Standards Driven Security Assurance for Mobile Networks

Authors

  • Sven Lachmund, Deutsche Telekom, Germany

DOI:

https://doi.org/10.13052/jicts2245-800X.321

Keywords:

3GPP, accreditation, development lifecycle, evaluation, evidence, mobile industry, mobile network, network equipment, product lifecycle, regulation, regulator, security, security assurance, security assurance scheme, security requirement, specification, standardisation, test case

Abstract

This article describes a new security assurance scheme for mobile network infrastructure equipment. Introducing an effective security assurance scheme requires taking constraints into account, because the environment in which the scheme is introduced sets boundaries. Technology is not the only aspect that counts: a real balance has to be struck between technical and organisational security improvement, visibility of the security levels of network equipment, operational feasibility, and market acceptance and participation. The end goal is to involve a range of stakeholders who need to commit to the scheme, so the likely effectiveness, cost, effort and complexity are important parameters to consider. The mobile industry operates worldwide and thrives on the development of open standards by multiple standards development organisations. Solutions that are designed and agreed must meet the needs of all involved stakeholders around the world to secure support for their delivery to market. This paper explains how standardisation works in and for the mobile industry, introduces the objectives, the constraints and the reasons for developing a security assurance scheme, and describes the proposed scheme for mobile network equipment and lifecycle processes. The article illustrates that the new Network Equipment Security Assurance Scheme (NESAS), as it is called, meets the various and differing needs of mobile network operators, network equipment vendors, and regulators in a time of ever growing complexity of mobile networks.


Author Biography

Sven Lachmund, Deutsche Telekom, Germany

S. Lachmund received his degree in computer science from the University of Applied Sciences Munich, Germany. He then obtained his Ph.D. from the Technical University Munich, Germany, while working in parallel at the European research laboratory of the Japanese mobile network operator NTT DOCOMO in Munich. In 2011 he joined Deutsche Telekom at its headquarters in Bonn, Germany. Over the last 15 years, Sven Lachmund has gained broad and deep expertise in ICT security, network security, and telecommunication security. He has developed several security solutions and security architectures, filed patents, and published on some of his achievements. His current role is to support the engineering departments with his security expertise while they introduce new technologies on the mobile network, accompanying them through all stages of the introduction process. Sven is involved in requests for quotation and in design, and he commissions security tests before the technology goes live. Since 2014, when the work on NESAS started, Sven Lachmund has been chairman of the Working Group at the GSMA that creates the security assurance scheme for network equipment.

Published

2016-03-15

How to Cite

Lachmund, S. (2016). Standards Driven Security Assurance for Mobile Networks. Journal of ICT Standardization, 3(2), 105–132. https://doi.org/10.13052/jicts2245-800X.321

Section: Articles