a security business case for the common criteria
DESCRIPTION
A Security Business Case for the Common Criteria. Marty Ferris Ferris & Associates, Inc. 202-234-9683 [email protected]. Outline. Security Problem Overview Bounding a Moving Target Role of Standards Common Criteria . Security Concepts and Relationships. Evaluation. Threats. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/1.jpg)
A Security Business Case for the
Common Criteria
Marty Ferris Ferris & Associates, Inc.
![Page 2: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/2.jpg)
Outline
• Security Problem Overview – Bounding a Moving Target
• Role of Standards • Common Criteria
![Page 3: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/3.jpg)
Owners
ConfidenceAssets
Threats
Exposures
SecurityFunctions
Assurance
Evaluation
create
to
value require
thatreduce
giving
leads to
Security Concepts and Relationships
![Page 4: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/4.jpg)
Bound the Exposure Problem – Organizational Security
Management
• Develop Policies and Standards• Develop Operational Security
Practices• On-Going Assessment of Security
Program
![Page 5: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/5.jpg)
Operational Security Practices Defining “Good Enough”
• Risk/Acceptability Model– Security Program as Starting Place – Ongoing assessment and refinement
• Marketplace dependence for IT Security Solutions
• Security Infrastructures Evolve
![Page 6: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/6.jpg)
Security Infrastructures
• Physical Security• “People” Security
– Internal Personnel Security– Customer’s Security Role
• IT Product, Systems and Services Security
• Anomaly Processing– Identification of Security Events
![Page 7: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/7.jpg)
Physical/People
Communications Security
Computer Security
Application Security
Old Security Infrastructures
![Page 8: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/8.jpg)
Computer Security-Central Technical Security
Infrastructure• Application Security
– Smart Cards– Browsers
• Virtual Private Networks– Firewalls– IPSec– TLS/SSL
• Public Key Infrastructure
![Page 9: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/9.jpg)
Physical/People
Computer Security
Communications Security
Application Security
New Security Infrastructures
![Page 10: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/10.jpg)
Bad Security
?
![Page 11: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/11.jpg)
Good Security
?
![Page 12: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/12.jpg)
Security “Reality”
?
![Page 13: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/13.jpg)
Protected Assets
Assets
Security Gap
}} Actual
Asset Exposur
e(Reality)
Asset Protection
Policy (Perceived)
![Page 14: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/14.jpg)
The Security ManagementChallenge:
Bounding a Moving Target
• Building and Maintaining Security Infrastructures
• Managing “Security Gaps”• Security Planning
– Support both IT Vision and Security Policies
– Marketplace dependence– Best Value Solutions
![Page 15: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/15.jpg)
Role of Security Standards
• Support Management Process for New IT Services(?)– Business case for IT Investment– Cost Containment Strategies
• Requirements and specifications• Equivalence and Interoperability • Voluntary consensus vs “de facto”• Limited operational practices context• Compliance assurances
![Page 16: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/16.jpg)
Standards Development Process• Business need driven• Scope – within a business context• Balanced participation
– open to buyers and sellers of technology as well as technology experts
• Document requirements/specifications• Voting process for consensus and
resolving disagreements• Public comment
![Page 17: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/17.jpg)
What is the Common Criteria
• International Standard Meta-language for describing IT security requirements– Features and assurances– Supports both buyer “I need” and Seller “I
provide”• How “one applies” the Meta language
is:– Constituent (Seller or Buyer) dependent
• Security Management Tool
![Page 18: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/18.jpg)
Infrastructure Support for Common Criteria
• International Registry of Buyer and Seller requirements
• Assurances Laboratories for both Buyer and Seller
• International Mutual Acceptance of Features and Assurances
![Page 19: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/19.jpg)
Common Criteria Potential Benefits
• Better Tool to Bound problem(s) – More accurate definition of
requirements– Threat and policy – IT and Non-IT assumptions– Interoperability and equivalence– Features and Assurances
![Page 20: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/20.jpg)
Common Criteria Potential Benefits (cont.)
