CEES tackles new security standard

Wireless security is a hot topic right now. A list of groups ranging from the 3GPP Forum (www.3gpp.org) to the WAP Forum (www.wapforum.org) are working to shape wireless-transaction security. Does the industry really need another security standards body?

Daniel Lieman thinks so. Lieman is the chairman of the Consortium for Efficient Embedded Security (CEES) (www.ceesstandards.org).

Last week, CEES sponsored a symposium during which about 40 companies, including stalwarts such as MasterCard International, Microsoft and Sony, discussed emerging security requirements and the advances needed to promote confidence in wireless transactions.

CEES’s emerging standard is different because it takes a holistic approach to wireless security, Lieman said. That’s why security architects, applications developers, device manufacturers, content owners and embedded security technology users were invited to the symposium, which was CEES’s first.

“Other standards bodies have looked at a piece of the problem,” Lieman said, referencing the Mobile Electronic Transactions (MeT) Initiative (www.mobiletransaction.org) as an example. MeT, an initiative sponsored by Ericsson (www.ericsson.com), Nokia (www.nokia.com), Panasonic (www.panasonic.co.uk/nw/home/), Siemens (www.siemens.com) and Sony (www.world.sony.com), recently drafted specifications for handset functionality for m-commerce transactions.

“That standards body was asking: ‘How do I use a phone to do a purchase,’” Lieman said. “The problem is they didn’t consider it from the point of view of the person processing a purchase.”

CEES wants to bring together all of the business players that will be involved in mobile transactions and create a standard that will take each of the key players’ business models into consideration. The standard’s success, according to Lieman, depends on its ability to address security requirements from a cohesive system perspective rather than from a component perspective.

CEES plans to complete the standard by mid-2002.

“The biggest challenge we face right now is keeping people’s interest moving forward,” Lieman said. “There really are no technical challenges. All of the pieces exist in one form or another. It’s really a matter of integrating them in a way that gives you a secure system and so that everyone knows what everyone else expects to see.”

The next step for CEES is to form a member subgroup to investigate which industry players will be most crucial in developing the new standard. In September, the subgroup will submit its findings to the general membership and get approval of an action plan. Then Lieman will recruit any necessary players that are missing.

Lieman admits the consortium overlaps other standards bodies. Eventually, he expects to foster formal relationships with some of the other groups, such as 3GPP and the MExE (mobile execution environment) Forum (www.mexeforum.org).

However, Lieman maintains that CEES’s standard will be unique.

“For the first time, (this standard) is taking a global systems view of the problem of security,” he said.

Other associations addressing mobile-transaction security are: Radicchio (www.radicchio.cc) Mobey Forum (www.mobey.org) PKI Forum (www.pkiforum.org)