1 / 34

A Security Business Case for the Common Criteria

A Security Business Case for the Common Criteria. Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com. Outline. Security Problem Overview Bounding a Moving Target Role of Standards Common Criteria . Security Concepts and Relationships. Evaluation. Threats.

melina
Download Presentation

A Security Business Case for the Common Criteria

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683 jmferris@erols.com

  2. Outline • Security Problem Overview • Bounding a Moving Target • Role of Standards • Common Criteria

  3. Security Concepts and Relationships Evaluation Threats Owners leads to create value require Assurance to giving Exposures Assets Confidence reduce that Security Functions

  4. Bound the Exposure Problem – Organizational Security Management • Develop Policies and Standards • Develop Operational Security Practices • On-Going Assessment of Security Program

  5. Operational Security Practices Defining “Good Enough” • Risk/Acceptability Model • Security Program as Starting Place • Ongoing assessment and refinement • Marketplace dependence for IT Security Solutions • Security Infrastructures Evolve

  6. Security Infrastructures • Physical Security • “People” Security • Internal Personnel Security • Customer’s Security Role • IT Product, Systems and Services Security • Anomaly Processing • Identification of Security Events

  7. Old Security Infrastructures Application Security Computer Security Communications Security Physical/People

  8. Computer Security-Central Technical Security Infrastructure • Application Security • Smart Cards • Browsers • Virtual Private Networks • Firewalls • IPSec • TLS/SSL • Public Key Infrastructure

  9. New Security Infrastructures Application Security Communications Security Computer Security Physical/People

  10. Bad Security ?

  11. Good Security ?

  12. Security “Reality” ?

  13. } Security Gap Assets Actual Asset Exposure (Reality) Asset Protection Policy (Perceived) } ProtectedAssets

  14. The Security ManagementChallenge:Bounding a Moving Target • Building and Maintaining Security Infrastructures • Managing “Security Gaps” • Security Planning • Support both IT Vision and Security Policies • Marketplace dependence • Best Value Solutions

  15. Role of Security Standards • Support Management Process for New IT Services(?) • Business case for IT Investment • Cost Containment Strategies • Requirements and specifications • Equivalence and Interoperability • Voluntary consensus vs “de facto” • Limited operational practices context • Compliance assurances

  16. Standards Development Process • Business need driven • Scope – within a business context • Balanced participation • open to buyers and sellers of technology as well as technology experts • Document requirements/specifications • Voting process for consensus and resolving disagreements • Public comment

  17. What is the Common Criteria • International Standard Meta-language for describing IT security requirements • Features and assurances • Supports both buyer “I need” and Seller “I provide” • How “one applies” the Meta language is: • Constituent (Seller or Buyer) dependent • Security Management Tool

  18. Infrastructure Support for Common Criteria • International Registry of Buyer and Seller requirements • Assurances Laboratories for both Buyer and Seller • International Mutual Acceptance of Features and Assurances

  19. Common Criteria Potential Benefits • Better Tool to Bound problem(s) • More accurate definition of requirements • Threat and policy • IT and Non-IT assumptions • Interoperability and equivalence • Features and Assurances

  20. Common Criteria Potential Benefits (cont.) • Market friendlier • Friendlier to integrating both established and emerging security technologies and practices • Supports buyers IT business case development • Supports Seller’s business case to bring IT services to market

  21. A Brief History of Common Criteria 1985 1990 1997 Canadian Initiatives CTCPEC 3 US TCSEC Common Criteria Project NIST’s MSFR Federal Criteria European National & Regional Initiatives ITSEC 1.2 1998 ISO Initiatives ISO Standard

  22. Common Criteria as International Standard • 1990 - Working Group 3, Subcommittee 3, Joint Technical Committee 1 begins addressing IT security • 1993 - Member Nations pool resources and assist WG3 • Common Criteria (CC) Version 2 provided, May 1998 • CC, Version 2, as International Standard ISO/IEC 15408 being reviewed and voted upon

  23. Overview of Common Criteria Structure • Part 3Security • Assurance Requirements • Assurance Classes • Assurance Families • Assurance • Components • Detailed Req’ts • Eval. Assur. Levels • Part 2Security • Functional Requirements • Functional Classes • Functional Families • Functional • Components • Detailed Req’ts • Part 1 • Introduction & Model • Introduction to • Approach • Terms & Model • Requirements for • Protection Profiles • & Security Targets Part 4 Registry of Protection Profiles

  24. Common Criteria Look and Feel • Official title - Common Criteria for Information Technology Security Evaluations • Part 1, Introduction • Part 2, Functional Requirements • Desired information technology security behavior

  25. Common Criteria Look and Feel(cont.) • Part 3, Assurance Requirements • Measures providing confidence that the Security Functionality is effective and correctly implemented • CC intro at <http://csrc.nist.gov/cc/info/cc-sum/content.htm>

  26. Functional Requirements Classes • FAU -- Security Audit (35) • FCO -- Communication (Non-Repudiation) (4) • FCS -- Cryptographic Support (40) • FDP -- User Data Protection (46) • FIA -- Identification & Authentication (27) • FPR -- Privacy (Anonymity, etc.) (8) • FPT -- Protection of Trusted Security Functions (43) • FRU -- Resource Utilization (8) • FTA -- TOE Access (11) • FTP -- Trusted Path (2)

  27. Evaluation Assurance Levels • Levels - EAL 1 through 7 • increasing rigor and formalism from 1 up to 7 • Seven classes addressed for each level • Configuration Management • Delivery and operation • Development • Guidance documents • Life-cycle support • Testing • Vulnerability Assessment

  28. Vendor/Customer Requirements • Protection Profiles (PP) • User requirements (“I need”) • Multiple implementations may satisfy • Security Targets (ST) • Vendor claims (“I will provide”) • Implementation specific • Methodology • First, threats and policy stated • then Features and Assurances selected

  29. CC Product Validation and Evaluation Scheme • Targeted to begin in 1999 • Using security specifications from Common Criteria (CC) • Procedures based upon Common Evaluation Methodology (CEM) • Testing and evaluations performed by NVLAP accredited commercial labs • International recognition of evaluations (Mutual Recognition) • Results posted on NIAP’s WWW page

  30. Laboratories • NSA’s TTAP laboratories are the Interim CC labs • ARCA Systems, BAH, COACT, CSC, Cygnacom Solutions, NSTL and SAIC • Will have to reapply for CCEVS accreditation • Mutual Recognition between Canada, France, Germany and UK and US for CC-based evaluations • Netherlands are developing their scheme • Australia and New Zealand applying

  31. CC-based Evaluation Completed: ITT Dragonfly EAL 2 Guard Milkyway Black Hole V3.01 EAL3 Firewall in Canada CC-based Evaluations Underway 3 EAL2 Firewalls Checkpoint CISCO Pix Lucent Managed Firewall Product evaluationsAs of 19 Oct. 98

  32. Product evaluations(cont.) • “OS” evaluations underway: • IBM RS6000 - C2 OS • IBM NT 4.0 - C2 OS • IBM SQL Server - C2 DB • Sybase Anywhere Adaptive Server - C2 DB

  33. Classes schedule on web page (niap.nist.gov) CC familiarization, 1 day PP development, 4 days CC Toolbox CCDA version 1, (ST), Oct. 98 PDA version 2, (PP), Dec. 98 PDA version 1, July 99 CCDA version 2, Jan. 00 Assistance

  34. Right Time for Common Criteria?

More Related