An Overview of Common Criteria Protection Profiles


Slide 1

An Overview of Common Criteria Protection Profiles. María M. Larrondo Petrie, PhD. March 26, 2004

Slide 2

Overview: Common Criteria (CC); Information Assurance (IATFF); CC Protection Profiles; Structure; Development Tools; Case Study – Role Based Access Control; References

Slide 3

Common Criteria. Common Criteria (CC) replaces the security criteria and procedures used in the (14) Common Criteria nations, with the objective that product evaluations conducted in one nation would be accepted in other nations. The US entity involved in CC is the National Information Assurance Partnership (NIAP), a partnership between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).

Slide 4

Common Criteria: What is it? Common Criteria (CC) – a catalog of criteria and a framework for organizing a subset of the criteria into a security specification. Who uses it? Developers, Product Vendors, Accreditors, Certifiers, Approvers, Consumers, Evaluators.

Slide 5

Common Criteria: Evolution of International Security Standards (timeline diagram). Orange Book (TCSEC) 1985; UK Confidence Levels 1989; German Criteria; French Criteria; ITSEC 1991; Canadian Criteria (CTCPEC) 1993; Federal Criteria (FC) Draft 1993; Common Criteria V 1.0 1996, V 2.0 1998, V 2.1 1999; ISO International Standard 15408 1999.

Slide 6

Common Criteria - Terminology. PP - Protection Profile – implementation-independent criteria. SP - Security Profile – implementation-dependent criteria. TOE – Target of Evaluation – what you are describing – your product. EAL – Evaluation Assurance Level – CC assurance levels – 7 hierarchical levels – EAL1 through EAL7 – EAL1 (least amount). CEM – Common Evaluation Method – set of steps for validating assurance requirements in an SP – only addresses levels EAL1 through EAL4.

Slide 7

CC Protection Profile (PP). High-level expression of desired security properties (i.e., security environment, security objectives and security requirements). A mechanism to give Consumers the ability to specify their security requirements. Generic, so many implementations may meet the stated requirements. PP represents "I need". (from giles.ppt)

Slide 8

CC Security Target (ST). High-level expression of claimed security properties. A mechanism to give Vendors the ability to make claims regarding their security products. Specific to an implementation. ST represents "I provide".

Slide 9

IATFF. What? A security guidance document developed by NSA's ISSO organization with support from security advocates in government and industry. Constraints? Unclassified; published on the Internet. Primary coordination forum? Information Assurance Technical Framework Forum (IATFF).

Slide 10

IATF. Help government users become smarter consumers when implementing security solutions. Assist industry in understanding the government's needs and the nature of the desired solutions to these needs. Focus government and industry investment resources on the security technology gaps.

Slide 11

How does the Framework help Government Users? By describing their needs to the industry providers. By "recommending" the essential characteristics of security solutions for different classes of problems. By providing an assessment of the security technology available on the open market.

Slide 12

Security Methodology (diagram labels): Security Countermeasures; Non Technical; Mission Needs; National/Service/Agency Policies, Regulations, Standards; Adversaries, Motivations, and Attacks; Organizational Security Policy; Risk Assessment; Certification and Accreditation; Life-Cycle Security Management

Slide 13

Flow from Policy to Specification (diagram labels): National Policy (NSTISSIC, NSTISSAM); GIG Policy; Intel Comm. DCID 6/3; GIG IA Policy & Implementation Guidance; GIG Architecture (Services, Protocols, etc.); People, Technology, Operations; Information Assurance Technical Framework: Defend the Computing Environment, Defend the Network & Infrastructure, Defend the Enclave Boundary, Supporting Infrastructures (Detect & Respond, KMI/PKI); Executive Summaries, Protection Profiles; DITSCAP; NIAP; Certification and Accreditation process: Testing, Evaluation, Certification

Slide 14

How It's Organized. Central Change: Alignment with Defense-In-Depth. Diagram labels: Information Assurance Defense In Depth Strategy; Successful Mission Execution; People, Technology, Operations; Supporting Infrastructures; Defend the Enclave Boundary; Defend the Computing Environment; Defend the Network & Infrastructure; Detect & Respond; KMI/PKI. IATF: Chapter 5, Chapter 6, Chapter 7, Chapter 8. NSF Chapter 5 "Security Solutions Framework".

