Security is a major concern for companies, which are quickly becoming aware of it but often still do not know how to handle it adequately. The Common Criteria approach was recently presented during a discussion group organised at CETIC.
Information security has become a critical aspect in the life of many companies, from multinationals to SMEs. Failure to address it adequately can have very damaging consequences for the company: data unavailability can freeze the organisation, crucial information can be stolen and sold to competitors, etc.
In an ever more connected world, ever more exposed to malicious users, many companies have had that painful experience before becoming aware of the importance of managing security. This starts with correctly specifying what to protect, against which threats, and in which environment.
Over the years, a number of approaches were developed separately and finally converged into the "Common Criteria" (CC for short), a method to precisely analyse the security requirements of a product and to evaluate its level of assurance, on a scale from 1 to 8 that is proportional to the effort and techniques used. The resulting process, illustrated in the following figure, is a typical requirements engineering process: an analysis of the environment, the definition of high-level objectives to address the potential threats, and their refinement into concrete requirements. Certification requires strong rationales to be provided between those artifacts.
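To make that chain of artifacts concrete, here is an added example (not code from CETIC or from the workshop) that models a Security Target's threats, assumptions, objectives and functional requirements, and checks the rationale between them the way an evaluator would. The e-money threats and objectives are constructed; the requirement identifiers are Common Criteria Part 2 component names.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityTarget:
    """The CC artifacts a Security Target chains together (constructed model)."""
    threats: set[str]
    assumptions: set[str]      # facts about the operational environment
    objectives: set[str]       # O.* for the product, OE.* for its environment
    requirements: set[str]     # security functional requirements (SFRs)
    counters: dict[str, set[str]] = field(default_factory=dict)   # threat/assumption -> objectives
    satisfies: dict[str, set[str]] = field(default_factory=dict)  # objective -> SFRs

def check_rationale(st: SecurityTarget) -> dict[str, list[str]]:
    """Flag what an evaluator would reject in the rationale tables:
    an uncovered threat or assumption, a product objective not met by any SFR,
    or a mapping that points at an artifact the target never defines."""
    gaps: dict[str, list[str]] = {"uncovered": [], "unmet_objectives": [], "dangling": []}
    for item in sorted(st.threats | st.assumptions):
        if not (st.counters.get(item, set()) & st.objectives):
            gaps["uncovered"].append(item)
    for obj in sorted(st.objectives):
        # OE.* objectives are upheld by the environment, not by SFRs of the product
        if not obj.startswith("OE.") and not (st.satisfies.get(obj, set()) & st.requirements):
            gaps["unmet_objectives"].append(obj)
    for src, dsts in sorted(st.counters.items()):
        gaps["dangling"] += [f"{src} -> {d}" for d in sorted(dsts) if d not in st.objectives]
    for obj, sfrs in sorted(st.satisfies.items()):
        gaps["dangling"] += [f"{obj} -> {s}" for s in sorted(sfrs) if s not in st.requirements]
    return gaps

# Constructed e-money style target with three deliberate rationale gaps.
EMONEY = SecurityTarget(
    threats={"T.COUNTERFEIT", "T.REPLAY", "T.DISCLOSE"},
    assumptions={"A.TRUSTED_ADMIN"},
    objectives={"O.AUTH_VALUE", "O.FRESHNESS", "O.CONFIDENTIAL", "OE.ADMIN"},
    requirements={"FCS_COP.1", "FPT_RPL.1"},
    counters={"T.COUNTERFEIT": {"O.AUTH_VALUE"}, "T.DISCLOSE": {"O.CONFIDENTIAL"},
              "A.TRUSTED_ADMIN": {"OE.ADMIN"}},
    satisfies={"O.AUTH_VALUE": {"FCS_COP.1"}, "O.FRESHNESS": {"FPT_RPL.1"},
               "O.CONFIDENTIAL": {"FDP_UCT.1"}},
)

if __name__ == "__main__":
    for kind, items in check_rationale(EMONEY).items():
        print(f"{kind}: {items or 'none'}")
```

Run as a script it reports the replay threat that no objective counters, the confidentiality objective that no declared SFR meets, and the mapping to an SFR the target forgot to declare.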
Despite their qualities, the Common Criteria are often ignored or perceived as restricted to the certification of very specific systems (such as smartcards) by specialised bodies, and as reserved to big companies. To address this, a workshop was organised last June and attracted several industrial participants from both the public and the private sector. After a short presentation of the CC by Eric Gheur, a specialist in international standards, the tone was definitely practical: the effective deployment of the CC was illustrated on several examples, including some issues related to a certified Linux distribution by Mandriva.
The discussion was very active, with many participants sharing their problems, concerns and experiences. The main lesson learned by the participants is that they can reuse useful documents such as the "Protection Profile", and that they can adapt the approach to the assurance level that fits the criticality of their system and their resources. It is also possible to apply only part of the process, as done in the Electronic Money System Security Objectives: based on a comprehensive risk analysis for e-money systems, this document develops a list of security objectives that should be fulfilled in order to cover these risks and threats in a given environment.
As security is a vertical concern involving all system levels, from hardware to middleware to software applications, CETIC has adopted an interdisciplinary approach relying on three main axes: software quality, distributed systems and electronic systems. It also shares expertise with Belgian universities and international partners, especially within European research projects.
Building on its strong expertise in requirements engineering for critical systems, CETIC is currently working on the specification of domain-specific protection profiles and on the development of adapted tool support to ease the use of the Common Criteria. Domains such as the GRID and ambient intelligence are being investigated.
Christophe Ponsard, CETIC