ASecurityBusinessCasefortheCommonCriteria对于常见的标准安全业务的案例精选课件

1、 A Security Business Case for the Common CriteriaMarty Ferris Ferris & Associates, Inc.202-234-9683jmferriserols第1页，共34页。OutlineSecurity Problem Overview Bounding a Moving Target Role of Standards Common Criteria 第2页，共34页。OwnersConfidenceAssetsThreatsExposuresSecurityFunctionsAssuranceEvaluationcrea

2、tetovaluerequirethatreducegivingleads toSecurity Concepts and Relationships第3页，共34页。Bound the Exposure Problem Organizational Security ManagementDevelop Policies and StandardsDevelop Operational Security PracticesOn-Going Assessment of Security Program第4页，共34页。Operational Security Practices Defining

3、 “Good Enough” Risk/Acceptability ModelSecurity Program as Starting Place Ongoing assessment and refinementMarketplace dependence for IT Security SolutionsSecurity Infrastructures Evolve第5页，共34页。Security InfrastructuresPhysical Security“People” SecurityInternal Personnel SecurityCustomers Security R

4、oleIT Product, Systems and Services SecurityAnomaly ProcessingIdentification of Security Events第6页，共34页。Physical/PeopleCommunications SecurityComputer SecurityApplication SecurityOld Security Infrastructures第7页，共34页。Computer Security-Central Technical Security InfrastructureApplication SecuritySmart

5、 CardsBrowsersVirtual Private NetworksFirewallsIPSecTLS/SSLPublic Key Infrastructure第8页，共34页。Physical/PeopleComputer Security Communications SecurityApplication SecurityNew Security Infrastructures第9页，共34页。Bad Security?第10页，共34页。Good Security?第11页，共34页。Security “Reality”?第12页，共34页。Protected AssetsAs

6、setsSecurity GapActual Asset Exposure(Reality)Asset Protection Policy (Perceived)第13页，共34页。The Security ManagementChallenge:Bounding a Moving TargetBuilding and Maintaining Security Infrastructures Managing “Security Gaps”Security PlanningSupport both IT Vision and Security PoliciesMarketplace depen

7、denceBest Value Solutions第14页，共34页。Role of Security StandardsSupport Management Process for New IT Services(?)Business case for IT InvestmentCost Containment StrategiesRequirements and specificationsEquivalence and Interoperability Voluntary consensus vs “de facto”Limited operational practices conte

8、xtCompliance assurances第15页，共34页。Standards Development ProcessBusiness need drivenScope within a business contextBalanced participation open to buyers and sellers of technology as well as technology expertsDocument requirements/specificationsVoting process for consensus and resolving disagreementsPu

9、blic comment第16页，共34页。What is the Common CriteriaInternational Standard Meta-language for describing IT security requirementsFeatures and assurancesSupports both buyer “I need” and Seller “I provide”How “one applies” the Meta language is:Constituent (Seller or Buyer) dependentSecurity Management Too

10、l第17页，共34页。Infrastructure Support for Common CriteriaInternational Registry of Buyer and Seller requirementsAssurances Laboratories for both Buyer and Seller International Mutual Acceptance of Features and Assurances第18页，共34页。Common Criteria Potential BenefitsBetter Tool to Bound problem(s) More acc

11、urate definition of requirementsThreat and policy IT and Non-IT assumptionsInteroperability and equivalenceFeatures and Assurances第19页，共34页。Common Criteria Potential Benefits (cont.)Market friendlierFriendlier to integrating both established and emerging security technologies and practicesSupports b

12、uyers IT business case development Supports Sellers business case to bring IT services to market第20页，共34页。1985 1990 2019 USTCSECFederalCriteriaITSEC1.2EuropeanNational& RegionalInitiativesCanadianInitiativesCTCPEC3ISOInitiativesCommonCriteriaProjectNISTsMSFRISOStandard2019A Brief History of Common C

13、riteria第21页，共34页。Common Criteria as International Standard1990 - Working Group 3, Subcommittee 3, Joint Technical Committee 1 begins addressing IT security1993 - Member Nations pool resources and assist WG3Common Criteria (CC) Version 2 provided, May 2019CC, Version 2, as International Standard ISO/

14、IEC 15408 being reviewed and voted upon第22页，共34页。Part 3 SecurityAssurance Requirements Assurance Classes Assurance Families Assurance Components Detailed Reqts Eval. Assur. LevelsPart 2 SecurityFunctional Requirements Functional Classes Functional Families Functional Components Detailed ReqtsPart 1I

15、ntroduction & Model Introduction to Approach Terms & Model Requirements for Protection Profiles & Security TargetsPart 4Registry ofProtection ProfilesOverview of Common Criteria Structure第23页，共34页。Common Criteria Look and FeelOfficial title - Common Criteria for Information Technology Security Evalu

16、ations Part 1, IntroductionPart 2, Functional RequirementsDesired information technology security behavior第24页，共34页。Common Criteria Look and Feel(cont.)Part 3, Assurance RequirementsMeasures providing confidence that the Security Functionality is effective and correctly implementedCC intro at 第25页，共

17、34页。Functional Requirements ClassesFAU - Security Audit (35)FCO - Communication (Non-Repudiation) (4)FCS - Cryptographic Support (40)FDP - User Data Protection (46)FIA - Identification & Authentication (27)FPR - Privacy (Anonymity, etc.) (8)FPT - Protection of Trusted Security Functions (43)FRU - Re

18、source Utilization (8)FTA - TOE Access (11)FTP - Trusted Path (2)第26页，共34页。Evaluation Assurance LevelsLevels - EAL 1 through 7increasing rigor and formalism from 1 up to 7Seven classes addressed for each levelConfiguration ManagementDelivery and operationDevelopmentGuidance documentsLife-cycle suppo

19、rtTestingVulnerability Assessment第27页，共34页。Vendor/Customer RequirementsProtection Profiles (PP)User requirements (“I need”)Multiple implementations may satisfySecurity Targets (ST)Vendor claims (“I will provide”)Implementation specificMethodologyFirst, threats and policy statedthen Features and Assu

20、rances selected第28页，共34页。CC Product Validation and Evaluation SchemeTargeted to begin in 2019Using security specifications from Common Criteria (CC)Procedures based upon Common Evaluation Methodology (CEM)Testing and evaluations performed by NVLAP accredited commercial labsInternational recognition

21、of evaluations (Mutual Recognition) Results posted on NIAPs WWW page第29页，共34页。LaboratoriesNSAs TTAP laboratories are the Interim CC labsARCA Systems, BAH, COACT, CSC, Cygnacom Solutions, NSTL and SAICWill have to reapply for CCEVS accreditationMutual Recognition between Canada, France, Germany and UK and US for CC-based evaluationsNetherlands are developin