
wsdm message


Subject: [UPlat] Input on Security for UPlat


This is my input for the [UPlat] group.  Zulah suggested I send it to 
the whole list for review.  I tried to keep it short (1-2 paragraphs was 
suggested), rather than start a book on the subject, but that also means 
some key points may be misworded or skipped.  So any comments are welcome.


[UPlat] Security.


Information/Computer Security. There are many ways to categorize
information security, but the most common today is represented by the
letters C, I, A:  Confidentiality, Integrity, and Authentication.
Additional concepts that can be arguably kept separate are:  Access
Control, Nonrepudiation, Availability, and Privacy.

Confidentiality.  Preventing unauthorized entities from accessing
information or resources.

Integrity.  Making sure that when authorized entities access
information, it is either not changed or any changes are detectable.

Authentication.  Making sure that entities are who/what they claim to be.

Access Control.  Making sure that entities can only access services,
resources, or information that they are authorized for.

Nonrepudiation.  Making sure the sender of a message cannot deny having
sent the message.

Availability.  Making sure a service or resource can be accessed by
authorized users.  While this goes beyond security, security is expected
to address denial of service attacks.

Privacy.  Making sure that information on entities is used only for the
express purposes allowed.

Management Need

Management of a resource can have a huge impact on the operation of the
resource.  As such, it has higher security requirements than most of the
business services.  However, management and business services share many
security requirements, so having a separate security infrastructure is
needed.  Also, that security infrastructure needs to be managed.

There is also a requirement for manageable resources to be able to be
created, operate, and be turned off in the absence of access to a
security infrastructure.

MUWS Requirements
2.1.5 Security (E) [SEC]

[SEC.001] The Manageability Interface MUST enable secure management, as
dictated by the threats of the environment. This includes (but is not
limited to) support for the functionality described in the
sub-requirements, SEC.001.1-6.

[SEC.001.1] The Manageability Interface SHOULD support having the
manager authenticate the manageable resource.

[SEC.001.2] The Manageability Interface SHOULD support having the
manageable resource authenticate the manager.

[SEC.001.3] The Manageability Interface SHOULD support an underlying
mechanism that guarantees the integrity of the messages exchanged.

[SEC.001.4] The Manageability Interface SHOULD support an underlying
mechanism that guarantees the confidentiality of the messages exchanged.

[SEC.001.5] The Manageability Interface SHOULD NOT preclude
establishing, using, and managing trust relationships.

[SEC.001.6] The Manageability Interface SHOULD support access control
(such as distinguishing between the ability to view and the ability to
change) for management information, operations and event notifications
at appropriate granularity.  Access SHOULD be controllable by role (the
security mechanism being used will determine what “role” means).  For
example, an internal manager should have greater control than a manager
being run by a partner.

[SEC.002] The Manageability Interface MUST be NAT and firewall
"friendly", meaning that the interface MUST NOT require additional
support in NAT and firewall products, and that sufficient information
MUST be provided for a firewall proxy to inspect the management messages.

[SEC.003] The Manageability Interface MUST NOT increase security risks
or enlarge security exposures.

[SEC.004] The Manageability Interface MUST allow a self-contained,
fallback security model, for use when the security infrastructure is not

[SEC.005] The Manageability Interface MUST be able to be used to manage
a Security Infrastructure.

[SEC.005.1] The Manageability Interface MUST allow operational
capabilities on security features (e.g., enable, disable).  Security
configuration SHOULD only be allowed via the Manageability Interface if
appropriate access controls are in place.

Other Related Work
o) ebXML Registry Security Services SC (Sub of ebXML Registry TC)
o) Security Services TC
o) Web Application Security TC
o) Web Services Security TC


John DeCarlo, The MITRE Corporation, My Views Are My Own
email:      jdecarlo@mitre.org
voice:      703-883-7116
fax:        703-883-3383
DISA cube:  703-882-0593
