Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfersX.800 : Security architecture for Open Systems Interconnection for CCITT applications
/ref> as defined by

ITU-T The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors (divisions or units) of the International Telecommunication Union (ITU). It is responsible for coordinating standards for telecommunications and Information Comm ...

X.800 Recommendation.
X.800 and

ISO ISO is the most common abbreviation for the International Organization for Standardization. ISO or Iso may also refer to: Business and finance * Iso (supermarket), a chain of Danish supermarkets incorporated into the SuperBest chain in 2007 * Iso ...

7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture) are technically aligned. This model is widely recognized William Stallings Crittografia e sicurezza delle reti Seconda edizione Traduzione Italiana a cura di Luca Salgarelli di Cryptography and Network security 4 edition Pearson 2006 Securing information and communications systems: principles, technologies, and applications Steven Furnell, Sokratis Katsikas, Javier Lopez, Artech House, 2008 - 362 pages A more general definition is in CNSS Instruction No. 4009 dated 26 April 2010 by

Committee on National Security Systems The Committee on National Security Systems (CNSS) is a United States intergovernmental organization that sets policy for the security of the US security systems. Charter, mission, and leadership The National Security Telecommunications and Infor ...

United States of America The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territo ...

:CNSS Instruction No. 4009
dated 26 April 2010 :''A capability that supports one, or more, of the security requirements (Confidentiality, Integrity, Availability). Examples of security services are key management, access control, and authentication.'' Another authoritative definition is in W3C Web service Glossary adopted by NIST SP 800-95: : ''A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms.''

Basic security terminology

Information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...

and

Computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...

are disciplines that are dealing with the requirements of

Confidentiality Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information. Legal confidentiality By law, lawyers are often required ...

Integrity Integrity is the practice of being honest and showing a consistent and uncompromising adherence to strong moral and ethical principles and values. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions. In ...

Availability In reliability engineering, the term availability has the following meanings: * The degree to which a system, subsystem or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at ...

, the so-called CIA Triad, of information asset of an organization (company or agency) or the information managed by computers respectively. There are

threats A threat is a communication of intent to inflict harm or loss on another person. Intimidation is a tactic used between conflicting parties to make the other timid or psychologically insecure for coercion or control. The act of intimidation for co ...

that can attack the resources (information or devices to manage it) exploiting one or more vulnerabilities. The resources can be protected by one or more

countermeasures A countermeasure is a measure or action taken to counter or offset another one. As a general concept, it implies precision and is any technological or tactical solution or system designed to prevent an undesirable outcome in the process. The fi ...

security control Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the c ...

s. So security services implement part of the countermeasures, trying to achieve the security requirements of an organization.

Basic OSI terminology

In order to let different devices (computers, routers, cellular phones) to communicate data in a standardized way,

communication protocol A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. The protocol defines the rules, syntax, semantics and synchroniza ...

s had been defined. The

organization published a large set of protocols. The general architecture of these protocols is defined in recommendation X.200.X.200 : Information technology - Open Systems Interconnection - Basic Reference Model: The basic model
/ref> The different means (air, cables) and ways (protocols and

protocol stack The protocol stack or network stack is an implementation of a computer networking protocol suite or protocol family. Some of these terms are used interchangeably but strictly speaking, the ''suite'' is the definition of the communication protoco ...

s) to communicate are called a

communication network A telecommunications network is a group of Node (networking), nodes interconnected by telecommunications links that are used to exchange messages between the nodes. The links may use a variety of technologies based on the methodologies of circuit ...

. Security requirements are applicable to the information sent over the network. The discipline dealing with security over a network is called

Network security Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves th ...

.Simmonds, A; Sandilands, P; van Ekert, L (2004). "An Ontology for Network Security Attacks". Lecture Notes in Computer Science 3285: 317–323 The X.800 Recommendation: #provides a general description of security services and related mechanisms, which may be provided by the Reference Model; and #defines the positions within the Reference Model where the services and mechanisms may be provided. This Recommendation extends the field of application of Recommendation X.200, to cover

secure communication Secure communication is when two entities are communicating and do not want a third party to listen in. For this to be the case, the entities need to communicate in a way that is unsusceptible to eavesdropping or interception. Secure communication ...

