
Sustainable Broadband Communications: International Perspective – Common Criteria

Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on Sustainable Rural Communications” (Bangalore, India, 17-18 December 2012). Sustainable Broadband Communications: International Perspective – Common Criteria. David Martin,



Presentation Transcript


  1. Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on Sustainable Rural Communications”(Bangalore, India, 17-18 December 2012) Sustainable Broadband Communications: International Perspective – Common Criteria David Martin, Head of International Assurance, Common Criteria Scheme Director, CESG, UK, david.martin@cesg.gsi.gov.uk

  2. David Martin
     • Involved in Information Assurance Standards for many years
     • Chair of International Common Criteria Development Board
     • Scheme Director for the UK Common Criteria Scheme (operated by UK government)
     • Representing UK Scheme - reporting on new CC vision statement

  3. Common Criteria - Background
     • Standards for Assurance of IT Product Security
     • 26 Nations (more to come)
     • 16 Nations evaluate/certify products
     • Also an ISO standard (15408 and 18045)
     • Run by a Management Committee (with an executive to support) and a Development Board

  4. Common Criteria – The Value
     • Manufacturers do not have to evaluate products in multiple places.
     • Evaluation is very expensive in time and money
     • Good cyber defence (and sustainable telecom) needs many more products evaluated
     • All nations agree and procure to the common standard
     • Industry involvement (CCUF)

  5. Common Criteria – New Vision – Rationale -1
     • CC usage has been little changed for more than 12 years
     • A number of nations found that:-
       • The focus on ‘assurance level (EAL)’ was damaging product security
       • Not enough products are evaluated - Cyber defence needs many more
       • Expertise is applied in the wrong place, inconsistently, and without wide peer review.

  6. Common Criteria – New Vision – Rationale -2
     • Smartcard Community has developed a very effective way of using CC
     • Work has taken place to support a similar approach for general IT products
     • Resulting in the CCMC (Management Committee) vision statement – published in September 2012

  7. For more information
     Common Criteria Portal: www.commoncriteriaportal.org
     • The vision statement links from the front page
     • Other links show the products, schemes, operating documents etc.
     • Also see CCUF at www.ccusersforum.org

  8. Existing Approach

  9. New Approach

  10. Technical Communities

  11. Much quicker and more effective [chart; axis label: Time]

  12. Meeting virtually

  13. Bespoke design/evaluation

  14. Better to have known standards

  15. Other Important developments
     • Common view on cryptography
     • Security Configuration Automation
     • Strong Linkage to Vulnerability/Weakness reporting
     • Supply Chain working group
     • Consistent Government Procurement (and other major users) – addressing what ‘recognition’ really means

  16. Common support for procurement

  17. Procurement Links
     • Provide developers with larger market
     • Lower cost and better products
     • Recognise there may be additional national needs
       • These are likely to be <5% of market
     • Major requirement is common and delivered by evaluation anywhere

  18. Common Criteria – New Vision – Summary
     • More assurance than a simple ‘EAL approach’
     • Uses worldwide expertise, instead of relying on single ‘expert’
     • Open, Transparent, Repeatable – as befitting an International Standard
     • Step change in volume – better for cyberdefence
     • Lowers procurement costs

  19. Further detail
     • First International Technical Community about to launch – based on USB storage device
     • Many more to follow next year
     • Already many TCs exist (mostly US based)

  20. Example TC Areas
     • Networking (NDPP, Firewalls, VPNs, etc)
     • Storage (USB, Hard disks, etc)
     • Applications on Operating systems
     • Mobile telecoms (VOIP, SIP, MDM, etc)
     • Multifunction devices (printers etc.)

  21. Process to form an iTC
     • Not yet fully defined but likely to be:-
       • Work with national bodies to formulate an ESR (Essential Security Requirements)
       • Obtain commitment
       • Start iTC – using CCUF etc.
       • Publish cPP (and supporting documents)
       • Continual update

  22. Outline Process & Detail Notes (1)
     [Flowchart; swimlanes: CCUF, CCMC, CCDB portal, CCDB Work Group. Steps shown, in the order they appear: Request iTC formation; Solicit iTC members; Establish levels of commitment & Committed Nations; Initiate iTC; Define Workplan; Create ESR; Draft ToRs; Define ToRs; Agree initial iTC Chair & hold initial meeting; Elect Chair; iTC entry; Define infrastructure.]

  23. Outline Process & Detail Notes (2)
     Levels of commitment:
     • Intention to Adopt – Mandated
     • Intention to Adopt – Recommended
     • Uncommitted
     • Opposed
     Only those with an Intention to Adopt can vote on ESR contents. Intention to Adopt is refreshed every 6 months (by CCDB) as part of monitoring progress. Levels may change, but reducing commitment requires a rationale.

  24. GISFI Applicability
     • 3GPP discussion – potential development of cPPs
     • Could extend to system approaches
     • Key is to have the real technical expertise setting the standards
     • CCRA maintains the fairness, the reliability/reputation, and the worldwide recognition for vendors
     • 3GPP sets the technical standards

  25. Conclusions and Recommendations
     • This time of change for CCRA is a good time to get involved!
     • Look at www.commoncriteriaportal.org
     • Join CCUF (no cost) www.ccusersforum.org
     • Great opportunity for 3GPP to use CCRA for its needs (become an international Technical Community)
     • Liaison request from GISFI
