Docstoc

business consulting on white bg

Document Sample
business consulting on white bg Powered By Docstoc
					            security consulting




What about the ITSEC?
                       What about the ITSEC?
 security consulting


 Where      it came from
 Where      it is going
 How     it relates to CC and other criteria
 Comparison           of ITSEC/CC/FIPS140 rationale
 Mutual      Recognition
                       Where it came from
 security consulting


 UK   (mainly government) criteria
 German       criteria
 French     and Dutch proposals
 Proposed        new UK criteria
 European        harmonisation ...
                        Where it came from 2
security consulting
                             Security Objectives

                             Security Target
                SEFs                                  Threats


              Traceability
               Analysis
                                               Vulnerability
                                                Analysis


              Functional
               Testing
                                                   Penetration
                                                     Testing

             Correctness                       Effectiveness
                       The future
 security consulting


 Common         Criteria (CC)
  – Upgrade path defined in UK

 Common         Evaluation Method (CEM)
 ISO   standard 15408
 Mutual      Recognition
 Global     market
                       The future 2
 security consulting


 Certificate      Maintenance Scheme (CMS)
  – Based on Logica‟s Traffic Light Method for re-
    evaluation
  – The UK‟s version of RAMP
  – In CC as Maintenance of Assurance (AMA)
                           How it relates to CC and
                           other criteria
     security consulting

         1983          1989   1991       1993         1996   1999
     ORANGE                            FEDERAL
US    BOOK                             CRITERIA


CANADA                               CTCPEC

                                                  COMMON      ISO
                     MEMO 3                       CRITERIA   15408
UK                    DTI

                      ZSEIC    ITSEC
GERMANY

                      B-W-R
FRANCE                BOOK
                                                 How it relates to CC etc -
                                                 2
    security consulting

                                 Typical ITSEC                                                      WARNING:
                                  funcionality                                                      Not to scale
                                                                               B3         A1
                                                                    B2
Functionality




                                                         B1




                                                  C2

                                      C1




                      D                                                   2          3          4        FIPS 140
                                                               1
                 E0                   E1          E2     E3         E4         E5        E6              ITSEC

                EAL0      EAL1      EAL2         EAL3   EAL4       EAL5       EAL6       EAL7              CC
                          Comparisons
    security consulting


   Orange Book                    ITSEC
     – Specific functionality       – General functionality

   FIPS 140                        – General architecture

     – Specific crypto              – Not really for crypto,
       architecture                   but not excluded

   Derived Test                   Requirements case-by-
    Requirements                    case
     – consistency, etc             – more subjective?
                          Comparisons 2
    security consulting


   ITSEC                          CC
     – 163 pages                    – 638 pages
     – E1 to E6                     – EAL1 to EAL7
     – Separate Correctness         – Effectiveness „merged
       and Effectiveness              in‟ with correctness
     – No pre-defined               – No pre-defined
       functionality                  functionality mandated
                          Comparisons 3
    security consulting


   Orange Book/FIPS                 ITSEC/CC
     – Defines the security           – Lets you define the
       “problem”                        security “problem”
     – Guides architecture and        – Allows any “solution”,
       functionality to                 since there may be any
       sensible “solution”              “problem”
     – Defines how it is tested       – Defines what
                                        evaluators must do to
                                        derive how to test it
                          Mutual Recognition -
                          ITSEC
    security consulting


   Originally bi-partite           Extended with bi-
    arrangements                     partite arrangements
     – UK-Germany                    – UK-Australia
     – Germany-France               Applies E1-E6
     – France-UK
                                    Not legally binding
   Then SOG-IS MRA
     – 11 nations in EU
                          Mutual Recognition - CC
    security consulting


   Interim Recognition             Formal Recognition
     – October 1997                  – October 1998
     – UK/US/Canada                  – UK/US/Canada/France/
                                       Germany/Netherlands/A
     – EAL1-EAL3                       ustralia
                                     – EAL1-EAL4

                                    Not legally binding
                      Combined Evaluation
                      Simple Crypto Device
security consulting




                          KM



                          Z
                      Combined Evaluation
                      Example Software
security consulting
                      Product


                                            CA's Crypto
                                       CA     Library




                            Database


                                            O/S Crypto
                        Operating System      Library




                           Hardware          Hardw are
                                              Crypto
                          Combined Evaluation
                          Issues
security consulting

                           User Interface




                                                   CA's Crypto
                                            CA       Library
      Network Interface




                                 Database


                                                   O/S Crypto
                            Operating System         Library




                                Hardware         Hardw are Crypto
                       So; what about the
                       ITSEC?
 security consulting


 ITSEC     experience is very valuable
 ITSECevaluations (and CMS) will be around
 for some time to come
 Puttingevaluations and assessments
 together to get assurance in real systems is
 hard