Title Slide EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS Ravi Sandhu George Mason University Fairfax, Virginia USA.

Presentation transcript:

Title Slide EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS Ravi Sandhu George Mason University Fairfax, Virginia USA

2 SECURITY OBJECTIVES
- SECRECY (CONFIDENTIALITY)
- INTEGRITY
- AVAILABILITY (DENIAL OF SERVICE)

3 SECURITY TECHNIQUES
- Prevention: access control
- Detection: auditing
- Tolerance: practicality
Good prevention and detection both require good authentication as a foundation.

4 SECURITY TRADEOFFS
SECURITY; FUNCTIONALITY; EASE OF USE; COST

5 ACHIEVING SECURITY
- Policy: what?
- Mechanism: how?
- Assurance: how well?

6 EVALUATION CRITERIA Policy Assurance SECURITY TARGET Mechanism PRODUCT ??

7 CRITERIA DATES
[Timeline figure] USA Orange Book; Canadian CTCPEC 1.0, 2.0, 3.0; UK, Germany, France; European Community ITSEC 1.0, 1.2; US Federal Criteria 1.0; Common Criteria

8 CRITERIA RELATIONSHIPS
[Diagram] USA Orange Book; UK, Germany, France, Canada; European Community ITSEC; Federal Criteria (DRAFT); Common Criteria (PROPOSED)

9 COMMON CRITERIA & PRODUCT EVALUATION
DRIVING FACTORS:
- INTERNATIONAL COMPUTER MARKET TRENDS
- MUTUAL RECOGNITION OF EVALUATIONS
- COMPATIBILITY WITH EXISTING CRITERIA
- SYSTEM SECURITY CHALLENGES OF THE 90'S

10 ORANGE BOOK
[Diagram] USA Orange Book; UK, Germany, France, Canada; European Community ITSEC; Federal Criteria (DRAFT); Common Criteria (PROPOSED)

11 ORANGE BOOK CLASSES
- A1: Verified Design
- B3: Security Domains
- B2: Structured Protection
- B1: Labeled Security Protection
- C2: Controlled Access Protection
- C1: Discretionary Security Protection
- D: Minimal Protection
(scale runs from NO SECURITY to HIGH SECURITY)

12 ORANGE BOOK CLASSES: UNOFFICIAL VIEW
- C1, C2: Simple enhancement of existing systems. No breakage of applications.
- B1: Relatively simple enhancement of existing systems. Will break some applications.
- B2: Relatively major enhancement of existing systems. Will break many applications.
- B3: Failed A1
- A1: Top down design and implementation of a new system from scratch

13 ORANGE BOOK CRITERIA
- SECURITY POLICY
- ACCOUNTABILITY
- ASSURANCE
- DOCUMENTATION

14 SECURITY POLICY
Classes: C1 C2 B1 B2 B3 A1
- Discretionary Access Control: ++ +
- Object Reuse: +
- Labels: ++
- Label Integrity: +
- Exportation of Labeled Information: +
- Labeling Human-Readable Output: +
- Mandatory Access Control: ++
- Subject Sensitivity Labels: +
- Device Labels: +
+ = added requirement

15 ACCOUNTABILITY
Classes: C1 C2 B1 B2 B3 A1
- Identification and Authentication: +++
- Audit: ++++
- Trusted Path: ++
+ = added requirement

16 ASSURANCE
Classes: C1 C2 B1 B2 B3 A1
- System Architecture: +++++
- System Integrity: +
- Security Testing
- Design Specification and Verification: ++++
- Covert Channel Analysis: +++
- Trusted Facility Management: ++
- Configuration Management: + +
- Trusted Recovery: +
- Trusted Distribution: +
+ = added requirement

17 DOCUMENTATION
Classes: C1 C2 B1 B2 B3 A1
- Security Features User's Guide: +
- Trusted Facility Manual: +++++
- Test Documentation: + + +
- Design Documentation: ++++
+ = added requirement

18 ORANGE BOOK CRITICISMS
- Does not address integrity or availability
- Combines policy and assurance in a single linear rating scale
- Mixes policy and mechanism
- Mixes policy and assurance

