
Testing and Evaluation of Privacy Enhancing Technologies using the Common Criteria


Presentation Transcript


  1. Testing and Evaluation of Privacy Enhancing Technologies using the Common Criteria Paul Zatychec Director EWA-Canada Ltd

  2. Commissioner’s Challenge • Yesterday, Commissioner Cavoukian issued 2 charges: • Find the [privacy] design correlates in architecture! • “Privacy is not just about risk aversion, it’s about attracting opportunity.” • This presentation is about a commitment to a practical means of rising to these challenges.

  3. AIM • Present work done on a formal, standards-based approach for dealing with Privacy Considerations in technology • Raise awareness and open a dialogue

  4. Outline • History • Goals, Motivation and Challenges • Highlight key messages • What are the Common Criteria and why the Privacy community should care • Describe evaluation and certification process • Conclude with what this means • Open Discussion

  5. History • Situation: Development and Use of Privacy Enhancing Technologies have not lived up to the promising scenario of the mid-1990s. • IPC wanted to boost the development and use of Privacy Enhancing Technologies

  6. More History • Formed an international team to take on the challenge of developing testing criteria for PETs • Value: level playing field for developers, common understanding for organisations deploying PETs • Part of a project named and created by John Borking (father of PETs) • IPC/CSE and EWA-Canada conducted a joint study to adapt the CC for Privacy

  7. Our Goals Build an internationally accepted framework that will: • Provide engineering standards and guidance to technology developers and consumers on how to formally specify and build privacy requirements and functionality into new products • Allow products to be independently evaluated and Certified as Privacy Enhancing Technologies if they meet these requirements

  8. Motivation

  9–16. [Diagram, built up incrementally over slides 9 to 16: “ASSURANCE for e-BUSINESS” / “ACTIVE SECURITY CYCLE”. Centre: eBUSINESS IT SYSTEM OPERATIONS, with OPS Metrics and Process Metrics feeding Risk Management Decisions. Surrounding elements: Real World Volatility (Changing Threats, New Exposures, E-Business environment); Developmental Certification & Accreditation; On-Going Accreditation (Visible Maps / Status, Configuration Management Tools, Minor System Adjustments, Major System Changes); Current Vulnerabilities (Alarms, Incidents / Trends; Throughput / Availability; Performance Monitoring & Network Management; Intrusion Detection Systems, Firewalls; Security Posture Assessment Tools); Recovery Plan, Business Impact Analysis, Business Continuity Plan; People, Process, Technology; Process Improvement (PI), Capability Maturity.]

  17. Motivation • Internationally accepted engineering standards and methodologies for privacy do not yet exist • Huge opportunity for Canadian leadership and contribution to the global privacy community • Clear demand! • Address both public and private concerns

  18. More Motivation • Need to differentiate products based on privacy characteristics (... finding the opportunity part) • Create a formal system to prove or disprove vendor claims to reduce snake oil and partial solutions

  19. 4 Challenges • How to formally and measurably deal with Privacy Considerations for IT with credible due diligence/care regarding requirements defined in legislation, regulation, codes of ethics and best practices? “Demonstrably” means: • Claims are precise and confirmed through independent analysis via credible third party • Privacy enhancing functionality has been independently evaluated, tested and documented • Technologies that meet specified measurable requirements are Certified by national authorities

  20. 4 Challenges (Cont’d) • Need to create a comprehensive framework that can be used by developers to build privacy functionality into their products • Framework must provide confidence to people buying and using technologies that vendor privacy claims are real • How can we leverage international approaches for certification of IT security standards and enhance these for emerging privacy considerations?

  21. Key Messages • We are working on a globally recognized, standards-based system to encourage formal specification and independent evaluation of IT for privacy considerations • Objective is to foster increased trust and confidence that responsible vendor privacy claims are demonstrably and provably real

  22. Key Messages (2) • The new standard will be an extension of the ISO 15408 Common Criteria for IT Security Evaluation • It will recognize the distinct and complementary nature of IT Security, Privacy and Assurance requirements • Successful evaluations will lead to certification by national authorities and these certifications will be mutually recognized in at least 16 countries world-wide

  23. Leadership and Contribution • The work is being done under the leadership of the IPC (Mike Gurski) in conjunction with CSE, EWA-Canada and IBM. • Sister agencies to CSE in the U.S. and other countries, as well as product vendors and government departments are interested in this work. • Intention is to bring the completed work to the EU and other nations

  24. Executive Support from Canada’s Privacy Commissioners • This approach has been formally and unanimously endorsed by all of the provincial Privacy Commissioners in June 2002, with the concurrence of the Federal Privacy Commissioner, who recognize the value of this leadership opportunity.

