IT: Products, Standards and Dependencies Part 2: Standards

IT Standards

There are four types of standards in IT: official standards, proprietary implementations of standards, unofficial standards, and de facto standards created by vendors. The implementation and the design of the functionality provided are vendor and product specific. In most cases, only computers are interchangeable on a 1:1 basis, and only with devices running the same operating system. The situation is different for network and security devices, as well as for applications. Once a decision has been made in favor of a vendor's products for a particular sub-segment, these products remain part of the vendor's ecosystem. The vendor's goal is for a customer to use as many products as possible from the vendor's proprietary ecosystem. Only within the manufacturer-specific ecosystem is there seamless interaction and coordinated administration. Such vendor-specific ecosystems are the de facto standard for the respective vendors. Vendor-specific ecosystems have a major impact on enterprise IT and are given too little attention by business leaders despite the dependencies that arise. Dependencies are business risks and should be treated as such. Vendors have no interest in their products being easily exchanged for competing products; this would weaken their market position.

Why official standards?

Official standards are essential to ensure that products from different vendors are interoperable with each other: interoperable in terms of communication, data exchange and manageability. For vendors, the reference to support for standards (compliance with standards) is an important selling point. This is how vendor marketing suggests interoperability. However, a vendor must also differentiate its products from the competition. For this reason, standards are usually implemented in a proprietary manner. Full compliance with standards and interoperability is only essential in terms of networking and data exchange. For the rest of the product functionality, differentiation from other vendors' offerings takes precedence. Often, such differentiation is also a prerequisite for integration into a vendor's ecosystem. Official standards are essential for interoperability between products from different vendors. In reality, vendors restrict this interoperability so that only their own products are fully interoperable with each other, including administration.

Who publishes official IT standards?

Standards were originally determined and published by national standards organizations. These are united internationally in the International Standards Organization (ISO). Accordingly, there are international and national standards. However, this does not mean that the national organizations must align their standards with the international ones. Therefore, there are different international standards for the same thing, and national standards that deliberately deviate from international standards. A good example of this is the US standards organization NIST, which deviates from the corresponding ISO standards (ISO/IEC 19790:2012, ISO/IEC 24759:2017) in its new specifications for the evaluation of cryptographic modules (FIPS 140-3), although it refers to the ISO standards.

Standards are published by different organizations whose objectives serve different interests. And these are often the interests of the vendors involved and of national politics.

Standards organizations that are relevant to IT

Relevant in this context means that the standards published by these organizations are used in a wide range of products. However, the use of standards does not mean that products from different vendors are interoperable in all areas.

ISO (International Standards Organisation)

ISO (International Standards Organisation) develops and publishes standards. These include a number of standards that relate to IT in terms of organization, processes and product properties. For example, ISO 27001/27002 standardizes the organization and processes for the security of digital data. The problem with ISO standards for IT is the process of updating the standards. Everything is lengthy and based on consensus. As a result, ISO standards sometimes no longer meet current requirements and practice is farther ahead than ISO standards. Another point is that ISO standards are not binding.

ITU (International Telecommunication Union)

Standards are essential, especially in communications. ITU (International Telecommunication Union) was originally created to develop standards in telephony and telegraphy so as to ensure worldwide interoperability. It is a subsidiary organization of the United Nations (UN) and has expanded its activities to include digital infrastructure. The technical standards of the ITU (ITU-T) are recommendations whose national implementation is voluntary.

IEEE (Institute of Electrical and Electronics Engineers)

IEEE (Institute of Electrical and Electronics Engineers) is, by its own admission, the world's largest technical professional organization dedicated to the advancement of technology for the benefit of mankind. The IEEE's main purpose is to promote technological innovation and excellence for the benefit of mankind. In everyday life, you can find many products that use IEEE standards, both in IT and outside of IT. The problem with IEEE is the "thought leadership" that comes from vendors and is aligned with their commercial interests. Much of what the IEEE does in terms of standards is good. But not all of it. And in terms of security, one should consider the intended application when relying on IEEE standards. Otherwise, protection remains limited and security holes are built in. A good example is MACsec for Ethernet network encryption. For use in a LAN, it is a cost-effective and adequate solution, but for use in a MAN or WAN, the security provided is limited. MACsec is vulnerable to simple denial of service attacks against which there is no control plane protection. This is now explicitly stated in the relevant standards document on page 34: "MACsec does not protect against brute force denial of service attacks that can be mounted by abusing the operation of particular media access control methods through degrading the communication channel or transmitting erroneous media access method specific control frames." Such attacks are part of the normal threat scenario as soon as connections cross public ground. Nevertheless, the NSA, and thus the USA itself, relies on MACsec for network security at the highest level. This is despite the fact that there are established solutions on the market that do not have this security weakness. From an American point of view, there is currently nothing better. From a market point of view there is,  i

IETF (Internet Engineering Task Force)

IETF (Internet Engineering Task Force) aims to make the Internet work better by producing high-quality, relevant technical documents that influence the way people design, use, and manage the Internet. These documents are publicly available as RFCs (Request for Comments), free of charge. Vendor interests also largely come into play at the IETF. "We make standards based on the combined engineering judgment of our participants and our real-world experience in implementing and deploying our specifications." Active participation in a working group has an impact on the design of a standard, and vendors have the most resources to contribute to a working group. Part of this problem is exemplified in an RFC. The dominance of the vendors makes the IETF a political battleground, which does neither the standards nor the design of the standards any good. It should be noted that RFCs differentiate between "MUST" and "SHOULD". Full interoperability is only possible with multilateral adherence to both "MUST" and "SHOULD". The most important truths about the basic principles of networks can be found in RFC 1925.

