Building an Assurance Foundation for 21 st Century Information Systems and Networks

Transcription

1 Building an Assurance Foundation for 21 st Century Information Systems and Networks The Role of IT Security Standards, Metrics, and Assessment Programs Dr. Ron Ross National Information Assurance Partnership 1

2 National Information Assurance Partnership 2 Agenda Introduction NIAP Mission and Functions Common Criteria Project Mutual Recognition Arrangement IT Systems and Networks Summary and Conclusions

3 National Information Assurance Partnership 3 Today s Climate Rapidly changing information technologies and compressed technology life cycles Growing complexity of IT products and systems Increasing connectivity among systems Dependence on commercial off-the-shelf IT products and systems Need for greater assurance in critical information infrastructures (both public and private sector)

4 National Information Assurance Partnership 4 Today s Challenge Consumers have access to an increasing number of security-enhanced IT products with different capabilities and limitations Consumers must decide which products provide an appropriate degree of protection for their information systems Impact: Choice of products affects the security of systems in the critical information infrastructure

5 Conceptual Life Cycle View Enterprise IT System Integrated Products Applications OS Components Network Components Design - Develop - Deploy - Operate - Maintain National Information Assurance Partnership 5

6 The Fundamentals Building more secure systems depends on the use of--- Well defined IT security requirements and security specifications - describing what types of security features we want Quality security metrics and appropriate testing, evaluation, and assessment procedures - providing assurance we received what we asked for National Information Assurance Partnership 6

7 National Information Assurance Partnership 7 What Is Needed? Producers of IT products need to have a better understanding of consumer s information security requirements Consumers of IT products, systems, and networks need to have better ways to: specify desired security features and assurances assess the security claims made by producers

8 National Information Assurance Partnership Part I National Information Assurance Partnership 8

9 Introducing NIAP The National Information Assurance Partnership (NIAP) is a U.S. Government initiative designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under the Computer Security Act of 1987 National Information Assurance Partnership 9

10 The Partnership Combines the extensive security experience of both agencies to promote the development of technically sound security requirements for IT products and systems and appropriate metrics for evaluating those products and systems The long-term goal of NIAP is to help increase the level of trust consumers have in their information systems and networks through the use of costeffective security testing, evaluation, and assessment programs National Information Assurance Partnership 10

11 National Information Assurance Partnership 11 Partnership Objectives Foster development of IT security requirements, test methods, tools, techniques, and assurance metrics Champion the development and use of national and international standards for IT security Promote the development and use of evaluated IT products and systems Facilitate the development and growth of a commercial IT security testing industry within the U.S. Support a framework for international recognition and acceptance of IT security evaluation results

12 Program Areas Security Requirements Definition and Specification How do we tell product and systems developers what types of IT security we want? Product and System Security Testing, Evaluation, and Assessment How do we know if developers produced what we asked for? Information Assurance Research How can we improve the ways we achieve assurance in our products and systems? National Information Assurance Partnership 12

13 National Information Assurance Partnership 13 Activities and Services Operate the Common Criteria Evaluation and Validation Scheme (CCEVS SM ) for IT Security Issue Common Criteria certificates for IT products that have been successfully evaluated and validated Support the international Common Criteria Recognition Arrangement for IT security evaluations Maintain list of approved testing laboratories, validated products, and test methods Provide state-of-the-art automated tools and information sources for security requirements definition and testing

14 National Information Assurance Partnership 14 Activities and Services Promote government and industry forums for the development of IT security requirements and specifications Support information systems security testing, evaluation and assessment programs Provide a state-of-the-art, web-based repository of security requirements and testing information Sponsor IT security classes, conferences, and workshops for product developers, testing laboratories and consumers Collaborate with industry in the development of advanced tools, techniques, and methods for security testing

15 Current Projects Common Criteria Evaluation and Validation Scheme System Certification and Accreditation Research Cryptographic Module Protection Profile Development Healthcare Security Forum Smart Card Security Project Common Criteria Toolbox TM Forum Automated Security Testing INFOSEC Assessment Program Threat and Vulnerability Research (ICAT-CVE) National Information Assurance Partnership 15

16 Common Criteria Project Part II National Information Assurance Partnership 16

17 National Information Assurance Partnership 17 International Security Standards Driving Factors Common IT security requirements among nations System security challenges of the past decades International electronic commerce and e-business Global marketplace for high technology industries Continuing evolution and adaptation of national IT security standards resulting in a larger world view.

