Monday, August 13, 2007

Common Criteria

What is "Common Criteria" anyway? Let's get the definition from Wikipedia...
The Common Criteria (CC) is an international standard (ISO/IEC 15408) for computer security. Unlike standards such as FIPS 140, Common Criteria does not provide a list of product security requirements or features that products must contain. Instead, it describes a framework in which computer system users can specify their security requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

So basically it is a standard for computer security. Common Criteria certifications are being asked for more and more by customers these days. It's not uncommon in Europe to have a customer specify that a solution has to have been Common Criteria evaluated (and certified) and with many U.S. government entities - certain "three letter" agencies especially - it has become mandatory.

We've currently got Quest's Vintela Authentication Services undergoing an evaluation for certification at "evaluation assurance level" 4+ (EAL4+) which is the same security certification as, for example, the Windows Server operating system, Trusted Solaris and VMWare's ESX Server. Why bother getting a product certified?

  • Customers can compare their specific requirements against the Common Criteria’s consistent standards to determine the level of security they require.

  • Because the Common Criteria require certification bodies to prepare detailed reports about the security features of successfully evaluated products, consumers can use those reports to judge the relative security of competing IT products.

  • Customers can depend on Common Criteria evaluations because they are not performed by the vendors, but by independent testing labs. The Common Criteria is increasingly used as a purchasing benchmark; for example, the U.S. Department of Defense has a policy of using only Common Criteria-evaluated information assurance products.

  • Because the Common Criteria is an international standard, it provides a common set of standards that customers with worldwide operations can use to help choose products that meet their local operations’ security needs.

So the end result is our customers will have more information about the security of our products. I also expect that this type of rigorous testing and evaluation will help Quest build more secure products.

Technorati Tags:
, , ,


James McGovern said...

Is there any evidence that the Vintela product was written using the notion of secure coding practices where tools such as ouncelabs, fortify and others inspected the code?

Unknown said...

Yes, while at Microsoft I noticed how the CC certification (EAL4+) did little to reduce security vulnerabilities... ;)

I honestly don't know the answer to your question, James. However, as I said in my post "I also expect that this type of rigorous testing and evaluation will help Quest build more secure products."

I know that the feedback we are getting as part of this process has already helped towards that goal...