Effective Design of Trusted Information Systems
Luděk Novák, [email protected]
CATE 2001 - Security and Protection of Information, May 2001
Content
• Brief Introduction into Security Design
• Five Steps of Security Design
  – General Description
  – Security Environment
  – Security Objectives
  – Security Requirements
  – Rationale
• Conclusion
International Standards
• ISO/IEC PDTR 15446:2000 – Information technology – Security techniques – Guide for the production of protection profiles and security targets
• ISO/IEC 15408:1999 – Information technology – Security techniques – Evaluation criteria for IT security
Basic Term
• Target of Evaluation – TOE
  – IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation
  – A formal evaluation is not a necessity
Structure of Design
Target of Evaluation:
• General Description
• Security Environment
• Security Objectives
• Security Requirements
• Rationale
General Description
• Background information on the TOE and its purpose, usage, operation, etc.
– Document Identification
– General TOE Functionality
– TOE Boundary
– TOE Operational Environment
Security Environment
[Diagram: Security Needs (Assumptions, Threats, Organisational Security Policies) concerning the Assets]
Security Environment
• Asset – information or a resource which needs to be protected by TOE countermeasures
  – Data Objects
  – Software
  – Hardware
Security Environment
• Threat – undesirable event characterised by:
  • threat agent
  • attack method
  • vulnerability
  • assets under attack
• Threat Agent – source of the event, which can be:
  • human
  • non-human
Security Environment
• Assumption – potential threat to assets that is not relevant to or not involved in TOE security
• Organisational Security Policy – rules, procedures, practices, etc. imposed by the organisation or other authorities
Security Objectives
• Security Objectives for TOE – express what is the responsibility of the TOE and its security functions
• Security Objectives for Environment – address those aspects of the security needs that the TOE will not deal with
Security Objectives
[Diagram: Security Needs (Threats, OSPs, Assumptions) → Security Objectives (TOE Objectives, Environment Objectives) → IT Security Requirements (TOE, IT Environment) and Non-IT Security Requirements]
Security Objectives
• Preventative Objectives
  – measures that prevent a threat from being carried out
• Detective Objectives
  – means that detect/monitor events
• Corrective Objectives
  – actions taken in response
Security Requirements
[Diagram: Environment Security Objectives → Environment Security Requirements; TOE Security Objectives → Security Functional Requirements (ISO/IEC 15408-2) and Security Assurance Requirements (ISO/IEC 15408-3)]
Functional Requirements
Security Functional Requirements identify the demands for the security functions which the TOE must provide to fulfil the security objectives for the TOE.
They can be based on:
– ITSEC's Generic Headings
– ISO 15408 – Common Criteria
Functional Requirements
ITSEC Generic Headings:
• Identification and Authentication
• Access Control
• Audit
• Integrity
• Availability
• Privacy
• Data Exchange
ISO/IEC 15408 (Common Criteria) functional classes:
• Security Audit
• Communication
• Cryptographic Support
• User Data Protection
• Identification and Authentication
• Security Management
• Privacy
• Protection of TOE Security Functions
• Resource Utilisation
• TOE Access
• Trusted Path/Channels
Assurance Requirements
Security Assurance Requirements prescribe clear objective criteria which express the quality of the TOE development.
Evaluation Assurance Level – EAL
– EAL1 up to EAL4 – Commercial Security
– EAL5 up to EAL7 – Special Security Tools
Requirements on Environment
Security Requirements on the Environment bring up the claims which would not be under the direct control of any IT security function within the TOE.
– Personnel Security
– Physical Security
– Procedural Security
Rationale
• Security Objectives Rationale – demonstrates that the identified security objectives are suitable to cover all aspects of the security needs
• Security Requirements Rationale – makes evident that the identified security requirements are suitable to meet the security objectives
Rationale
[Diagram: Security Needs (Threats, OSPs, Assumptions); Security Objectives (TOE Objectives, Environment Objectives); Security Requirements (IT Security Requirements, SOF Claims). Relationship labels: suitable to meet, uphold, consistent with, mutually supportive]
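The two rationale arguments named on these slides (objectives suitable to cover the security needs, requirements suitable to meet the objectives) amount to a traceability check over the five-step structure. The following is an added example, not code from the original presentation or from ISO/IEC 15408: it models a design as sets of needs, objectives and requirements with explicit traces between them, and reports every gap the rationale would have to explain. All threat, OSP, assumption, objective and requirement names are constructed sample values.

```python
"""Rationale as a traceability check.

Added example, not code from the original presentation: a small model of
the five-step design (security environment -> objectives -> requirements)
with the two rationale arguments the slides name, objectives covering the
security needs and requirements meeting the objectives, written as a check
that reports every gap.  All threat, OSP, assumption, objective and
requirement names below are constructed sample values, not identifiers
from ISO/IEC 15408 or the original talk.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityTarget:
    # Security environment: the needs the design must address
    threats: set
    osps: set
    assumptions: set
    # Security objectives: what the TOE does and what the environment does
    toe_objectives: set
    env_objectives: set
    # Security requirements: SFRs for the TOE, non-IT requirements for the environment
    sfrs: set
    env_requirements: set
    # Rationale traces: need -> objectives that cover it, objective -> requirements that meet it
    need_to_objective: dict = field(default_factory=dict)
    objective_to_requirement: dict = field(default_factory=dict)


def rationale_issues(st):
    """Return a sorted list of rationale gaps; an empty list means the design traces cleanly."""
    issues = []
    objectives = st.toe_objectives | st.env_objectives
    requirements = st.sfrs | st.env_requirements

    # Security objectives rationale: every threat and OSP is covered by some
    # objective, every assumption is upheld by an environment objective.
    for need in st.threats | st.osps:
        if not st.need_to_objective.get(need, set()) & objectives:
            issues.append(f"{need}: not covered by any security objective")
    for a in st.assumptions:
        if not st.need_to_objective.get(a, set()) & st.env_objectives:
            issues.append(f"{a}: not upheld by an environment objective")
    # A trace to an objective that was never defined is a consistency error
    for need, objs in st.need_to_objective.items():
        for o in sorted(objs - objectives):
            issues.append(f"{need}: traces to undefined objective {o}")

    # Security requirements rationale: TOE objectives are met by SFRs,
    # environment objectives by environment (non-IT) requirements.
    for o in st.toe_objectives:
        if not st.objective_to_requirement.get(o, set()) & st.sfrs:
            issues.append(f"{o}: no security functional requirement meets this TOE objective")
    for o in st.env_objectives:
        if not st.objective_to_requirement.get(o, set()) & st.env_requirements:
            issues.append(f"{o}: no environment requirement meets this objective")

    # Mutual support in the other direction: a requirement that serves no
    # objective has no rationale and should be justified or dropped.
    used = set().union(*st.objective_to_requirement.values()) if st.objective_to_requirement else set()
    for r in sorted(requirements - used):
        issues.append(f"{r}: requirement traces to no objective")
    return sorted(issues)


def sample_design():
    """Constructed sample design for a small audited access-control system."""
    return SecurityTarget(
        threats={"T.UNAUTH_ACCESS", "T.TAMPER_LOG"},
        osps={"P.ACCOUNTABILITY"},
        assumptions={"A.PHYSICAL"},
        toe_objectives={"O.AUTH", "O.AUDIT", "O.AUDIT_PROTECT"},
        env_objectives={"OE.PHYSICAL"},
        sfrs={"SFR.USER_AUTH", "SFR.AUDIT_GEN", "SFR.AUDIT_STORE"},
        env_requirements={"ENV.GUARDED_ROOM"},
        need_to_objective={
            "T.UNAUTH_ACCESS": {"O.AUTH"},
            "T.TAMPER_LOG": {"O.AUDIT_PROTECT"},
            "P.ACCOUNTABILITY": {"O.AUTH", "O.AUDIT"},
            "A.PHYSICAL": {"OE.PHYSICAL"},
        },
        objective_to_requirement={
            "O.AUTH": {"SFR.USER_AUTH"},
            "O.AUDIT": {"SFR.AUDIT_GEN"},
            "O.AUDIT_PROTECT": {"SFR.AUDIT_STORE"},
            "OE.PHYSICAL": {"ENV.GUARDED_ROOM"},
        },
    )


if __name__ == "__main__":
    st = sample_design()
    print("complete design:", rationale_issues(st) or "no gaps")
    # Drop one trace to see the objectives rationale fail
    del st.need_to_objective["T.TAMPER_LOG"]
    print("after removing a trace:", rationale_issues(st))
```

The check is deliberately symmetric: besides uncovered needs and unmet objectives it also flags requirements that trace to no objective, which is the "mutually supportive" part of the diagram in practice, since an unmotivated requirement has no place in the rationale.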
Conclusions
Advantages
• Clear, Transparent and Effective Way
• Simple Sharing of Know-How
• Based on Well-Known Common Criteria Project
Disadvantages
• Not Officially Approved
• No Direct Connection to Special Security Tools