18 Objectives Develop a single international IT product and system security criteria, or common criteria Adopt the common criteria as an international IT security standard under ISO Promote international recognition of IT product security evaluations Create a level international playing field for product and system developers Facilitate greater world-wide availability of security-capable IT products National Information Assurance Partnership 18

19 An Evolutionary Process Two decades of research and development US-DOD TCSEC US-NIST MSFR 1990 Federal Criteria 1992 Common Criteria European National/Regional Initiatives Europe ITSEC 1991 Canadian Initiatives Canada TCPEC 1993 ISO Common Criteria 1999 National Information Assurance Partnership 19

20 The International Standard ISO/IEC What the standard is Common structure and language for expressing product/system IT security requirements (Part 1) Catalog of standardized IT security requirement components and packages (Parts 2 and 3) How the standard is used Develop protection profiles and security targets -- specific IT security requirements and specifications for products and systems Evaluate products and systems against known and understood IT security requirements National Information Assurance Partnership 20

21 Beneficiaries of the Standard Consumer Consortia (Users Groups) Use ISO/IEC to build protection profiles expressing their needs Work with developers to build matching IT products and systems Individual IT Consumers Look for protection profiles matching their security requirements -- use in procurement specifications Product and System Developers Use ISO/IEC to specify IT product and system security capabilities via security targets Product Evaluators and Certifiers Use ISO-compliant protection profiles and security targets to measure IT product and system compliance National Information Assurance Partnership 21

22 Defining Requirements ISO/IEC Standard Protection Profiles Access Control Identification Authentication Audit Cryptography Operating Systems Database Systems Firewalls Smart Cards Applications Biometrics Routers VPNs A flexible, robust catalogue of standardized IT security requirements (features and assurances) Consumer-driven security requirements in specific information technology areas National Information Assurance Partnership 22

23 Industry Responds Protection Profile Security Targets Firewall Security Requirements Security Features and Assurances CISCO Firewall Lucent Firewall Checkpoint Firewall Network Assoc. Firewall Consumer statement of IT security requirements to industry in a specific information technology area Vendor statements of security claims for their IT products National Information Assurance Partnership 23

24 Demonstrating Conformance Private sector, accredited security testing laboratories conduct evaluations Security IT Products Features and Assurances Common Criteria Testing Labs Test Reports Vendors bring IT products to independent, impartial testing facilities for security evaluation Test results submitted to NIAP for post-evaluation validation National Information Assurance Partnership 24

25 Validating Test Results Validation Body validates laboratory s test results Test Report Laboratory submits test report to Validation Body Common Criteria Validation Body Validation Report TM National Information Assurance Partnership Common Criteria Certificate NIAP issues Validation Report and Common Criteria Certificate National Information Assurance Partnership 25

26 Mutual Recognition Part III National Information Assurance Partnership 26

27 National Information Assurance Partnership 27 International Recognition of Test Results Motivating Factors Improve availability and range of choice of trusted products for consumers Reduce total cost of IT security testing and evaluation to developers Encourage formal IT security testing and evaluation

28 MRA Objectives Ensure that evaluations of IT products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles Increase the availability of evaluated, security-enhanced IT products and protection profiles for national use Eliminate or reduce duplicate evaluations of IT products and protection profiles Improve the efficiency and cost-effectiveness of security evaluations and the certification/validation process for IT products and protection profiles National Information Assurance Partnership 28

29 MRA History Interim Arrangement (October 1997) Canada, United Kingdom, United States Interim Arrangement (March 1998) Canada, France, Germany, United Kingdom, United States Full Arrangement (October 1998) Canada, France, Germany, United Kingdom, United States October 1999: Australia, New Zealand Harmonized Arrangement (May 2000) Australia, Canada, Finland, France, Germany, Greece, Italy, The Netherlands, New Zealand, Norway, Spain, United Kingdom, United States November 2000: Israel National Information Assurance Partnership 29