  25. Why? • One of the reasons is to create a mechanism that allows organizations to exercise appropriate due diligence and due care with respect to privacy and be robust enough to meet their formal compliance obligations and legislative requirements • The privacy-extended Common Criteria will be fully traceable to mature privacy legislation, models and codes

  26. What are the Common Criteria and Why Should We Care?

  27. Common Criteria ISO 15408 • International ISO IT Security standard for formally specifying IT Security Requirements and how these are to be independently evaluated and tested so products may be formally certified as being trustworthy • 3-Part Standard, plus evaluation methodology

  28. What is an Evaluation? • Independent Verification and Validation (IV&V) by an accredited and competent Trusted Third Party • Provides a basis for international Certification against specific formal standards (i.e. CC) by national authorities

  29. [Diagram: Information Asset Owners require Privacy Requirements to protect Privacy Rights; the Evaluation Process, Assurance Techniques and Independent Evaluations produce and provide formal evidence of Assurance, giving Information Asset Owners Confidence that Privacy Rights are Properly Managed.]

  30. CC Evaluations Involve: • ANALYSIS • Product Documentation • Product Design (Security & Privacy Focus) • Development Processes & Procedures • Operation & Administration Guidance and Procedures • Vulnerability Assessments • TESTING • Independent & Witnessed • Fully Documented & Repeatable • REPORTS • Lead to International Certification

  31. Scope • Interviews • Full Documentation Review • Independent Testing • Witness of Developer Testing • Observation Reports When Required • Deliverables: • Security/Privacy Target or Protection Profile • Evaluation Technical Report • Certification Report (published by CSE, and recognized by NSA and other Certification Bodies)

  32. Why should we care? • The CC are a flexible standard with a proven methodology already recognized in 16 countries that can be extended to include all privacy requirements • We need to deal with the complementary distinctions between privacy and security in a single, holistic standard • Need for credibility • Developers need formal standards

  33. Decoding CC Terminology • Security Target (ST) or Protection Profile (PP) • Requirements Specification in CC Terms • Covers Privacy and Security “Functional Requirements” and “Assurance Requirements” • Things like: Environment, Threats, Security Objectives & Assumptions etc. • TOE = Target of Evaluation = IT product or system

  34. CC Terminology (Cont’d) • Assurance Classes • Configuration Management • Delivery & Operation • Development (including design) • Guidance Documentation (User & Administrator) • Life Cycle Support (at higher levels) • Tests • Vulnerability Assessment • Functional Classes • Many Types (product dependent & defined in ST)

  35. What Do CC Evaluations Give Us? • Confidence & Trust in privacy and security characteristics of products and the processes used to develop and support them (full product life cycle) • Build official assurance arguments • Prove technologies are indeed privacy enhancing as claimed • formal, independently verifiable and repeatable methods • Provide basis for international certification • Provide Certification Report • Differentiate products • Formally support demonstrable due diligence/care

  36. How the Process Works • Privacy (and security) requirements for a technology and associated claims are precisely specified using the CC • Technology is built, documented and tested to these requirements • Technology is submitted to nationally accredited labs for evaluation against the standards • Evaluation is conducted under the oversight of national authority

  37. Process (Continued) • Once vendor claims are proven, national authority confers certification and publishes a Certification Report • Results are internationally recognized under a Mutual Recognition Arrangement

  38. How does the CC Currently Deal with Privacy? • Security and Assurance Requirements are Enablers for Privacy Enhancing Technologies • Currently CC are Insufficient for Privacy • Limited to only 4 Basic Areas of Privacy: • FPR_ANO Anonymity • FPR_PSE Pseudonymity • FPR_UNL Unlinkability • FPR_UNO Unobservability • Clearly these are insufficient to meet all of the privacy requirements

  39. Requirements for Privacy Extensions • Different legislative requirements • Canada is great place to start • International • Regulatory requirements for different sectors • e.g. healthcare, financial, telcos etc. • Build on accepted standard Fair Information Practice Statements • Leverage Mature Privacy Models

  40. Proposed Extensions (1/2) • Accountability • Identifying purposes • Inform (prior to consent) • Consent • Collection • Limiting linkability • Limiting collection

  41. Proposed Extensions (2) • Limiting Use, Disclosure, retention • Accuracy • Safeguards • Openness • Individual Access • Challenging Compliance

  42. When? • Formal Privacy Functional Requirements for 2 of the Fair Information Practice Statements have already been done in a proof of concept demonstration, and results have been vetted by world-renowned privacy experts • Remaining FIPS and associated evaluation methodology can be done within 6-9 months • Initial standard will then be fully ready for use

  43. What this Means • We are creating a robust and technically sound standard to allow and encourage technology developers to specify, build, document and test their solutions against formal requirements that are being vetted by world-leading privacy experts • Certification of Privacy Enhancing Technologies will require independent verification by accredited labs under national level oversight for credibility

  44. Way Ahead 1. Finish the Development of the FPR Class of CC Part 2 Privacy Functional Requirements • Continue Process for remaining 9 FIPS 2. Define useful packages and comprehensive Protection Profiles and Privacy Targets 3. Develop Example/Sample Privacy Policy Statements 4. Evaluate and certify products 5. Go Global!

  45. Questions? Paul Zatychec pzatychec@ewa-canada.com (613) 230.6067 ext 1227
