An Overview of Common Criteria Protection Profiles
María M. Larrondo Petrie, PhD
March 26, 2004
Slide 2: Overview
- Common Criteria (CC)
- Information Assurance (IATFF)
- CC Protection Profiles
  - Structure
  - Development Tools
- Case Study: Role Based Access Control
- References
Slide 3: Common Criteria
- Common Criteria (CC): replaces the security criteria and procedures used in the (14) Common Criteria nations, with the objective that product evaluations conducted in one nation would be accepted in other nations
- US entities involved in CC: the National Information Assurance Partnership (NIAP), a partnership between:
  - National Institute of Standards and Technology (NIST)
  - National Security Agency (NSA)
Slide 4: Common Criteria: What is it?
- Common Criteria (CC): a catalog of criteria and a framework for organizing a subset of the criteria into security specifications
- Who uses it?
  - Developers
  - Product Vendors
  - Accreditors
  - Certifiers
  - Approvers
  - Consumers
  - Evaluators
Slide 5: Common Criteria: Evolution of International Security Standards
- Orange Book (TCSEC), 1985
- UK Confidence Levels, 1989
- German Criteria
- French Criteria
- ITSEC, 1991
- Canadian Criteria (CTCPEC), 1993
- Federal Criteria (FC), Draft 1993
- Common Criteria: V 1.0 1996, V 2.0 1998, V 2.1 1999
- ISO International Standard 15408, 1999
Slide 6: Common Criteria - Terminology
- PP: Protection Profile: implementation-independent criteria
- SP: Security Profile: implementation-dependent criteria
- TOE: Target of Evaluation: what you are describing, i.e. your product
- EAL: Evaluation Assurance Level: CC assurance levels; 7 hierarchical levels, EAL1 through EAL7; EAL1 (least amount)
- CEM: Common Evaluation Method: set of steps for validating assurance requirements in a SP; only addresses levels EAL1 through EAL4
Slide 7: CC Protection Profile (PP)
- High-level expression of desired security properties (i.e. security environment, security objectives and security requirements)
- A mechanism to give Consumers the ability to specify their security requirements
- Generic, so many implementations may meet the stated requirements
- PP represents "I want"
(from giles.ppt)
Slide 8: CC Security Target (ST)
- High-level expression of claimed security properties
- A mechanism to give Vendors the ability to make claims regarding their security products
- Specific to an implementation
- ST represents "I provide"
Slide 9: IATFF
- What? A security guidance document created by NSA's ISSO organization with support from security advocates in government and industry
- Constraints?
  - Unclassified
  - Published on the Internet
- Primary coordination forum? Information Assurance Technical Framework Forum (IATFF)
Slide 10: IATF
- Help government users become shrewder consumers when implementing security solutions
- Assist industry in understanding the government's needs and the nature of the desired solutions to those needs
- Focus Government and Industry investment resources on the security technology gaps
Slide 11: How does the Framework help Government Users?
- By describing their needs to the industry providers
- By "recommending" the essential characteristics of security solutions for various classes of problems
- By providing an assessment of the security technology available on the open market
Slide 12: [Diagram; labels:] Security Countermeasures; Non Technical; Security Methodology; Mission Needs; National/Service/Agency Policies, Regulations, Standards; Adversaries, Motivations, and Attacks; Organizational Security Policy; Risk Assessment; Certification and Accreditation; Life-Cycle Security Management
Slide 13: Flow from Policy to Specification
[Diagram; labels:]
- National Policy: NSTISSIC, NSTISSAM
- GIG Policy
- Intel Comm. DCID 6/3
- GIG IA Policy & Implementation Guidance
- GIG Architecture: Services, Protocols, etc.
