IT security is one important element in making IT services reliable. Risks for the business and our global community are reduced by implementing security measures in technical platforms and processes and by enabling the people running them to act suitably. A hands-on analysis, however, reveals that volumes of IT security standards and best practices were not enough to bring the susceptibility to attacks, abuse and misbehaviour close to zero.

The Zero Outage Industry Standard aims to close these gaps.

A lack of IT security puts businesses at risk. A down-to-earth analysis reveals, however, that volumes of IT security standards and best practices were not sufficient to achieve an adequate level of security for today’s IT services. Whereas other industries such as aviation succeeded in solving safety issues, to this day the IT industry has failed to really solve the IT security problem, which is starting to affect safety as well. The security working group of the Zero Outage Industry Standard association takes this seriously and has developed several papers:

  1. Introduction and Overall Picture: It is time to look behind the curtain and consider what the IT industry may have missed. Consequently, aspects have been identified which are underestimated or not considered at all although they are essential for reaching a sufficient level of security. But there is also the need to think ahead about how the world is changing and whether different approaches are required to meet expected challenges in the future. The first paper provides examples of “enemies of good security” and ways to “combat” them. It also embeds the security topic into the whole framework of Zero Outag
  2. ESARIS Security Taxonomy: IT is complex, and securing IT is a complex undertaking as well. Modern IT services comprise different technologies and multiple IT service management activities. Individual IT services are deployed in a flexible way using existing components. The provisioning of secure technologies and the performance of security-related activities are distributed amongst several specialized teams in larger IT service providers and amongst corporations in the supplier network. The second paper describes a classification and organization schema that helps to manage IT security in this environment. The schema helps to provide a comprehensive overview and is a means of delivering content precisely to the target group for which it is relevant and was created. It also adds topics and aspects which are missing in IT service management standards and in standards and best practice catalogs on IT security.
  3. Supplier Management Model: Division of labor can be observed in the internal organizations of large-scale, industrialized IT production, but it expands to the whole supply chain, since partners and suppliers are decisively involved in modern IT service provisioning (“industrialization of IT”). The security management of the consuming party and that of the supplying party are interwoven. The third paper provides a model for managing external suppliers or partners, more specifically, the security of products and services they are providing. It describes how security standards are applied in the relationship between the supplying and the consuming party. It defines the sequence of actions for managing exchanged products and services and calls for having a so-called Product Requirement Document (PRD).
  4. How to write a PRD: IT services need to be secure. Each technical component may contain vulnerabilities, and each activity relating to the development, production, operation or maintenance of technical components may cause vulnerabilities which could be exploited by adversaries. It is hence required that security responsibilities are defined and clearly assigned to the involved parties. Transparency about security objectives and meeting them is the basis for this. The fourth paper defines the structure and content of a so-called Product Requirement Document (PRD). A PRD provides a service-dependent security specification which needs to be agreed between the supplying party and the consuming party.
  5. Security Taxonomy for IoT: IoT systems consist of a multitude of different products and technologies requiring numerous procedures for managing them securely throughout their lifecycle. However, IT practitioners in particular do not want to invest too much in IT security; they prefer advice that is directly actionable. An approach is presented that aims to assist in coping with complexity. A taxonomy is presented which helps to consider overarching aspects and interdependencies while identifying several single work areas (component- and activity-related view). These single work areas are target group-specific and are later filled with security specifications. In this way, the division of labor is supported, and activities of individual parties can be combined and orchestrated in a way that the IoT system can become an integrated secure whole. Admitting the constant failures to actually secure IoT, it is time for measures of confinement and compensation, which in turn requires an architectural approach that makes dependencies visible and shows ways of segregation. Moreover, Zero Outage puts other ideas up for discussion such as Zones, Classes, and an extended IT stack.