• Market friendlier• Friendlier to integrating both
established and emerging security technologies and practices
• Supports buyers IT business case development
• Supports Seller’s business case to bring IT services to market
![Page 21: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/21.jpg)
1985 1990 1997
USTCSEC
FederalCriteria
ITSEC1.2
EuropeanNational
& RegionalInitiatives
CanadianInitiatives
CTCPEC3
ISOInitiatives
CommonCriteriaProject
NIST’sMSFR
ISOStandard
1998
A Brief History of Common Criteria
![Page 22: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/22.jpg)
Common Criteria as International Standard
• 1990 - Working Group 3, Subcommittee 3, Joint Technical Committee 1 begins addressing IT security
• 1993 - Member Nations pool resources and assist WG3
• Common Criteria (CC) Version 2 provided, May 1998
• CC, Version 2, as International Standard ISO/IEC 15408 being reviewed and voted upon
![Page 23: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/23.jpg)
Part 3 SecurityAssurance Requirements
• Assurance Classes
• Assurance Families
• Assurance Components
• Detailed Req’ts
• Eval. Assur. Levels
Part 2 SecurityFunctional Requirements
• Functional Classes
• Functional Families
• Functional Components
• Detailed Req’ts
Part 1Introduction & Model
• Introduction to Approach
• Terms & Model
• Requirements for Protection Profiles & Security Targets
Part 4Registry ofProtection Profiles
Overview of Common Criteria Structure
![Page 24: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/24.jpg)
Common Criteria Look and Feel
• Official title - Common Criteria for Information Technology Security Evaluations
• Part 1, Introduction• Part 2, Functional Requirements
– Desired information technology security behavior
![Page 25: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/25.jpg)
Common Criteria Look and Feel(cont.)
• Part 3, Assurance Requirements– Measures providing confidence
that the Security Functionality is effective and correctly implemented
• CC intro at <http://csrc.nist.gov/cc/info/cc-sum/content.htm>
![Page 26: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/26.jpg)
Functional Requirements Classes
• FAU -- Security Audit (35)• FCO -- Communication (Non-Repudiation) (4)• FCS -- Cryptographic Support (40)• FDP -- User Data Protection (46)• FIA -- Identification & Authentication (27)• FPR -- Privacy (Anonymity, etc.) (8)• FPT -- Protection of Trusted Security
Functions (43)• FRU -- Resource Utilization (8)• FTA -- TOE Access (11)• FTP -- Trusted Path (2)
![Page 27: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/27.jpg)
Evaluation Assurance Levels• Levels - EAL 1 through 7
– increasing rigor and formalism from 1 up to 7• Seven classes addressed for each level
– Configuration Management– Delivery and operation– Development– Guidance documents– Life-cycle support– Testing– Vulnerability Assessment
![Page 28: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/28.jpg)
Vendor/Customer Requirements
• Protection Profiles (PP)– User requirements (“I need”)– Multiple implementations may satisfy
• Security Targets (ST)– Vendor claims (“I will provide”)– Implementation specific
• Methodology– First, threats and policy stated– then Features and Assurances selected
![Page 29: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/29.jpg)
CC Product Validation and Evaluation Scheme
• Targeted to begin in 1999• Using security specifications from
Common Criteria (CC)• Procedures based upon Common
Evaluation Methodology (CEM)• Testing and evaluations performed by
NVLAP accredited commercial labs• International recognition of evaluations
(Mutual Recognition) • Results posted on NIAP’s WWW page
![Page 30: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/30.jpg)
Laboratories• NSA’s TTAP laboratories are the Interim CC
labs• ARCA Systems, BAH, COACT, CSC,
Cygnacom Solutions, NSTL and SAIC• Will have to reapply for CCEVS accreditation• Mutual Recognition between Canada,
France, Germany and UK and US for CC-based evaluations
• Netherlands are developing their scheme• Australia and New Zealand applying
![Page 31: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/31.jpg)
Product evaluations As of 19 Oct. 98
• CC-based Evaluation Completed:– ITT Dragonfly
EAL 2 Guard– Milkyway Black
Hole V3.01 EAL3 Firewall in Canada
• CC-based Evaluations Underway
• 3 EAL2 Firewalls – Checkpoint– CISCO Pix– Lucent Managed
Firewall
![Page 32: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/32.jpg)
Product evaluations(cont.)
• “OS” evaluations underway:– IBM RS6000 - C2 OS– IBM NT 4.0 - C2 OS– IBM SQL Server - C2 DB– Sybase Anywhere Adaptive
Server - C2 DB
![Page 33: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/33.jpg)
Assistance
• Classes– schedule on web
page (niap.nist.gov)
– CC familiarization, 1 day
– PP development, 4 days
• CC Toolbox– CCDA version 1,
(ST), Oct. 98– PDA version 2,
(PP), Dec. 98– PDA version 1,
July 99– CCDA version 2,
Jan. 00
![Page 34: A Security Business Case for the Common Criteria](https://reader033.vdocuments.net/reader033/viewer/2022042500/56815e3d550346895dcca7b5/html5/thumbnails/34.jpg)
Right Time for Common Criteria?