DOUBLE STANDARDS
Aug 1, 2004 12:00 PM, By JACQUELINE EMIGH
Private companies and government are collaborating on new industry standards in areas combining both physical and information security, such as emergency readiness and disaster recovery. Yet in a certain sense, these new efforts take their cue from IS standardization efforts that have already been in place for some time.
One currently proposed standard, Disaster/Emergency Management and Business Continuity Programs, 2004 Edition, is an outgrowth of the American National Standards Institute's Homeland Security Standards Panel (ANSI-HSSP). ANSI, a well-established group with membership from both the private and public sectors, promotes standards across a range of industries. For example, the Security Industry Association (SIA) is active in developing ANSI standards.
Produced by the National Fire Protection Association (NFPA) under ANSI guidelines, the proposed emergency management standard — also known as NFPA 1600 — stems from an ANSI-HSSP workshop called “Private Sector Emergency Preparedness and Business Continuity.”
In April, ANSI issued a recommendation to the 9-11 Commission for adoption of NFPA 1600 as the national preparedness standard.
“We're taking a look at industry standards that are already out there, and trying to fill in the gaps,” says Matt Deane, program director for ANSI-HSSP. In areas where standards do not already exist, ANSI-HSSP's stated mission is to help the U.S. Department of Homeland Security (DHS) and other organizations that want assistance to “accelerate development and adoption” of standards critical to Homeland security.
Meanwhile, the DHS has set up private/public task forces of its own around areas that include cyber-security early warning, technical standards, corporate governance and awareness for home users and small businesses.
For its part, ANSI-HSSP has also convened — or plans to convene — panels to discuss biometrics, biological and chemical threat agents, supply chain security and a number of other topics, Deane says.
But if the security team works at all with the IS folks down the hall, it's a good idea to learn more about already entrenched IS standards, as well.
The new NFPA 1600 standard differs from most of the established standards in the IS world in a couple of ways. First, the NFPA 1600 deals much more with physical security than computer security, Deane says.
Secondly, like some 300 other NFPA voluntary codes and standards, NFPA 1600 is largely designed to recommend best practices for use within private companies and local, state and federal agencies.
In contrast, most traditional IS standards outline technologies for use by product vendors, experts say. “The biggest purpose of IS standards is interoperability. If one buys products from different vendors, and all of these products adhere to the same standard, the products can all be used together,” says Matt Blaze, a technical staff member at AT&T Research Labs.
For the most part, IS standards promote this sort of interoperability among security systems used by PCs, servers and networking devices such as gateways and routers. Yet vendors of physical security devices can also benefit.
“If there's a standard security interface, a third-party vendor can supply a smart card or biometric access control that interoperates (securely) with computer and network systems,” Blaze says.
IS standards also tend to produce positive by-products along the way. “Standardization spurs greater competition, because customers can choose among more products. This, in turn, leads to lower product pricing,” says DC Palter, vice president at Mentat Inc., a founding member of the IPv6 (Internet Protocol version 6) Forum.
Yet standardization can face obstacles, too. “The biggest challenges can occur when a single vendor dominates a specific market — for instance, Microsoft in the desktop (PC) market, Cisco for certain types of network routers,” Blaze says. “Technical complexities can pose other issues,” he adds. As one example, Blaze points to standardization efforts around voice-over-IP (Internet protocol), an emerging technology for sending voice calls over corporate computer networks and the Internet.
Sometimes, vendors and IS customers are faced with choices around two competing standards, each with similar objectives, Palter points out. For example, IPsec (IP security) and SSL (Secure Sockets Layer) are two standards used for encrypting (or “scrambling”) data and authenticating (identifying) users on computer networks.
On the other hand, standards can sometimes get widespread support when introduced among many vendors while a particular product category is still in its infancy. The wireless LAN (local area network) market represents one good example.
Blaze notes that wireless security standardization is also crucial to physical security. “In physical security, the physical perimeter used to be everything. If you knew the location of every network jack in the building, you could provide (physical) security to the entire corporate network. Now, though, wireless networking has destroyed that perimeter,” he says.
Wireless networking uses a number of technical standards. One critical standard is 802.11i, a recent update to the 802.11 wireless network standard originally passed by the Institute of Electrical and Electronics Engineers (IEEE).
Experts also credit standards such as IPsec and SSL — sometimes used to support secure virtual private networks (VPNs) on wired as well as wireless networks — as helping to pave the way for corporate Wi-Fi.
Aside from the IEEE and ANSI, major standardization bodies include the Internet Engineering Task Force (IETF), the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO), to name a few. How these groups come up with their standards can vary dramatically.
Typically, though, these groups form committees to explore solutions around various technology issues, whether security-related or not. The group then ultimately achieves consensus around a standardized approach to solving the problem. Some groups do so through formal voting procedures.
Membership policies can also vary. The IETF, for instance, offers a particularly open membership policy. “Anybody who wants to can join the IETF,” Blaze says.
Meanwhile, other sorts of groups, generally formed by vendors in different industry segments, focus on marketing and/or vendor certification. For instance, the IPv6 Forum was forged to promote the latest revision of the IP standard for network communications.
In the wireless sphere, a group called the Wi-Fi Alliance certifies compliance with protocols that are based on IEEE standards. “Vendors can claim that their products adhere to standards. If there's an interoperability issue, though, Vendor A tends to blame Vendor B, and vice versa. Wi-Fi certification ensures that the products are really compatible,” Wi-Fi Alliance chairman David Cohen says. Vendors attaining Wi-Fi certification are allowed to display a special logo on product packaging.
As customers replace older equipment, WEP (Wired Equivalent Privacy), the security protocol of the IEEE's original 802.11 standard, is gradually being phased out in favor of WPA (Wi-Fi Protected Access). WPA is a newer Wi-Fi Alliance security protocol based on the draft of the IEEE's 802.11i standard.
“With industry implementation of the full and final 802.11i standard, we'll have WPA II,” adds Cohen, who is also director of wireless product management strategy for Actiontec Electronics Inc.
Yet technical standards such as 802.11i and best practices standards like NFPA 1600 are actually just different threads from the same bolt of cloth. In just about every standardization effort, experts put their heads together to figure out the best approaches to solving problems. Considering the growing convergence between physical security and IS, the latest standards across all aspects of security should become common knowledge among security professionals.
© 2008 Penton Media Inc.