W3C (World Wide Web Consortium)

The World Wide Web Consortium (W3C) is, according to its own understanding, an international community that develops open standards to ensure the long-term growth of the Internet. This is a bit of an exaggeration, because the Web sits above the Internet Protocol. Nevertheless, the W3C is the most important organization for the further development of the Web and the publication of the corresponding standards. Both for Web applications and for data, files and their use, W3C standards can form the basis for interoperability on the Web (design, development, and use) and for the exchange of data with context (Semantic Web) and files (XML).

MEF

MEF was founded in 2001 as a non-profit international industry consortium and was originally focused on Carrier Ethernet networks and services. Starting in 2015, MEF significantly expanded its scope of work to include additional underlay connectivity services such as optical transport and IP, and overlay services such as SD-WAN. Then, MEF tackled orchestration and automation with its Lifecycle Services Orchestration (LSO) framework and associated interface reference points and APIs. As an industry consortium, the MEF is aligned with the interests of vendors, carriers and product manufacturers. Unlike other standards organizations, the MEF also provides certification services that verify and certify compliance with standards. The scope of activities overlaps with the ITU.

National Standards Organizations

National standards and standardizations are not international standards, but are geared to national circumstances and national interests, especially economic interests. In the USA, the standardization authority NIST is subordinate to the Department of Commerce. In Switzerland, the Schweizerische Normen-Vereinigung (SNV) is responsible for standardization. It is also a member of ISO. Among the most widely used standards are ISO standards. In Germany, the Deutsches Institut für Normung (DIN) is in charge. National standardization organizations are also represented in ISO and sell ISO standards.

Proprietary implementation of official standards in IT

Most standards leave quite a bit of room for maneuver in their implementation and also cover only a subset of a product. In IT, the customer uses products and is dependent on the chosen vendor's implementation of the standard. Therefore, before purchasing or concluding a user contract, it should be clarified to what extent interoperability with existing products and with alternative products is possible. This clarification must not be one-dimensional and limited to functionality (FUNCTIONALITY). Without consideration of monitoring (RUN) and configuration management (CHANGE), problems are inevitable. At the same time, future viability must be taken into account. If a product is not continuously developed, it becomes obsolete relatively quickly and turns into technical debt. This technical debt must be paid, either on an ongoing basis or as an accumulated sum in the foreseeable future. Proprietary implementations are used by vendors to differentiate their products; they can lead to lock-in and increase operating costs, both of which are unintended aspects of a product purchase or use. When products are implemented, official standards make up only a small percentage. Even if a product incorporates standards, it usually remains proprietary. Incidentally, this also applies to open source, except that with open source the code can be adapted to one's own needs.

Unofficial standards

Unofficial standards are publicly available standards that have not been published by a standards organization. However, they can still be shipped as part of other products by default and are, in this respect, vendor-independent de facto standards. A typical example of an unofficial standard is WireGuard, an encryption protocol for IP, the Internet Protocol. It is now part of the Linux kernel and is shipped with virtually all Linux distributions. It is also integrated into Android and is therefore widely used. WireGuard-based solutions are being used more and more, especially in the area of remote access. Both the cryptographic and the network-oriented properties of WireGuard are better than those of IPsec and of SSL VPN. As with the alternatives, WireGuard depends on the appropriate implementation by a vendor. Of course, there are also proprietary implementations of unofficial standards.

De facto standards

De facto standards are manufacturer-specific standards that have become accepted as standards on the market without being defined as such by a standards organization. All operating systems in all their variations are de facto standards. This also applies to the majority of standard programs and in particular to applications that are used in companies, such as SAP, MS Exchange, MS Active Directory, Oracle applications, etc. Even though XML-based file formats are now at least supported and standardized, the data they contain is only fully usable by another program if that program supports all the functions of the program that created them.
Cloud-based applications such as MS Teams are also de facto standards, and result in pushing the customer to use Exchange and Active Directory in the Azure cloud. For full functionality, the customer must come to terms with the fact that it can only be done with Microsoft 365.

Many standards, but still no standard

There is hardly such a thing as the one true standard. If there were, products would be interchangeable at will. In practice, there is a mixture of official standards with unofficial and de facto standards, all implemented in a proprietary manner. Within the ecosystem of one vendor, interoperability works reasonably well, but things don't look so rosy when ecosystems of different vendors are combined. Despite standards.