ETSI GS NFV-SEC 010 V1.1.1 (2016-04)

GROUP SPECIFICATION

Network Functions Virtualisation (NFV); NFV Security; Report on Retained Data problem statement and requirements

Disclaimer

The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

Reference: DGS/NFV-SEC010

Keywords: accessibility, privacy, retained data, safety, security, usability

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
Modal verbs terminology
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Introduction to Retained Data
4.1 Legal basis and definition
4.2 Reference model
4.3 Stages of the RD process
5 NFV Retained Data problem statement
5.1 Overview
5.2 Data collection integrity and completeness
5.3 Multiple jurisdictions for storage and querying of data
5.4 Assurance of evidence for Retained Data
5.5 Confidentiality of Retained Data requests and responses
5.6 Retained Data logs and audit
5.7 Retained Data availability and timeliness
6 Available measures for meeting NFV Retained Data problem set
6.1 Introduction and core approach
6.2 Secure Logging
6.3 Access control, physical/personnel controls and alarms
6.4 Post-incident analysis
6.5 Policies for workload placement
6.6 Communications Security
6.7 Measured or secured boot
6.8 Attestation, Trusted Platform Modules and Hardware-Mediated Execution Enclaves
6.9 Memory inspection as an attack vector
History
Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV).

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

1 Scope

The purpose of the present document is to provide a problem statement and articulate the requirements for NFV Retained Data. The present document examines the core underlying requirements for Retained Data such as those presented by ETSI TC LI (ETSI TS 102 656 [i.2] and ETSI TS 102 657 [i.3]). The present document aims to identify solutions or mitigations to the problems identified.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at https://docbox.etsi.org/Reference/.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI GS NFV-SEC 009: "Network Functions Virtualisation (NFV); NFV Security; Report on use cases and technical approaches for multi-layer host administration".
[i.2] ETSI TS 102 656: "Lawful Interception (LI); Retained Data; Requirements of Law Enforcement Agencies for handling Retained Data".
[i.3] ETSI TS 102 657: "Lawful Interception (LI); Retained data handling; Handover interface for the request and delivery of retained data".
[i.4] ETSI TS 103 307: "CYBER; Security Aspects for LI and RD Interfaces".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

Communication Service Provider (CSP): organisations who are obliged by law to provide Retained Data functionality

jurisdiction: physical or virtual location subject to the authority of the LEA requesting access to retained data

Law Enforcement Agency (LEA): organization authorized by a lawful authorization based on a national law to make requests for Retained Data Functionality or receive the results of it
3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

CSP   Communication Service Provider
HI    Handover Interface
HI-A  Handover Interface-A (used for administration and requesting of RD)
HI-B  Handover Interface-B (used for transmission of RD material)
LEA   Law Enforcement Agency
NFV   Network Functions Virtualisation
RD    Retained Data

4 Introduction to Retained Data

4.1 Legal basis and definition

The present document is designed to support Retained Data functionality. For the present document, "Retained Data functionality" is defined as situations in which CSPs, or their equivalent in NFV provisioning architectures, are performing the following tasks:

1) store data (either in their existing business stores, or in dedicated stores of data); and
2) at a later point, when presented with an appropriate request, make available the data that meets the request to the appropriate authority.

The present document is not a legal document. It does not define when or whether these tasks should take place, nor does it define what counts as an appropriate request or appropriate authority. The definition of what is or is not a "Communications Service Provider" (from the point of view of Retained Data) is out of scope.

It is a pre-requisite to the present document that Retained Data functionality is in line with appropriate and relevant legislation on privacy and data protection.

The term "Data" in the present document is used to describe information which is collected, stored or queried as part of Retained Data functionality.

NOTE: In some jurisdictions, Retained Data may include "customer or subscriber data" (i.e. records with information about the customer (e.g. name, address) and their subscription) and "usage data" (i.e. records describing how the service was used). This note is included for background information but is not a definition.

4.2 Reference model

Baseline requirements for Retained Data are provided in ETSI TS 102 656 [i.2], with specific handover requirements articulated in ETSI TS 102 657 [i.3]. The reference model is defined in ETSI TS 102 657 [i.3] and is shown in figure 1.

Figure 1: Reference model. The CSP and the LEA are connected by Handover interface HI-A (administrative) and Handover interface HI-B (transmission of RD material).

NOTE: In ETSI TS 102 657 [i.3], the LEA is designated as "Authorized Organisation". For compatibility with other standards, the present document uses the term LEA.

4.3 Stages of the RD process

Retained Data consists of:

- The collection of Data.
- The storage of Data.
- The querying mechanism.
- The delivery of requests and the handover of results.

The collection and storage of Data may be performed as part of ordinary business processes (with the business data being stored for longer than is necessary for business purposes only where required by appropriate legislation), or there may be a dedicated store of Data specifically for RD purposes. The querying of Data takes place specifically for RD purposes and involves matching any records in the store against the request received and returning the results.

5 NFV Retained Data problem statement

5.1 Overview

The problems listed in clause 5 are those which relate specifically to NFV. Issues relating to the services which are offered on top of an NFV architecture are in general handled by the standards relating to those services (e.g. 3GPP standards).

In general the problems will come from the use of NFV in two different ways:

- Challenges arising because the underlying service is handled using an NFV architecture.
- Challenges arising because RD functionality is provided within an NFV architecture.

The present document does not cover issues relating to globalisation of CSPs in general or global/third-party provision of RD functionality. These are covered in TC CYBER ETSI TS 103 307 [i.4].

5.2 Data collection integrity and completeness

The goal is to gain an understanding of the completeness of the Data as it is collected, and any assurances that can be given about the integrity/completeness of its transmission to a Data store. In this context, integrity and completeness is used to mean that the meaning of any particular record or item has not been altered (nothing changed, added or removed) and that all records or items are present.

In general, the Data is collected for business purposes and the goal is to establish the integrity and completeness of the existing business processes. Where data collection and storage is used for business purposes, it should meet applicable standards for that purpose, e.g. billing records should meet applicable billing standards.

The specific challenges relating to NFV are:

- To check that any new interfaces / delivery / transport mechanisms introduced in using NFV architectures are as robust as the non-NFV equivalents.
- To check that hypervisors do not have the ability to alter or remove data during the collection process.

5.3 Multiple jurisdictions for storage and querying of data

When Retained Data queries are being handled by a network component which is virtualised, and/or the RD storage is not necessarily in the same jurisdiction as the users of the service or the agency which is making the request (which may be exacerbated in NFV architectures), additional measures may be necessary.

For some CSPs it may be practical to copy all relevant Retained Data to meet jurisdictional requirements. However, this practice is inefficient and costly, and data storage is likely to be in a common multi-national location. Under these circumstances, security requirements will be critical and appropriate access controls will be essential to meet privacy and other common requirements.

The specific challenge relating to NFV is around determining the location where data is collected, stored or queried with appropriate levels of assurance. Control may be required to prevent collection or query functions moving to jurisdictions which are not compatible with national legislation. Storage may need to be enhanced to indicate the locations involved in collecting and delivering the data. Extra care should be taken if a single request is fulfilled using information from different data stores.

5.4 Assurance of evidence for Retained Data

There are the following stages to the assurance process:

1) Data collection integrity and completeness (see clause 5.2).
2) Integrity of data storage.
3) Accuracy and integrity of data querying.
4) Integrity and assuring origin of data delivery.

In general the techniques for assuring origin and data delivery are common across NFV and non-NFV architectures and are handled by ETSI TS 103 307 [i.4].

The specific challenges relating to NFV are:

- As per clause 5.2 in terms of the collection processes.
- Where stor
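As an added illustration of the integrity and completeness properties of clause 5.2 and the location indication of clause 5.3 (example code written for this page, not part of the ETSI document): each collected record carries a keyed tag and a sequence number, and the Data store verifies a batch against the manifest the collector announced. The shared key, the record layout and the "jurisdiction:store-id" naming are assumptions.

```python
import hashlib
import hmac
import json

# Assumed: the collection function and the Data store share this key
# (constructed value for the example, not a real deployment's key).
COLLECTION_KEY = b"constructed-demo-key-not-for-production"


def record_tag(record, key=COLLECTION_KEY):
    """HMAC over one record; binding 'store' lets storage indicate location."""
    canonical = json.dumps(
        {k: record[k] for k in ("seq", "store", "payload")}, sort_keys=True
    ).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def tag_records(records):
    """Tag each record at collection time, before transmission to the store."""
    return [dict(r, tag=record_tag(r)) for r in records]


def verify_batch(records, manifest, key=COLLECTION_KEY):
    """Integrity: every tag re-verifies (nothing changed). Completeness: seq
    numbers cover exactly the announced range (nothing added, removed, duplicated)."""
    expected = set(range(manifest["first_seq"], manifest["last_seq"] + 1))
    seen, tampered = set(), []
    for r in records:
        if not hmac.compare_digest(r["tag"], record_tag(r, key)):
            tampered.append(r["seq"])
        seen.add(r["seq"])
    return {
        "tampered": sorted(tampered),
        "missing": sorted(expected - seen),
        "unexpected": sorted(seen - expected),
        "ok": not tampered and seen == expected and len(records) == len(expected),
    }


def check_placement(records, permitted_jurisdictions):
    """Clause 5.3: stores used, any outside the permitted jurisdictions, and
    whether several stores served one request. Assumed naming: '<jurisdiction>:<id>'."""
    stores = sorted({r["store"] for r in records})
    disallowed = [s for s in stores if s.split(":")[0] not in permitted_jurisdictions]
    return {"stores": stores, "disallowed": disallowed, "multi_store": len(stores) > 1}


# Constructed sample batch: three usage records collected into two stores.
SAMPLE = tag_records([
    {"seq": 101, "store": "EU-DE:store-1", "payload": "sub=A;event=attach"},
    {"seq": 102, "store": "EU-DE:store-1", "payload": "sub=B;event=attach"},
    {"seq": 103, "store": "US-VA:store-7", "payload": "sub=A;event=detach"},
])
MANIFEST = {"first_seq": 101, "last_seq": 103}
```

A record altered in transit shows up in "tampered", a dropped one in "missing", and a replayed duplicate fails the count check while leaving the other fields clean.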