A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc. 202-234-9683


Outline
- Security Problem Overview – Bounding a Moving Target
- Role of Standards
- Common Criteria

[Figure: Security Concepts and Relationships. Diagram nodes: Owners, Confidence, Assets, Threats, Exposures, Security Functions, Assurance, Evaluation. Edge labels: create, to, value, require, that reduce, giving, leads to.]

Bound the Exposure Problem – Organizational Security Management
- Develop Policies and Standards
- Develop Operational Security Practices
- On-Going Assessment of Security Program

Operational Security Practices
- Defining “Good Enough”
- Risk/Acceptability Model
  - Security Program as Starting Place
  - Ongoing assessment and refinement
- Marketplace dependence for IT Security Solutions
- Security Infrastructures Evolve

Security Infrastructures
- Physical Security
- “People” Security
  - Internal Personnel Security
  - Customer’s Security Role
- IT Product, Systems and Services Security
- Anomaly Processing
  - Identification of Security Events

[Figure: Old Security Infrastructures. Labels: Physical/People; Communications Security; Computer Security; Application Security.]

Computer Security - Central Technical Security Infrastructure
- Application Security
  - Smart Cards
  - Browsers
- Virtual Private Networks
  - Firewalls
  - IPSec
  - TLS/SSL
- Public Key Infrastructure

[Figure: New Security Infrastructures. Labels: Physical/People; Computer Security; Communications Security; Application Security.]

Bad Security ? ?

Good Security ? ?

Security “Reality” ? ?

[Figure: Security gap diagram. Labels: Protected Assets; Assets; Security Gap; Actual Asset Exposure (Reality); Asset Protection Policy (Perceived).]

The Security Management Challenge: Bounding a Moving Target
- Building and Maintaining Security Infrastructures
- Managing “Security Gaps”
- Security Planning
  - Support both IT Vision and Security Policies
  - Marketplace dependence
  - Best Value Solutions

Role of Security Standards
- Support Management Process for New IT Services(?)
  - Business case for IT Investment
  - Cost Containment Strategies
- Requirements and specifications
- Equivalence and Interoperability
- Voluntary consensus vs “de facto”
- Limited operational practices context
- Compliance assurances

Standards Development Process
- Business need driven
- Scope
  - within a business context
- Balanced participation
  - open to buyers and sellers of technology as well as technology experts
- Document requirements/specifications
- Voting process for consensus and resolving disagreements
- Public comment

What is the Common Criteria
- International Standard
- Meta-language for describing IT security requirements
  - Features and assurances
  - Supports both buyer “I need” and Seller “I provide”
- How “one applies” the Meta language is:
  - Constituent (Seller or Buyer) dependent
- Security Management Tool

Infrastructure Support for Common Criteria
- International Registry of Buyer and Seller requirements
- Assurances Laboratories for both Buyer and Seller
- International Mutual Acceptance of Features and Assurances

Common Criteria Potential Benefits
- Better Tool to Bound problem(s)
  - More accurate definition of requirements
  - Threat and policy
  - IT and Non-IT assumptions
  - Interoperability and equivalence
  - Features and Assurances

Common Criteria Potential Benefits (cont.)
- Market friendlier
- Friendlier to integrating both established and emerging security technologies and practices
- Supports buyer’s IT business case development
- Supports Seller’s business case to bring IT services to market

[Figure: A Brief History of Common Criteria. Diagram labels: US TCSEC; Federal Criteria; ITSEC 1.2; European National & Regional Initiatives; Canadian Initiatives; CTCPEC 3; ISO Initiatives; Common Criteria Project; NIST’s MSFR; ISO Standard; 1998.]

Common Criteria as International Standard
- Working Group 3, Subcommittee 3, Joint Technical Committee 1 begins addressing IT security
- Member Nations pool resources and assist WG3
- Common Criteria (CC) Version 2 provided, May 1998
- CC, Version 2, as International Standard ISO/IEC being reviewed and voted upon

Overview of Common Criteria Structure
- Part 1 Introduction & Model
  - Introduction to Approach
  - Terms & Model
  - Requirements for Protection Profiles & Security Targets
- Part 2 Security Functional Requirements
  - Functional Classes
  - Functional Families
  - Functional Components
  - Detailed Req’ts
- Part 3 Security Assurance Requirements
  - Assurance Classes
  - Assurance Families
  - Assurance Components
  - Detailed Req’ts
  - Eval. Assur. Levels
- Part 4 Registry of Protection Profiles

Common Criteria Look and Feel
- Official title - Common Criteria for Information Technology Security Evaluations
- Part 1, Introduction
- Part 2, Functional Requirements
  - Desired information technology security behavior

Common Criteria Look and Feel (cont.)
- Part 3, Assurance Requirements
  - Measures providing confidence that the Security Functionality is effective and correctly implemented
- CC intro at

Functional Requirements Classes
- FAU -- Security Audit (35)
- FCO -- Communication (Non-Repudiation) (4)
- FCS -- Cryptographic Support (40)
- FDP -- User Data Protection (46)
- FIA -- Identification & Authentication (27)
- FPR -- Privacy (Anonymity, etc.) (8)
- FPT -- Protection of Trusted Security Functions (43)
- FRU -- Resource Utilization (8)
- FTA -- TOE Access (11)
- FTP -- Trusted Path (2)

Evaluation Assurance Levels
- Levels - EAL 1 through 7
  - increasing rigor and formalism from 1 up to 7
- Seven classes addressed for each level
  - Configuration Management
  - Delivery and operation
  - Development
  - Guidance documents
  - Life-cycle support
  - Testing
  - Vulnerability Assessment

Vendor/Customer Requirements
- Protection Profiles (PP)
  - User requirements (“I need”)
  - Multiple implementations may satisfy
- Security Targets (ST)
  - Vendor claims (“I will provide”)
  - Implementation specific
- Methodology
  - First, threats and policy stated
  - then Features and Assurances selected

CC Product Validation and Evaluation Scheme
- Targeted to begin in 1999
- Using security specifications from Common Criteria (CC)
- Procedures based upon Common Evaluation Methodology (CEM)
- Testing and evaluations performed by NVLAP accredited commercial labs
- International recognition of evaluations (Mutual Recognition)
- Results posted on NIAP’s WWW page

Laboratories
- NSA’s TTAP laboratories are the Interim CC labs
- ARCA Systems, BAH, COACT, CSC, Cygnacom Solutions, NSTL and SAIC
- Will have to reapply for CCEVS accreditation
- Mutual Recognition between Canada, France, Germany and UK and US for CC-based evaluations
- Netherlands are developing their scheme
- Australia and New Zealand applying

Product evaluations
- As of 19 Oct. 98
- CC-based Evaluation Completed:
  - ITT Dragonfly EAL 2 Guard
  - Milkyway Black Hole V3.01 EAL3 Firewall in Canada
- CC-based Evaluations Underway
- 3 EAL2 Firewalls
  - Checkpoint
  - CISCO Pix
  - Lucent Managed Firewall

Product evaluations (cont.)
- “OS” evaluations underway:
  - IBM RS C2 OS
  - IBM NT C2 OS
  - IBM SQL Server - C2 DB
  - Sybase Anywhere Adaptive Server - C2 DB

Assistance
- Classes
  - schedule on web page (niap.nist.gov)
  - CC familiarization, 1 day
  - PP development, 4 days
- CC Toolbox
  - CCDA version 1, (ST), Oct. 98
  - PDA version 2, (PP), Dec. 98
  - PDA version 1, July 99
  - CCDA version 2, Jan. 00

Right Time for Common Criteria?