250 likes | 392 Views
Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on Sustainable Rural Communications” (Bangalore, India, 17-18 December 2012). Sustainable Broadband Communications: International Perspective – Common Criteria. David Martin,
E N D
Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on Sustainable Rural Communications”(Bangalore, India, 17-18 December 2012) Sustainable Broadband Communications: International Perspective – Common Criteria David Martin, Head of International Assurance, Common Criteria Scheme Director, CESG, UK, david.martin@cesg.gsi.gov.uk
David Martin Involved in Information Assurance Standards for many years Chair of International Common Criteria Development Board Scheme Director for the UK Common Criteria Scheme (operated by UK government) Representing UK Scheme - reporting on new CC vision statement
Common Criteria - Background • Standards for Assurance of IT Product Security • 26 Nations (more to come) • 16 Nations evaluate/certify products • Also an ISO standard (15408 and 18045) • Run by a Management Committee (with an executive to support) and a Development Board
Common Criteria – The Value • Manufacturers do not have to evaluate products in multiple places. • Evaluation is very expensive in time and money • Good cyber defence (and sustainable telecom) needs many more products evaluated • All nations agree and procure to the common standard • Industry involvement (CCUF)
Common Criteria – New Vision – Rationale -1 • CC usage has been little changed for more than 12 years • A number of nations found that:- • The focus on ‘assurance level (EAL)’ was damaging product security • Not enough products are evaluated - Cyber defence needs many more • Expertise is applied in the wrong place, inconsistently, and without wide peer review.
Common Criteria – New Vision – Rationale -2 • Smartcard Community has developed a very effective way of using CC • Work has taken place to support a similar approach for general IT products • Resulting in the CCMC (management Committee) vision statement – published in September 2012
For more information Common Criteria Portal: www.commoncriteriaportal.org • The vision statement links from the front page • Other links show the products, schemes, operating documents etc. • Also see CCUF at www.ccusersforum.org
Other Important developments Common view on cryptography Security Configuration Automation Strong Linkage to Vulnerability/Weakness reporting Supply Chain working group Consistent Government Procurement (and other major users) – addressing what ‘recognition’ really means
Procurement Links Provide developers with larger market Lower cost and better products Recognise there may be additional national needs These are likely to be <5% of market Major requirement is common and delivered by evaluation anywhere
Common Criteria – New Vision – Summary • More assurance than a simple ‘EAL approach’ • Uses worldwide expertise, instead of relying on single ‘expert’ • Open, Transparent, Repeatable – as befitting an International Standard • Step change in volume – better for cyberdefence • Lowers procurement costs
Further detail • First International Technical Community about to launch – based on USB storage device • Many more to follow next year • Already many TCs exist (mostly US based)
Example TC Areas Networking (NDPP, Firewalls, VPNs, etc) Storage (USB, Hard disks, etc) Applications on Operating systems Mobile telecoms (VOIP, SIP, MDM, etc) Multifunction devices (printers etc.)
Process to form an iTC • Not yet fully defined but likely to be:- • Work with national bodies to formulate an ESR (Essential Security Requirements) • Obtain commitment • Start iTC – using CCUF etc. • Publish cPP (and supporting documents) • Continual update
Outline Process & Detail Notes (1) CCUF CCMC CCDB portal CCDB Work Group Request iTC formation Solicit iTC members Establish levels of commitment & Committed Nations Initiate iTC Define Workplan CreateESR Draft ToRs Define ToRs Agree initial iTC Chair&hold initial meeting Elect Chair iTC entry Define infrastructure
Outline Process & Detail Notes (2) Levels of commitment: • Intention to Adopt – Mandated • Intention to Adopt – Recommended • Uncommitted • Opposed Only those with an Intention to Adopt can vote on ESR contents. Intention to Adopt is refreshed every 6 months (by CCDB) as part of monitoring progress. Levels may change, but reducing commitment requires a rationale.
GISFI Applicability • 3GPP discussion – potential development of cPPs • Could extend to system approaches • Key is to have the real technical expertise setting the standards • CCRA maintains the fairness, the reliability/reputation, and the worldwide recognition for vendors • 3GPP sets the technical standards
Conclusions and Recommendations This time of change for CCRA is a good time to get involved! Look at www.commoncriteriaportal.org Join CCUF (no cost) www.ccusersforum.org Great opportunity for 3GPP to use CCRA for its needs (become an international Technical Community) Liaison request from GISFI