- People; Technology; Operations
- Information Assurance Technical Framework: Defend the Computing Environment; Defend the Network & Infrastructure; Defend the Enclave Boundary; Supporting Infrastructures (Detect & Respond, KMI/PKI)
- Executive Summaries, Protection Profiles
- DITSCAP; NIAP
- Certification and Accreditation process: Testing, Evaluation, Certification
Slide 14: How It's Organized
- Central Change: Alignment with Defense-In-Depth
- NSF Chapter 5 "Security Solutions Framework"
[Diagram; labels:]
- Successful Mission Execution
- Information Assurance
- Defense In Depth Strategy: People; Technology; Operations
- Defend the Network & Infrastructure; Defend the Enclave Boundary; Defend the Computing Environment; Supporting Infrastructures (Detect & Respond, KMI/PKI)
- IATF: Chapter 5, Chapter 6, Chapter 7, Chapter 8
Slide 15: Today's Framework Elements
Information Assurance Technical Framework (IATF)
(IATF Release 2.0, Figure 1-2, Composition of the IATF)
- User Situation & Need for Information Assurance Solution
- Main Body: Information Assurance Tutorial & General Guidance
- Executive Summaries: Concise, Definitive Security Requirements For Specific Cases
  - Executive Summary for ______
- Protection Profiles: Formal Common Criteria Documents for Defining Testable Requirements
  - Protection Profile for ______
  - Protection Profile for ______
  - Protection Profile for ______
- The "Archive"
- Appendix F: Case Specific Guidance (otherwise known as "executive summaries")
- Appendix G: Protection Profiles
Slide 16: IATF: Information Assurance Technical Framework Forum
http://www.iatf.net/protection_profiles/profiles.cfm
Slide 17: IATF: Information Assurance Technical Framework Forum
Slide 18: Three Kinds of Protection Profiles
- DoD (COTS) Acquisition Protection Profiles
  - Developed To Become Binding Procurement Guidance for DoD
  - Must Be Achievable with Today's Technology
  - May Be Accompanied by Additional Specification Data
  - Will Be Coordinated DoD-Wide by OSD
  - Ultimately "Owned" by OASD(C3I)
- Technology Goal Protection Profiles
  - Developed To Influence Development of New Technology
  - Focused on Future Needs or Implementations
  - "Owned" by NSA
- Specific Need Protection Profiles
  - Developed In Response to a Customer's Specific Need
  - Subject to Customer Approval
  - "Owned" by the Customer
Slide 19: Common Criteria Protection Profile
- Common Criteria Protection Profile (CC PP): an implementation-independent statement of security requirements that is shown to address threats that exist in a specified environment
- A PP is appropriate when:
  - A consumer group wishes to specify security requirements for an application type (e.g., electronic funds transfer)
  - A government wishes to specify security requirements for a class of security products (e.g., firewalls)
  - An organization wishes to purchase an IT system to address its security requirements (e.g., patient records for a hospital)
Slide 20: Contents of a Protection Profile
- PP Introduction
  - PP Identification
  - PP Overview
- Target of Evaluation (TOE)
- TOE Security Environment
  - Assumptions
  - Threats
  - Organizational security policies
- Security Objectives
  - Security objectives for the TOE
  - Security objectives for the environment
- IT Security Requirements
  - TOE Security Requirements
    - Security functional req.
    - Security assurance req.
  - Sec. reqs. for IT environment
- PP Application Notes
- Rationales
  - Security objectives rationale
  - Security requirements rationale
Slide 21: What is in a PP
- Security Environment Defined
  - The TOE will be used in environments in which no higher than sensitive but unclassified information is processed, or the sensitivity level of information in both the internal and external networks is the same.
  - Compliant firewalls provide access control policies, extensive auditing and a low level of assurance.
- Secure Usage Assumptions
  - Connectivity Assumptions: single entry point
  - Physical Assumptions: control of physical access
  - Personnel Assumptions: trustworthy administrator
Slide 22: What is in a PP
- Organizational Security Policies
- Threats to Security
  - Threats Addressed by the TOE
    - An unauthorized person may gain logical access to the TOE
    - Lack of audit trail
    - Undetected penetration attempts
  - Threats to be Addressed by Operating Environment
    - Hostile system administrator
    - Sophisticated attacks on higher-level protocols
- Security Objectives
- Functional Security Requirements and Assurance
Slide 23: The CC Toolbox
- Information Assurance "TurboTax" design tool for:
  - Architects
  - System Engineers
  - Requirements Activities
- Focused on:
  - Application of the CC
  - Describing Security Features
  - Specifying Security Requirements
  - Drafting STs and PPs
http://cctoolbox.sparta.com
Slide 24: Registered Protection Profiles
Sets of registered Protection Profiles exist at the following locations:
- http://www.radium.ncsc.mil/tpep/protection_profiles/index.html
- http://www.cesg.gov.uk/cchtml/ippr/list_by_type.html
- http://csrc.nist.gov/cc/pp/pplist.htm (currently being updated, so I couldn't look through the list to check whether it includes what we are trying to propose)
- http://www.scssi.gouv.fr/display/si/ccsti/pp.html
Slide 25: References
- [NIST, 2003] "Common Criteria for IT Security Evaluation: Common Language to Express Common Needs", Computer Security Resource Center (CSRC), National Institute of Standards and Technology, created 12 November 2002, last updated 19 May 2003, http://csrc.nist.gov/cc/
- "Common Criteria for Information Technology Security Evaluation, User Guide", CESG, UK and NIST, USA, Syntegra, October 2999.
- [Towns and Britton, 1999] Towns, M. and K. Britton. Protection Profile Development Workshop: Student Handbook, Ver. 2.0, NIAP/NIST, 2000.
- [Grainger 2000] Granger, G. Common Criteria Tools, Mitretek Systems, May 25, 2000.