Published by Felix Bradley. Modified over 9 years ago.
1
A Security Business Case for the Common Criteria
Marty Ferris
Ferris & Associates, Inc.
202-234-9683
jmferris@erols.com
2
Outline
Security Problem Overview
– Bounding a Moving Target
Role of Standards
Common Criteria
3
Security Concepts and Relationships
[Diagram nodes: Owners; Confidence; Assets; Threats; Exposures; Security Functions; Assurance; Evaluation. Arrow labels: create; to; value; require; that reduce; giving; leads to]
4
Bound the Exposure Problem – Organizational Security Management
Develop Policies and Standards
Develop Operational Security Practices
On-Going Assessment of Security Program
5
Operational Security Practices
Defining “Good Enough”
Risk/Acceptability Model
– Security Program as Starting Place
– Ongoing assessment and refinement
Marketplace dependence for IT Security Solutions
Security Infrastructures Evolve
6
Security Infrastructures
Physical Security
“People” Security
– Internal Personnel Security
– Customer’s Security Role
IT Product, Systems and Services Security
Anomaly Processing
– Identification of Security Events
7
Old Security Infrastructures
[Diagram labels: Physical/People; Communications Security; Computer Security; Application Security]
8
Computer Security - Central Technical Security Infrastructure
Application Security
– Smart Cards
– Browsers
Virtual Private Networks
– Firewalls
– IPSec
– TLS/SSL
Public Key Infrastructure
9
New Security Infrastructures
[Diagram labels: Physical/People; Computer Security; Communications Security; Application Security]
10
Bad Security [figure]
11
Good Security [figure]
12
Security “Reality” [figure]
13
[Diagram labels: Protected Assets; Assets; Security Gap; Actual Asset Exposure (Reality); Asset Protection Policy (Perceived)]
14
The Security Management Challenge: Bounding a Moving Target
Building and Maintaining Security Infrastructures
Managing “Security Gaps”
Security Planning
– Support both IT Vision and Security Policies
– Marketplace dependence
– Best Value Solutions
15
Role of Security Standards
Support Management Process for New IT Services(?)
– Business case for IT Investment
– Cost Containment Strategies
Requirements and specifications
Equivalence and Interoperability
Voluntary consensus vs “de facto”
Limited operational practices context
Compliance assurances
16
Standards Development Process
Business need driven
Scope – within a business context
Balanced participation – open to buyers and sellers of technology as well as technology experts
Document requirements/specifications
Voting process for consensus and resolving disagreements
Public comment
17
What is the Common Criteria
International Standard
Meta-language for describing IT security requirements
– Features and assurances
– Supports both buyer “I need” and Seller “I provide”
How “one applies” the Meta language is:
– Constituent (Seller or Buyer) dependent
Security Management Tool
18
Infrastructure Support for Common Criteria
International Registry of Buyer and Seller requirements
Assurances Laboratories for both Buyer and Seller
International Mutual Acceptance of Features and Assurances
19
Common Criteria Potential Benefits
Better Tool to Bound problem(s)
– More accurate definition of requirements
– Threat and policy
– IT and Non-IT assumptions
– Interoperability and equivalence
– Features and Assurances
20
Common Criteria Potential Benefits (cont.)
Market friendlier
Friendlier to integrating both established and emerging security technologies and practices
Supports buyer’s IT business case development
Supports Seller’s business case to bring IT services to market
21
A Brief History of Common Criteria
[Timeline diagram; axis marks: 1985, 1990, 1997, 1998. Labels: US TCSEC; Federal Criteria; ITSEC 1.2; European National & Regional Initiatives; Canadian Initiatives; CTCPEC 3; ISO Initiatives; Common Criteria Project; NIST’s MSFR; ISO Standard]
22
Common Criteria as International Standard
1990 - Working Group 3, Subcommittee 3, Joint Technical Committee 1 begins addressing IT security
1993 - Member Nations pool resources and assist WG3
Common Criteria (CC) Version 2 provided, May 1998
CC, Version 2, as International Standard ISO/IEC 15408 being reviewed and voted upon
23
Overview of Common Criteria Structure
Part 1 Introduction & Model
– Introduction to Approach
– Terms & Model
– Requirements for Protection Profiles & Security Targets
Part 2 Security Functional Requirements
– Functional Classes
– Functional Families
– Functional Components
– Detailed Req’ts
Part 3 Security Assurance Requirements
– Assurance Classes
– Assurance Families
– Assurance Components
– Detailed Req’ts
– Eval. Assur. Levels
Part 4 Registry of Protection Profiles
24
Common Criteria Look and Feel
Official title - Common Criteria for Information Technology Security Evaluations
Part 1, Introduction
Part 2, Functional Requirements
– Desired information technology security behavior
25
Common Criteria Look and Feel (cont.)
Part 3, Assurance Requirements
– Measures providing confidence that the Security Functionality is effective and correctly implemented
CC intro at
26
Functional Requirements Classes
FAU -- Security Audit (35)
FCO -- Communication (Non-Repudiation) (4)
FCS -- Cryptographic Support (40)
FDP -- User Data Protection (46)
FIA -- Identification & Authentication (27)
FPR -- Privacy (Anonymity, etc.) (8)
FPT -- Protection of Trusted Security Functions (43)
FRU -- Resource Utilization (8)
FTA -- TOE Access (11)
FTP -- Trusted Path (2)
27
Evaluation Assurance Levels
Levels - EAL 1 through 7
– increasing rigor and formalism from 1 up to 7
Seven classes addressed for each level
– Configuration Management
– Delivery and operation
– Development
– Guidance documents
– Life-cycle support
– Testing
– Vulnerability Assessment
28
Vendor/Customer Requirements
Protection Profiles (PP)
– User requirements (“I need”)
– Multiple implementations may satisfy
Security Targets (ST)
– Vendor claims (“I will provide”)
– Implementation specific
Methodology
– First, threats and policy stated
– then Features and Assurances selected
29
CC Product Validation and Evaluation Scheme
Targeted to begin in 1999
Using security specifications from Common Criteria (CC)
Procedures based upon Common Evaluation Methodology (CEM)
Testing and evaluations performed by NVLAP accredited commercial labs
International recognition of evaluations (Mutual Recognition)
Results posted on NIAP’s WWW page
30
Laboratories
NSA’s TTAP laboratories are the Interim CC labs
ARCA Systems, BAH, COACT, CSC, Cygnacom Solutions, NSTL and SAIC
Will have to reapply for CCEVS accreditation
Mutual Recognition between Canada, France, Germany and UK and US for CC-based evaluations
Netherlands are developing their scheme
Australia and New Zealand applying
31
Product evaluations
As of 19 Oct. 98
CC-based Evaluation Completed:
– ITT Dragonfly EAL 2 Guard
– Milkyway Black Hole V3.01 EAL3 Firewall in Canada
CC-based Evaluations Underway 3 EAL2 Firewalls
– Checkpoint
– CISCO Pix
– Lucent Managed Firewall
32
Product evaluations (cont.)
“OS” evaluations underway:
– IBM RS6000 - C2 OS
– IBM NT 4.0 - C2 OS
– IBM SQL Server - C2 DB
– Sybase Anywhere Adaptive Server - C2 DB
33
Assistance
Classes
– schedule on web page (niap.nist.gov)
– CC familiarization, 1 day
– PP development, 4 days
CC Toolbox
– CCDA version 1, (ST), Oct. 98
– PDA version 2, (PP), Dec. 98
– PDA version 1, July 99
– CCDA version 2, Jan. 00
34
Right Time for Common Criteria?