Sustainable Broadband Communications: International Perspective – Common Criteria
Transcript of Sustainable Broadband Communications: International Perspective – Common Criteria
Bangalore, India ,17-18 December 2012
Sustainable Broadband Communications: International Perspective – Common Criteria
David Martin,Head of International Assurance,
Common Criteria Scheme Director, CESG, UK,
Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on
Sustainable Rural Communications”
(Bangalore, India, 17-18 December 2012)
David Martin
- Involved in Information Assurance standards for many years
- Chair of the International Common Criteria Development Board
- Scheme Director for the UK Common Criteria Scheme (operated by UK government)
- Representing the UK Scheme, reporting on the new CC vision statement
Common Criteria - Background
- Standards for assurance of IT product security
- 26 nations (more to come); 16 nations evaluate/certify products
- Also an ISO standard (ISO/IEC 15408 and 18045)
- Run by a Management Committee (with an executive to support it) and a Development Board
Common Criteria – The Value
- Manufacturers do not have to evaluate products in multiple places; evaluation is very expensive in time and money
- Good cyber defence (and sustainable telecom) needs many more products evaluated
- All nations agree and procure to the common standard
- Industry involvement (CCUF)
Common Criteria – New Vision – Rationale -1
CC usage has changed little in more than 12 years. A number of nations found that:
- The focus on 'assurance level (EAL)' was damaging product security
- Not enough products are evaluated; cyber defence needs many more
- Expertise is applied in the wrong place, inconsistently, and without wide peer review
Common Criteria – New Vision – Rationale -2
- The smartcard community has developed a very effective way of using CC
- Work has taken place to support a similar approach for general IT products
- Resulting in the CCMC (Management Committee) vision statement, published in September 2012
For more information
- Common Criteria Portal: www.commoncriteriaportal.org
- The vision statement links from the front page; other links show the products, schemes, operating documents etc.
- Also see CCUF at www.ccusersforum.org
Existing Approach
New Approach
Technical Communities
Much quicker and more effective
(chart on slide: horizontal axis "Time")
Meeting virtually
Bespoke design/evaluation
Better to have known standards
Other Important developments
- Common view on cryptography
- Security configuration automation
- Strong linkage to vulnerability/weakness reporting
- Supply chain working group
- Consistent government procurement (and other major users), addressing what 'recognition' really means
Common support for procurement
Procurement Links
- Provide developers with a larger market
- Lower cost and better products
- Recognise that there may be additional national needs; these are likely to be <5% of the market
- The major requirement is common and delivered by evaluation anywhere
Common Criteria – New Vision – Summary
- More assurance than a simple 'EAL approach'
- Uses worldwide expertise instead of relying on a single 'expert'
- Open, transparent, repeatable, as befits an international standard
- Step change in volume; better for cyber defence
- Lowers procurement costs
Further detail
- First international Technical Community about to launch, based on USB storage devices
- Many more to follow next year
- Already many TCs exist (mostly US based)
Example TC Areas
- Networking (NDPP, firewalls, VPNs, etc.)
- Storage (USB, hard disks, etc.)
- Applications on operating systems
- Mobile telecoms (VoIP, SIP, MDM, etc.)
- Multifunction devices (printers etc.)
Process to form an iTC
Not yet fully defined, but likely to be:
- Work with national bodies to formulate an ESR (Essential Security Requirements)
- Obtain commitment
- Start the iTC, using CCUF etc.
- Publish the cPP (and supporting documents)
- Continual update
Outline Process & Detail Notes (1)
(process flowchart on slide; recoverable labels listed below)
Stages: Request iTC formation; Initiate iTC; Solicit iTC members
Bodies involved: CCDB; CCUF; CCMC; CCDB Work Group
Steps: Create ESR; Draft ToRs; Agree initial iTC Chair and hold initial meeting; Establish levels of commitment and committed nations; Portal iTC entry; Define workplan; Define ToRs; Elect Chair; Define infrastructure
Outline Process & Detail Notes (2)
Levels of commitment:
- Intention to Adopt – Mandated
- Intention to Adopt – Recommended
- Uncommitted
- Opposed
Only those with an Intention to Adopt can vote on ESR contents. Intention to Adopt is refreshed every 6 months (by CCDB) as part of monitoring progress. Levels may change, but reducing commitment requires a rationale.
GISFI Applicability
- 3GPP discussion: potential development of cPPs
- Could extend to system approaches
- Key is to have the real technical expertise setting the standards
- CCRA maintains the fairness, the reliability/reputation, and the worldwide recognition for vendors; 3GPP sets the technical standards
Conclusions and Recommendations
- This time of change for CCRA is a good time to get involved!
- Look at www.commoncriteriaportal.org
- Join CCUF (no cost): www.ccusersforum.org
- Great opportunity for 3GPP to use CCRA for its needs (become an international Technical Community)
- Liaison request from GISFI