22.2403GPPRelease 17Service requirements for 3GPP Generic User Profile (GUP)Stage 1TS
Secure mechanisms shall be available for the transfer of User Profile data to, from or between authorised entities. Access to User Profile data shall only be permitted in an authorised and secure manner. The secure mechanisms to be applied shall be appropriate to the level of confidentiality of the data, the endpoints of the transfer and the routes that are available for the transfer of the data. The owner of the data, normally the body storing the master copy of the data, shall be responsible for applying the appropriate level of security to the transfer of the data.
The secure mechanisms available shall include the following:
1. Authentication of consumer
Before any user data transfer takes place, it shall be possible for the supplier of the data to verify the identity of the consumer.
2. Authentication of supplier
It shall be possible for the consumer of data to identify the supplier.
3. It is permissible for either the supplier or consumer of data to employ the services of a third party, known to, and trusted by, both in order to provide authentication of identity.
4. The validity of an authentication of identity shall, if required, be subject to a maximum time limit.
5. It shall be possible for the supplier of data to render the data to be unreadable by any party not authorised to receive it.
6. It shall be possible for the consumer of data to detect whether the data have been tampered with during transmission. .
7. The security mechanisms shall provide verification that the data has been sent by the supplier and received by the consumer (non-repudiation).
8. It shall be possible for the supplier and/or the consumer to create an audit log of all GUP data transfer transactions of a specified type, provided that this requirement is made known before any transfer takes place
9. User profile data in general is proprietary data. This data may not be shared with unauthorized entities. Access control to the data is required. This access control must also apply to data which is located at legacy systems, currently without own access control functionality.
10. Correct setting of data values in the user profile may be critical for the integrity of certain network services. Therefore, consistency checks are needed to minimise the risk.
11. Transaction security for the change of data should be available in order to ensure the consistent change of data at different locations.