30 MRA Organization Management Committee Executive Subcommittee Technical Working Technical Working Technical Group Working Group Groups Technical Working Technical Working Technical Group Working Group Groups National Information Assurance Partnership 30

31 Committee Responsibilities Develop and recommend procedures for the conduct of Arrangement Group business Assess the technical compliance of new Certification Bodies Recommend revisions to the Arrangement Manage continuous monitoring activities Manage the conduct of shadow certification activities for current participants and new applicants National Information Assurance Partnership 31

32 National Information Assurance Partnership 32 Committee Responsibilities Resolve technical disagreements about the terms and application of the Arrangement Manage the promotion and development of IT security evaluation criteria and evaluation methods Manage the maintenance of historical databases for criteria and methodology interpretations and any resultant decisions that could affect future versions of either the criteria or methodology

33 IT Systems and Networks Part IV National Information Assurance Partnership 33

34 National Information Assurance Partnership 34 Extending Assurance to Systems Building more secure systems requires -- Well defined system-level IT security requirements and security specifications Well designed component IT products Sound systems security engineering practices Competent systems security engineers Appropriate metrics for product/system assessment Comprehensive system life cycle management

35 National Information Assurance Partnership 35 Common Criteria for IT Systems Protection profile construct appropriate for defining generalized, system-level IT security requirements Security target construct appropriate for characterizing security claims for specific instantiations of IT systems and networks

36 Role of Protection Profiles Generalized, Consumer Driven Security Requirements Technology Area Protection Profiles Technology Area Protection Profiles Technology Area Protection Profiles Technology Area Protection Profiles Operating Systems Database Systems Firewalls Applications Operating System PP DBMS PP Firewall PP Application PP IT System Security Requirements Enterprise Information Systems National Information Assurance Partnership 36

37 Role of Protection Profiles Generalized, Consumer Driven Security Requirements Technology Area Protection Profiles Technology Area Protection Profiles Technology Area Protection Profiles Technology Area Protection Profiles Operating Systems Database Systems Firewalls Applications Enterprise Information Systems Operating System PP DBMS PP Firewall PP Application PP Security Architectures IT System Security Requirements IT Product IT Product IT Product IT Product Variety of Vendor Driven IT Products National Information Assurance Partnership 37

38 Uses of Common Criteria Common Criteria artifacts and work products Protection profiles and security targets Product and system testing results Evaluation evidence Evaluation and validation reports Common Criteria certificates can be re-used to support-- IT system procurement and acquisition System certification and accreditation Other IT systems assessment activities Auditing and compliance requirements National Information Assurance Partnership 38

39 National Information Assurance Partnership 39 A Comprehensive Approach Linking Critical Assessment Activities Products Laboratory Environment Product PPs Validated Products Operational Environment Accreditation Authority Real World Threats and Vulnerabilities Accredited Testing Labs NIAP CCEVS CC Evaluations Products Generic Systems e System-level Protection Profile Specific IT System Products Generic Systems Technical Security Systems Generic Systems (Configuration of Products) Evidence Security Target Evaluation Report Validation Report Evaluation Work Packages Risk Management Security Policies Standards Guidelines Personnel Security Procedural Security Certification Accreditation

40 Summary Part VI National Information Assurance Partnership 40

41 Common Criteria Benefits Specification of security features and assurances based on an international standard Evaluation methodology based on an international standard---leading to comparability of test results Security testing laboratory expertise assessed by recognized national bodies; quality technical oversight provided by government experts Testing results recognized by many nations Reduced testing costs to sponsors of evaluations National Information Assurance Partnership 41

42 National Information Assurance Partnership 42 The Future Development of technology-based protection profiles Continued research into the practical application of Common Criteria to systems and networks Expansion of Recognition Arrangement to include additional nations Revision and modification of the Common Criteria and associated evaluation methodology

43 Contact Information National Information Assurance Partnership 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Director Deputy Director Technical Advisor Dr. Ron S. Ross Terry Losonsky R. Kris Britton NIST-ITL NSA-V1 NSA-V1 (301) (301) (410) World Wide Web: National Information Assurance Partnership 43