X/Open Co Ltd this week introduced its first set of specifications which define security standards for commercial products through the new-fangled Open Group (CI Nos 2,735, 2,891). The standards body says security – primarily internal network security against accidents and errors – is now the number one concern amongst its customer members. The initial release includes specifications for Baseline Security Services and Secure Communications Services which are designed to be implemented in multiple operating systems, not just Unix. Vendors currently gain recognition for security by formal evaluation against lengthy and expensive defense procurement requirements such as the US Department of Defense Orange Book. The first specification, to become Baseline Security 96, includes identification and authentication, system entry, audit functions, access control, security management, start-up, recovery and privileged operations. The second, Secure Communications Services for distributed authentication, is an implementation of the existing Digital Equipment Corp and Internet Engineering Task Force-derived GSS, Generic Security Service, application programming interface. It is designed to protect communications between distributed applications and is intended for use between pairs of communicating peers in a direct on-line client-server or message-passing environment. It is one of several components described by X/Open’s 1994 Distributed Security Framework. The Open Group says the Open Software Foundation’s DCE 1.1 release already conforms with the Secure Communication specification via a DCE-based mechanism that has been included in the GSS application programming interface and the Kerberos security service.

Generic Cryptographic Services

Baseline Security 96 licensing costs $45,000 per product family for initial registration and $10,000 a year thereafter. Secure Communication Services is $10,000 per product family. The Open Group couldn’t say when products might be branded. Individual security specifications for a Posix-derived single sign-on mechanism, cryptographic services, an Internet and Intranet firewall, distributed auditing, secure back-up and restore with systems management, public key encryption and digital signature support for electronic commerce will follow as they are defined. A GCS Generic Cryptographic Services specification is almost finished, and at least one supplier is said to be preparing a product for release into the market based on the unpublished specification. IBM Corp, which was responsible for the development of the US Department of Engineering & Science encryption algorithm, has been involved in the development of the specification along with the National Institute of Standards & Technology, the National Security Agency, RSA Data Security Inc, Trusted Information Systems Inc, Hewlett-Packard Co, ICL Plc, Fischer International Inc and others. In addition to being made available for separate and independent branding, all of these security services will be included in one standard, a Baseline Security 98 specification. X/Open believes its specifications can be used as a stepping-stone for companies seeking to also provide government-level security in their products, which Open Group reckons typically require 20% more security than the commercial standards it is working on. After security, Open Group says users’ chief concerns (in no particular order) are distributed systems management (where it expects to define specifications for distributed and shared print services) and NetWare Directory Services in the short term; interoperability between all clients and all servers; architecture and the information superhighway (integrating public and private networks).