ETSI crypto-based access control standards land

Worried about enterprise security, access control, and GDPR? Relax, the standards bods at European Telecommunications Standards Institute (ETSI) have you covered. Covered, that is, if you implement its latest encryption standards. ETSI's Technical Committee on Cybersecurity announced it has released two Attribute-Based …

  1. CAPS LOCK

    When the title said ETSI I thought it might be a standard for...

    ... hand made lingerie. I am disappoint.

    1. NorthernCoder
      Facepalm

      Re: When the title said ETSI I thought it might be a standard for...

      I thought it might be cryptography derived from extraterrestrial intelligence (but that was SETI, not ETSI).

    2. James O'Shea

      Re: When the title said ETSI I thought it might be a standard for...

      I thought that it might be a standard for performing serious compression, but that'd be ITSI, not ETSI...

  2. Aodhhan

    The nanny state kicks in.

    Let's make regulations covering every bit of data we can; then, let's make things so convoluted and difficult to interpret we are sure to get people busted; because, finding people educated enough to understand all of these regulations will be difficult.

    We must do this because InfoSec professionals are too stupid to figure out how to secure data. Plus, if encryption best practices change, we want to create even tighter regulations to babysit.

    ...blah blah blah.

    -------

    I like the GDPR in theory. In practice, we're beginning to see the rich white men in Brussels are trying to over-control the industry.

    You don't need to make regulations on how encryption is properly done. All you need to do is create laws to hold businesses responsible and punish appropriately. Require businesses to have a robust InfoSec organization within their corporation. Let the professionals who know a lot more about securing data than politicians do their job.

    Then you don't need to stick your noses in at every turn, cost taxpayers more money than needed... and if big industry changes occur... it's easy to adapt without having to rewrite 35 volumes of outdated regulations.

  3. Robert Helpmann??
    Childcatcher

    Missing the Point

    The standards body said using encryption to enforce access control provides better security than software-based solutions, and a given data set can be protected by one encryption attribute, making it efficient.

    Security of any type that depends on just one thing is less secure by design than having multiple layers of defense. The statement above implies that access control should be done away with in favor of using encryption-based schemes. I don't know if this is taken out of context or what, but it doesn't strike me as more than replacing one set of issues and vulnerabilities with another, with additional spin-up time to learn and apply the replacement system thrown in (because every new technology is rolled out without a hitch and works just as intended when finally in place).

    If this can function in conjunction with existing security schema, it's probably a good thing. If not, I wouldn't want to be the one implementing it.

    1. GnuTzu

      Re: Missing the Point

      This reminds me of splitting a key or password into two or more chunks so that no one person has access alone. It's a cumbersome thing to do, but it is done. If this is about simplifying this process in some way or adapting it into another use case, then I can see the point, but the article could have done a better job of illustrating the use case.

  4. John Smith 19 Gold badge
    Unhappy

    "help protect stored data in the presence of a hostile listener on the network."

    I'd say that's any government and many actual network operators.