Slide 15

Today's Framework Elements (IATF Release 2.0, Figure 1-2, Composition of the IATF). Information Assurance Technical Framework (IATF). Main Body: User Situation & Need for Information Assurance Solution; Information Assurance Tutorial & General Guidance. Executive Summaries: Concise, Definitive Security Requirements For Specific Cases. Protection Profiles: Formal Common Criteria Documents for Defining Testable Requirements. The "Archive": Executive Summary for ______; Protection Profile for ______; Appendix F: Case Specific Guidance (also known as "executive summaries"); Appendix G: Protection Profiles.

Slide 16

IATF: Information Assurance Technical Framework Forum http://www.iatf.net/protection_profiles/profiles.cfm

Slide 17

IATF: Information Assurance Technical Framework Forum

Slide 18

Three Kinds of Protection Profiles. DoD (COTS) Acquisition Protection Profiles: developed to become binding procurement guidance for DoD; must be achievable with today's technology; may be accompanied by additional specification data; will be coordinated DoD-wide by OSD; ultimately "owned" by OASD(C3I). Technology Goal Protection Profiles: developed to influence development of new technology; focused on future needs or implementations; "owned" by NSA. Specific Need Protection Profiles: developed in response to a customer's specific need; subject to customer approval; "owned" by the customer.

Slide 19

Common Criteria Protection Profile. Common Criteria Protection Profile (CC PP) – an implementation-independent statement of security requirements that is shown to address threats that exist in a specified environment. A PP is appropriate when: a consumer group wishes to specify security requirements for an application type (e.g., electronic funds transfer); a government wishes to specify security requirements for a class of security products (e.g., firewalls); an organization wishes to purchase an IT system to address its security requirements (e.g., patient records for a hospital).

Slide 20

Contents of a Protection Profile. PP Introduction: PP Identification; PP Overview. Target of Evaluation (TOE). TOE Security Environment: Assumptions; Threats; Organizational security policies. Security Objectives: Security objectives for the TOE; Security objectives for the environment. IT Security Requirements: TOE Security Requirements (Security functional req.; Security assurance req.); Sec. reqs. for IT environment. PP Application Notes. Rationales: Security objectives rationale; Security requirements rationale.

Slide 21

What is in a PP. Security Environment Defined: The TOE will be used in environments in which no higher than sensitive but unclassified information is processed, or the sensitivity level of information in both the internal and external networks is the same. Compliant firewalls provide access control policies, extensive auditing and a low level of assurance. Secure Usage Assumptions: Connectivity Assumptions – single entry point; Physical Assumptions – control of physical access; Personnel Assumptions – trustworthy administrator.

Slide 22

What is in a PP. Organizational Security Policies. Threats to Security. Threats Addressed by the TOE: an unauthorized person may gain logical access to the TOE; lack of audit trail; undetected penetration attempts. Threats to be Addressed by Operating Environment: hostile system administrator; sophisticated attacks on higher-level protocols. Security Objectives. Functional Security Requirements and Assurance.

Slide 23

The CC Toolbox. Information Assurance "TurboTax" design tool for: Architects; System Engineers; Requirements Activities. Focused on: Application of the CC; Describing Security Features; Specifying Security Requirements; Drafting STs and PPs. http://cctoolbox.sparta.com

Slide 24

Registered Protection Profiles. Sets of registered Protection Profiles exist at the following locations: http://www.radium.ncsc.mil/tpep/protection_profiles/index.html ; http://www.cesg.gov.uk/cchtml/ippr/list_by_type.html ; http://csrc.nist.gov/cc/pp/pplist.htm – (currently being updated, so I couldn't look up the list to check whether it includes what we are trying to propose) ; http://www.scssi.gouv.fr/display/si/ccsti/pp.html

Slide 25

References. [NIST, 2003] "Common Criteria for IT Security Evaluation: Common Language to Express Common Needs", Computer Security Resource Center (CSRC), National Institute of Standards and Technology, created 12 November 2002, last updated 19 May 2003, http://csrc.nist.gov/cc/ "Common Criteria for Information Technology Security Evaluation, User Guide", CESG, UK and NIST, USA, Syntegra, October 2999. [Towns and Britton, 1999] Towns, M. and K. Britton. Protection Profile Development Workshop: Student Handbook, Ver. 2.0, NIAP/NIST, 2000. [Grainger 2000] Granger, G. Common Criteria Tools, Mitretek Systems, May 25, 2000.