Bangalore, India, 17-18 December 2012
Sustainable Broadband Communications: International Perspective – Common Criteria
David Martin, Head of International Assurance,
Common Criteria Scheme Director, CESG, UK,
Joint ITU-GISFI Workshop on “Bridging the Standardization Gap: Workshop on
Sustainable Rural Communications” (Bangalore, India, 17-18 December 2012)
David Martin
- Involved in Information Assurance Standards for many years
- Chair of International Common Criteria Development Board
- Scheme Director for the UK Common Criteria Scheme (operated by UK government)
- Representing UK Scheme - reporting on new CC vision statement
Common Criteria - Background
- Standards for Assurance of IT Product Security
- 26 Nations (more to come)
- 16 Nations evaluate/certify products
- Also an ISO standard (15408 and 18045)
- Run by a Management Committee (with an executive to support) and a Development Board
Common Criteria – The Value
- Manufacturers do not have to evaluate products in multiple places.
- Evaluation is very expensive in time and money
- Good cyber defence (and sustainable telecom) needs many more products evaluated
- All nations agree and procure to the common standard
- Industry involvement (CCUF)
Common Criteria – New Vision – Rationale - 1
- CC usage has been little changed for more than 12 years
- A number of nations found that:
  - The focus on ‘assurance level (EAL)’ was damaging product security
  - Not enough products are evaluated - Cyber defence needs many more
  - Expertise is applied in the wrong place, inconsistently, and without wide peer review.
Common Criteria – New Vision – Rationale - 2
- Smartcard Community has developed a very effective way of using CC
- Work has taken place to support a similar approach for general IT products
- Resulting in the CCMC (Management Committee) vision statement – published in September 2012
For more information
- Common Criteria Portal: www.commoncriteriaportal.org
- The vision statement links from the front page
- Other links show the products, schemes, operating documents etc.
- Also see CCUF at www.ccusersforum.org
Existing Approach
New Approach
Technical Communities
Meeting virtually
Much quicker and more effective
Bespoke design/evaluation
Better to have known standards
Other Important Developments
- Common view on cryptography
- Security Configuration Automation
- Strong linkage to Vulnerability/Weakness reporting
- Supply Chain working group
- Consistent Government Procurement (and other major users) – addressing what ‘recognition’ really means
Common support for procurement
Common Criteria – New Vision – Summary
- More assurance than a simple ‘EAL approach’
- Uses worldwide expertise, instead of relying on a single ‘expert’
- Open, Transparent, Repeatable – as befits an International Standard
- Step change in volume – better for cyber defence
- Lowers procurement costs
What does this mean for Sustainable Broadband Communications?
- More assurance (ignore ‘EAL’; look at what is assured)
- More responsive
- Lower cost
- Wider range and choice of products
- Uses worldwide expertise, instead of relying on a single ‘expert’
- Open, Transparent, Repeatable – as befits an International Standard
Further detail
- First International Technical Community about to launch – based on USB storage devices
- Many more to follow next year
- Already many TCs exist (mostly US based)
Example TC Areas
- Networking (NDPP, Firewalls, VPNs, etc.)
- Storage (USB, Hard disks, etc.)
- Applications on Operating Systems
- Mobile telecoms (VoIP, SIP, MDM, etc.)
- Multifunction devices (printers etc.)
Telecoms Applicability
- 3GPP discussion – potential development of cPPs
- Could extend to system approaches
- Key is to have the real technical expertise setting the standards
- CCRA maintains the fairness, the reliability/reputation, and the worldwide recognition for vendors
Conclusions and Recommendations