19 POLICY VS ASSURANCE
[Figure: Orange Book classes C1, C2, B1, B2, B3, A1 plotted on axes of policy and assurance]

20 EUROPEAN ITSEC
[Diagram] USA Orange Book; UK, Germany, France, Canada; European Community ITSEC; Federal Criteria (DRAFT); Common Criteria (PROPOSED)

21 POLICY ASSURANCE UNBUNDLING
EVALUATION
- POLICY or FUNCTIONALITY
- ASSURANCE
  - EFFECTIVENESS
  - CORRECTNESS

22 POLICY IN ITSEC
- Open ended
- Orange Book classes are grand-fathered in
- Some new classes are identified

23 ORANGE BOOK POLICY GRAND-FATHERING
ITSEC    ORANGE BOOK
F-C1     C1
F-C2     C2
F-B1     B1
F-B2     B2
F-B3     B3

24 ITSEC NEW POLICIES
ITSEC    OBJECTIVE
F-IN     High Integrity Requirements
F-AV     High Availability Requirements
F-DI     High Data Integrity during Data Exchange
F-DC     High Data Confidentiality during Data Exchange
F-DX     Networks with High Confidentiality and Integrity
Others can be defined as needed.

25 ASSURANCE: EFFECTIVENESS
CONSTRUCTION
- Suitability Analysis
- Binding Analysis
- Strength of Mechanism Analysis
- List of Known Vulnerabilities in Construction
OPERATION
- Ease of Use Analysis
- List of Known Vulnerabilities in Operational Use

26 ASSURANCE: CORRECTNESS
ITSEC    ORANGE BOOK (very roughly)
E0       D
E1       C1
E2       C2
E3       B1
E4       B2
E5       B3
E6       A1

27 US DRAFT FEDERAL CRITERIA
[Diagram] USA Orange Book; UK, Germany, France, Canada; European Community ITSEC; Common Criteria (PROPOSED); Federal Criteria (DRAFT)

28 INFLUENCES ON FEDERAL CRITERIA
[Diagram: influences on the Federal Criteria for IT Security]
- NIST/NSA Joint Work
- Commercial & Independent Initiatives
- NIST's IT Security Requirements Study
- Integrity Research
- NRC Report "GSSP"
- Minimum Security Functionality Requirements (MSFR)
- EC ITSEC
- Canada TPEP
- Orange Book
- Advances in Technology

29 ITSEC EVALUATION Policy Assurance SECURITY TARGET Mechanism PRODUCT ??

30 FEDERAL CRITERIA EVALUATION Policy Assurance SECURITY TARGET Mechanism PRODUCT ?? Policy Assurance PROTECTION PROFILE ?? Vendor Supplied Customer Supplied

31 PROTECTION PROFILE STRUCTURE
PROTECTION PROFILE
- Descriptive Elements Section
- Product Rationale Section
- Development Assurance Requirements Section
- Functional Requirements Section
- Evaluation Assurance Requirements Section

32 FROM PROFILE TO PRODUCT
[Diagram: Protection Profile; Registry of Protection Profiles (PP1, PP2, ... PPn); PPA; Security Target (ST); Evaluation 1, Evaluation 2, Evaluation 3; Product 1 ... Product n]
PPA = Protection Profile Analysis

33 TOWARDS A COMMON CRITERIA
[Diagram] USA Orange Book; UK, Germany, France, Canada; Common Criteria (PROPOSED); Federal Criteria (DRAFT); European Community ITSEC

34 COMMON CRITERIA PLAN
[Diagram: Canada CTCPEC 3.0; ITSEC 1.2; FedCrit 1.0; Orange Book Usage; EC-NA Alignment; CC Editorial Board; Joint Technical Groups; Usage & Reviews; Public Comment; ISO SC27 WG3; Common Criteria]
1994: initial target
1996: more likely

35 CHALLENGES THAT REMAIN
- Complexities of the open distributed computing and management environments (including use of crypto in conjunction with COMPUSEC)
- Systems and composability problems
- Trusted applications development and evaluation methods, including high integrity and high availability systems
- Guidance on using IT security capabilities cost effectively in commercial environments
- Speedy but meaningful product and system evaluations, and evaluation rating maintenance