s between open systems. According to X.200 Recommendation, in the so-called OSI Reference model there are 7 layers, each one is generically called N layer. The N+1 entity ask for transmission services to the N entity. At each level two entities (N-entity) interact by means of the (N) protocol by transmitting Protocol Data Units (PDU). Service Data Unit (SDU) is a specific unit of data that has been passed down from an OSI layer, to a lower layer, and has not yet been encapsulated into a PDU, by the lower layer. It is a set of data that is sent by a user of the services of a given layer, and is transmitted semantically unchanged to a peer service user . The PDU at any given layer, layer 'n', is the SDU of the layer below, layer 'n-1'. In effect the SDU is the 'payload' of a given PDU. That is, the process of changing a SDU to a PDU, consists of an encapsulation process, performed by the lower layer. All the data contained in the SDU becomes encapsulated within the PDU. The layer n-1 adds headers or footers, or both, to the SDU, transforming it into a PDU of layer n-1. The added headers or footers are part of the process used to make it possible to get data from a source to a destination.

OSI security services description

The following are considered to be the security services which can be provided optionally within the framework of the OSI Reference Model. The authentication services require authentication information comprising locally stored information and data that is transferred (credentials) to facilitate the authentication: ;Authentication :These services provide for the authentication of a communicating peer entity and the source of data as described below. :;Peer entity authentication ::This service, when provided by the (N)-layer, provides corroboration to the (N + 1)-entity that the peer entity is the claimed (N + 1)-entity. :; Data origin authentication ::This service, when provided by the (N)-layer, provides corroboration to an (N + 1)-entity that the source of the data is the claimed peer (N + 1)-entity. ;Access control :This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. This protection service may be applied to various types of access to a resource (e.g., the use of a communications resource; the reading, the writing, or the deletion of an information resource; the execution of a processing resource) or to all accesses to a resource. ;Data confidentiality :These services provide for the protection of data from unauthorized disclosure as described below :;Connection confidentiality ::This service provides for the confidentiality of all (N)-user-data on an (N)-connection :;''Connectionless confidentiality'' ::This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU :;Selective field confidentiality ::This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU. :; Traffic flow confidentiality ::This service provides for the protection of the information which might be derived from observation of traffic flows. ; Data integrity :These services counter active

and may take one of the forms described below. :;Connection integrity with recovery ::This service provides for the integrity of all (N)-user-data on an (N)-connection and detects any modification, insertion, deletion or replay of any data within an entire SDU sequence (with recovery attempted). :;Connection integrity without recovery ::As for the previous one but with no recovery attempted. :;Selective field connection integrity ::This service provides for the integrity of selected fields within the (N)-user data of an (N)-SDU transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed. :;Connectionless integrity ::This service, when provided by the (N)-layer, provides integrity assurance to the requesting (N + 1)-entity. This service provides for the integrity of a single connectionless SDU and may take the form of determination of whether a received SDU has been modified. Additionally, a limited form of detection of replay may be provided. :;Selective field connectionless integrity ::This service provides for the integrity of selected fields within a single connectionless SDU and takes the form of determination of whether the selected fields have been modified. ; Non-repudiation :This service may take one or both of two forms. :;Non-repudiation with proof of origin ::The recipient of data is provided with proof of the origin of data. This will protect against any attempt by the sender to falsely deny sending the data or its contents. :; Non-repudiation with proof of delivery ::The sender of data is provided with proof of delivery of data. This will protect against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.

Specific security mechanisms

The security services may be provided by means of security mechanism: * Encipherment * Digital signature * Access control *

Data integrity Data integrity is the maintenance of, and the assurance of, data accuracy and consistency over its entire life-cycle and is a critical aspect to the design, implementation, and usage of any system that stores, processes, or retrieves data. The ter ...

* Authentication exchange * Traffic padding * Routing control * Notarization The table1/X.800 shows the relationships between services and mechanisms Some of them can be applied to connection oriented protocols, other to connectionless protocols or both. The table 2/X.800 illustrates the relationship of security services and layers:

Other related meanings

Managed security service

Managed security service In computing, managed security services (MSS) are network security services that have been outsourced to a service provider. A company providing such a service is a managed security service provider (MSSP) The roots of MSSPs are in the Internet ...

(MSS) are

network security Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves th ...

services that have been outsourced to a service provider.

References

External links

Term in FISMApedia

List of ITU-T Security Activities and Publications
Computer network security Network protocols ITU-T recommendations ITU-T X Series Recommendations ISO standards