ETSI TR 103 309 V1.1.1 (2015-08)

ETSI TR 103 309 V1.1.1 (2015-08)






TECHNICAL REPORT
CYBER;
Secure by Default - platform security technology

---------------------- Page: 1 ----------------------
2 ETSI TR 103 309 V1.1.1 (2015-08)



Reference
DTR/CYBER-0007
Keywords
cybersecurity, platforms, secure by default
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2015.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TR 103 309 V1.1.1 (2015-08)
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Introduction . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 5
3 Abbreviations . 5
4 Secure by default approach . 6
5 Annex structure . 6
5.1 Approach . 6
5.2 Introduction . 6
5.3 Specific challenges . 6
5.4 Enabling technologies and good practice . 6
Annex A: Personally owned IT . 7
A.1 Introduction . 7
A.2 Specific Challenges . 7
A.2.1 User ID - who wants access? How can their identity be verified? . 7
A.2.2 Location - where is the access request coming from? Is that appropriate? . 7
A.2.3 Device ID - which devices are connecting to the network? Can this device be trusted to access that
resource?. 7
A.2.4 Device state - how is the device configured? Is the system (including apps) up to date? . 7
A.2.5 On-Device isolation - is sensitive data protected from malicious or insecure applications on a device? . 8
A.3 Enabling technologies and good practice . 8
A.3.1 Introduction . 8
A.3.2 Trusted Platform Module . 8
A.3.3 Secure Element . 8
A.3.4 Trusted Execution Environment . 8
A.3.5 FIDO alliance . 8
History . 9


ETSI

---------------------- Page: 3 ----------------------
4 ETSI TR 103 309 V1.1.1 (2015-08)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
Often in order to make today's products and services secure, their usability has to be severely reduced. If an enterprise is
to operate securely in a connected world, every product, system or service that is procured or deployed should be Secure
by Default. It should actually be hard to make them insecure; technology should improve usability without
compromising security.
Standards have been developed which describe how to provide the required features and mechanisms, however
adoption of these into real systems is often slow.
A key reason for slow adoption is the lack of awareness outside the technical community of which security features
exist and how they should be used. Effort is needed to build demand as well as supply.
ETSI

---------------------- Page: 4 ----------------------
5 ETSI TR 103 309 V1.1.1 (2015-08)
1 Scope
The present document is intended to encourage development and adoption of 'secure by default' platform security
technologies by showing how they can be used to effectively solve real business pr
...