Reflections on “X.805” Certification?

(Last Updated On: April 22, 2009)

While walking through E-mail, doing my morning [[SITREP]], and sipping coffee, I was surprised to see a request from a peer asking about X.805 Certification info. What is “X.805 Certification?”

For those who have never run into [[X.805]], it is an [[ITU]] security reference model submitted by Lucent from their security practices team. As seen in the slide below, it has a lot of impressive illustrations. The spec is informative and a useful tool to walk a variety of people through the complexities of security and resiliency in a telecommunications network. But …….

[Slide: X.805 security architecture]

….. X.805 is not something that leads to “certification.” Why? Back in 2005 – 2006 many people in the SP Security community tried to use X.805 as a risk assessment tool. The goal was to use X.805 to review the security and resiliency of services in an SP’s network. Any effective risk assessment tool will lead the investigator to actionable findings. These findings are the exposures, policy flaws, and other security risks that need to be resolved. The hope was that the X.805 model would lead to actions an SP can implement – resulting in more secure and resilient services. At least, that was the hope. Unfortunately, some of the best minds in the SP Security industry could not figure out how to make X.805 work.

In my personal experience, I was trying to use it to find issues on one service, only to find my 100+ page analysis report was not leading me anywhere. When you have a model that has “72 Security perspectives,” it will get “thick.” Add to this other peers who were running into similar difficulties. In one case, the Chief of Security for a really big SP in Europe asked one of the co-authors of X.805 to show how the approach will work on a small network — where you can spot problems and fix them. The co-author could not hand over any risk assessment that demonstrated actionable results.

So what happened? X.805 is a nice contribution to the industry, but it did not really deliver what SPs were looking for. The IETF did look at it, but found a major conceptual flaw: it does not apply the [[End to End Model]]. Eric Rescorla (ekr@rtfm.com) blogged about this after a session at the IETF: Thoughts on X.805. Others took lessons from this and moved forward with models which could deliver results. Cisco Systems first developed the Cisco Operational Process Model (COPM), then the Cisco Comprehensive Security Assessment Model. This mismatch with the [[End to End Model]] and the inability to turn X.805 into a tool which produced deliverables are mostly the reason why Alcatel-Lucent and ‘Consultants’ who produce lots of PowerPoint slides are the only ones still talking about X.805.