next up previous contents
Next: WG4: OSI Management Up: Security work within Previous: Security work within

Security frameworks

The basis of all security work within ISO is ISO 7498-2, the OSI Security Architecture. This standard provides text and definitions that cover the following:

  1. security attacks relevant to Open Systems,
  2. general architectural elements that can be used to thwart such attacks, and
  3. circumstances under which the security elements can be used.

Such a document is, by its very nature, broad in scope and covers principles rather than detailed solutions. It leaves a wide latitude as to which elements can be used and where specific threats can be met.

SC21/WG1 is currently developing a multipart standard consisting of Security Framework documents. Each part aims to give comprehensive and consistent coverage of one security functional area and to define the range of mechanisms that can be used to support that security service. The following Frameworks are being developed within WG1:

  1. Framework Overview

    This document provides the glue that binds the other frameworks together. That is:

    This document is currently a Committee Draft.

  2. Guide to Open System Security

    This document provides an overview of all known and relevant Security activities. It is a document similar in scope to this report and is one of the report's primary sources.

    Currently, this document is a Working Draft and is maintained as a living document.

  3. Authentication Framework

    This framework was the first framework to be advanced to CD status (August 1990) and was quickly progressed to DIS. But, it has since stalled, its editor has resigned, and the timetable for its progression to IS is clouded in doubt.

    This document describes all aspects of Authentication (e.g., a remote logon) as these apply to Open Systems. In particular,

  4. Access Control Framework

    This framework is currently a DIS. The document defines the basic concepts of Access Control and proposes an abstract model for it: every action subject to Access Control must pass through an Access Enforcement Function (AEF), which is the only path by which an initiator reaches a target. The AEF invokes the Access Decision Function (ADF), which uses the access control decision information available to it (attributes of the initiator and target, the requested action, and context such as time) to decide whether the action is permitted; the AEF then allows or denies the action accordingly. Separating decision from enforcement means the policy can change without touching the code that enforces it, and enforcement cannot be bypassed as long as the AEF mediates every access.

  5. Non-Repudiation Framework

    This framework describes all aspects of Non-repudiation in Open Systems. This includes the concept of a data recipient being provided with a proof of origin and the concept of a data sender being provided with a proof of delivery.

    It was progressed to CD in December of 1992 (London).

  6. Integrity Framework

    This framework addresses mainly data integrity, i.e., ensuring that unauthorized changes to data are either prevented (e.g., by Access Control) or detectable (e.g., by cryptographic checksums over data carried on non-secure media, where prevention is not possible). Note that an unkeyed checksum only detects accidental corruption; detecting deliberate modification requires a checksum the modifier cannot recompute, such as a keyed checksum or a digital signature.

    This document was advanced to CD in December 1992 (London).

  7. Confidentiality Framework

    This framework mirrors the previous one in structure and status (it was also advanced to CD in December 1992, London).

    It addresses all aspects of Confidentiality in Open Systems (i.e., mainly how to protect sensitive information cryptographically, by Access Control, or by other means), identifies possible classes of confidentiality mechanisms, defines the services and the abstract data types needed for each Confidentiality mechanism, and addresses the interaction of Confidentiality with other security services and mechanisms.
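The AEF/ADF split of the Access Control Framework (item 4 above), written out as a small reference monitor. This is an added illustration, not code or text from ISO/IEC 10181-3 or from this report; the policy it enforces (role-based permissions, an owner rule and a working-hours context rule) and all class, function and user names are assumptions made for the example.

```python
"""Added example: the AEF/ADF model of the Access Control Framework as a
reference monitor. Illustrative only; the policy, the access control
decision information (roles, ACL, owner, hour of day) and every name
here are assumptions, not taken from ISO/IEC 10181-3."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Initiator:
    name: str
    roles: Set[str]


@dataclass
class Target:
    name: str
    owner: str
    acl: Dict[str, Set[str]]   # action -> roles permitted (assumed ACL shape)
    content: str = ""


@dataclass
class Context:
    hour: int                  # 0-23; the only contextual information used


def access_decision_function(initiator: Initiator, target: Target,
                             action: str, ctx: Context) -> bool:
    """ADF: decides from the decision information whether the action is
    permitted. It performs no action itself and has no side effects."""
    if "admin" in initiator.roles:
        return True
    if initiator.name == target.owner:
        return True
    if not initiator.roles & target.acl.get(action, set()):
        return False
    # contextual rule: writes by non-owners only during working hours
    if action == "write" and not 8 <= ctx.hour < 18:
        return False
    return True


@dataclass
class AccessEnforcementFunction:
    """AEF: the only path from an initiator to a target. Every action is
    submitted here; the AEF asks the ADF and enforces the answer."""
    adf: Callable[[Initiator, Target, str, Context], bool]
    audit: List[str] = field(default_factory=list)

    def perform(self, initiator: Initiator, target: Target, action: str,
                ctx: Context, data: Optional[str] = None) -> Optional[str]:
        decision = self.adf(initiator, target, action, ctx)
        self.audit.append(f"{initiator.name} {action} {target.name}: "
                          f"{'ALLOW' if decision else 'DENY'}")
        if not decision:
            raise PermissionError(f"{action} on {target.name} denied")
        if action == "read":
            return target.content
        if action == "write":
            target.content = data or ""
            return None
        raise ValueError(f"unknown action {action!r}")


def run_access_control_demo() -> Dict[str, str]:
    """Push constructed requests through the AEF; returns outcome per case."""
    report = Target("report.txt", owner="alice",
                    acl={"read": {"staff"}, "write": {"editor"}},
                    content="draft")
    alice = Initiator("alice", {"staff"})
    bob = Initiator("bob", {"staff"})
    carol = Initiator("carol", {"editor"})
    aef = AccessEnforcementFunction(adf=access_decision_function)
    cases = [
        ("bob reads", bob, "read", Context(hour=10), None),
        ("bob writes", bob, "write", Context(hour=10), "x"),
        ("carol writes at night", carol, "write", Context(hour=23), "x"),
        ("carol writes in hours", carol, "write", Context(hour=10), "v2"),
        ("alice writes at night", alice, "write", Context(hour=23), "v3"),
    ]
    outcomes: Dict[str, str] = {}
    for label, who, action, ctx, data in cases:
        try:
            aef.perform(who, report, action, ctx, data)
            outcomes[label] = "allowed"
        except PermissionError:
            outcomes[label] = "denied"
    outcomes["final content"] = report.content
    outcomes["audit entries"] = str(len(aef.audit))
    return outcomes


if __name__ == "__main__":
    for k, v in run_access_control_demo().items():
        print(f"{k}: {v}")
```

The point of the structure is that application code never touches `Target.content` directly: it calls `AccessEnforcementFunction.perform`, so every access is both decided by the ADF and recorded in the audit list. Swapping `access_decision_function` for another policy changes no enforcement code.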
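For the "detectable" half of the Integrity Framework (item 6 above), an added example of a cryptographic checksum over data sent across a non-secure medium. It is illustrative code, not from ISO/IEC 10181-6 or from this report; the message, the tamper scenario and the choice of SHA-256 and HMAC-SHA256 are assumptions made for the example. It contrasts an unkeyed checksum, which an active attacker simply recomputes, with a keyed one, which the attacker cannot recompute without the key.

```python
"""Added example: detecting unauthorized modification on a non-secure
medium. Illustrative only; message, key handling and attacker model are
constructed for this example, not taken from the Integrity Framework."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

Message = Tuple[bytes, bytes]   # (payload, checksum/tag) as sent on the wire


def seal_unkeyed(payload: bytes) -> Message:
    """Plain hash appended to the data: protects only against accidents."""
    return payload, hashlib.sha256(payload).digest()


def verify_unkeyed(msg: Message) -> bool:
    payload, tag = msg
    return hmac.compare_digest(tag, hashlib.sha256(payload).digest())


def seal_keyed(key: bytes, payload: bytes) -> Message:
    """Keyed checksum (HMAC): recomputing it requires the shared key."""
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


def verify_keyed(key: bytes, msg: Message) -> bool:
    payload, tag = msg
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)   # constant-time compare


def attacker_modify(msg: Message, new_payload: bytes) -> Message:
    """Active attacker on the medium: swaps the payload and attaches the
    best checksum it can compute without the key, i.e. an unkeyed hash."""
    return new_payload, hashlib.sha256(new_payload).digest()


def run_integrity_demo() -> Dict[str, bool]:
    """Returns, per scheme, whether the receiver accepts the original and
    the tampered message. Only the keyed scheme rejects the tampering."""
    key = os.urandom(32)            # shared by sender and receiver only
    original = b"PAY alice 100"     # constructed sample message
    tampered = b"PAY mallory 100"

    results: Dict[str, bool] = {}
    u = seal_unkeyed(original)
    results["unkeyed accepts original"] = verify_unkeyed(u)
    results["unkeyed accepts tampered"] = verify_unkeyed(
        attacker_modify(u, tampered))

    k = seal_keyed(key, original)
    results["keyed accepts original"] = verify_keyed(key, k)
    results["keyed accepts tampered"] = verify_keyed(
        key, attacker_modify(k, tampered))
    return results


if __name__ == "__main__":
    for k, v in run_integrity_demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner should keep in mind: a keyed checksum makes modification detectable but does nothing to prevent it, which is why the framework pairs detection with Access Control; and because sender and receiver share the key, either could have produced the tag, so this mechanism gives no proof of origin in the sense of the Non-Repudiation Framework (item 5 above), which needs a mechanism only the originator can apply, such as a digital signature.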


John Barkley
Fri Oct 7 16:17:21 EDT 1994