Protection Profile

A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation-independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.

A PP specifies generic security evaluation criteria to substantiate vendors' claims of a given family of information system products. Among others, it typically specifies the Evaluation Assurance Level (EAL), a number 1 through 7, indicating the depth and rigor of the security evaluation, usually in the form of supporting documentation and testing, that a product meets the security requirements specified in the PP. The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have agreed to cooperate on the development of validated U.S. government PPs.

A PP states a security problem rigorously for a given collection of systems or products, known as the Target of Evaluation (TOE), and specifies security requirements to address that problem without dictating how these requirements will be implemented. A PP may inherit requirements from one or more other PPs. In order to get a product evaluated and certified according to the CC, the product vendor has to define a Security Target (ST) which may comply with one or more PPs. In this way a PP may serve as a template for the product's ST.

Although the EAL is easiest for laymen to compare, its simplicity is deceptive because this number is rather meaningless without an understanding of the security implications of the PP(s) and ST used for the evaluation. Technically, comparing evaluated products requires assessing both the EAL and the functional requirements. Unfortunately, interpreting the security implications of the PP for the intended application requires very strong IT security expertise. Evaluating a product is one thing, but deciding if some product's CC evaluation is adequate for a particular application is quite another. It is not obvious what trusted agency possesses the depth in IT security expertise needed to evaluate the applicability of Common Criteria evaluated products to particular systems.

The problem of applying evaluations is not new. This problem was addressed decades ago by a massive research project that defined software features that could protect information, evaluated their strength, and mapped security features needed for specific operating environment risks. The results were documented in the Rainbow Series. Rather than separating the EAL and functional requirements, the Orange Book followed a less advanced approach, defining functional protection capabilities and appropriate assurance requirements as a single category. Seven such categories were defined in this way. Further, the Yellow Book defined a matrix of security environments and assessed the risk of each. It then established precisely what security environment was valid for each of the Orange Book categories. This approach produced an unambiguous layman's cookbook for how to determine whether a product was usable in a particular application. Loss of this application technology seems to have been an unintended consequence of the superseding of the Orange Book by the Common Criteria.

Evaluation Assurance Level

The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL level does not measure the security of the system itself; it simply states at what level the system was tested.

To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.

Although every product and system must fulfill the same assurance requirements to achieve a particular level, they do not have to fulfill the same functional requirements. The functional features for each certified product are established in the Security Target document tailored for that product's evaluation. Therefore, a product with a higher EAL is not necessarily "more secure" in a particular application than one with a lower EAL, since they may have very different lists of functional features in their Security Targets. A product's fitness for a particular security application depends on how well the features listed in the product's Security Target fulfill the application's security requirements. If the Security Targets for two products both contain the necessary security features, then the higher EAL should indicate the more trustworthy product for that application.

EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support the contention that due care has been exercised with respect to the protection of personal or similar information. EAL1 provides an evaluation of the TOE (Target of Evaluation) as made available to the customer, including independent testing against a specification, and an examination of the guidance documentation provided. It is intended that an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE, and for minimal cost. An evaluation at this level should provide evidence that the TOE functions in a manner consistent with its documentation, and that it provides useful protection against identified threats.

EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time. EAL2 is therefore applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems.

EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices. EAL3 is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without substantial re-engineering.

EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs. Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4. Examples with expired certificates are AIX, HP-UX, Oracle Linux, NetWare, Solaris, SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, Red Hat Enterprise Linux 5, Windows 2000 Service Pack 3, Windows 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 R2, z/OS version 2.1 and z/VM version 6.3. Operating systems that provide multilevel security are evaluated at a minimum of EAL4. Examples with an active certificate include SUSE Linux Enterprise Server 15 (EAL 4+). Examples with expired certificates are Trusted Solaris, Solaris 10 Release 11/06 Trusted Extensions, an early version of the XTS-400, VMware ESXi version 4.1, 3.5, 4.0, AIX 4.3, AIX 5L, AIX 6, AIX7, Red Hat 6.2 & SUSE Linux Enterprise Server 11 (EAL 4+). vSphere 5.5 Update 2 did not achieve EAL4+ level; it was an EAL2+ and certified on June 30, 2015.

EAL5 permits a developer to gain maximum assurance from security engineering based upon rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a TOE will probably be designed and developed with the intent of achieving EAL5 assurance. It is likely that the additional costs attributable to the EAL5 requirements, relative to rigorous development without the application of specialized techniques, will not be large. EAL5 is therefore applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs attributable to specialist security engineering techniques. Numerous smart card devices have been evaluated at EAL5, as have multilevel secure devices such as the Tenix Interactive Link. XTS-400 (STOP 6) is a general-purpose operating system which has been evaluated at EAL5 augmented. LPAR on IBM System z is EAL5 certified.

EAL6 permits developers to gain high assurance from application of security engineering techniques to a rigorous development environment in order to produce a premium TOE for protecting high-value assets against significant risks. EAL6 is therefore applicable to the development of security TOEs for application in high risk situations where the value of the protected assets justifies the additional costs. Green Hills Software's INTEGRITY-178B RTOS has been certified to EAL6 augmented.

EAL7 is applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs. Practical application of EAL7 is currently limited to TOEs with tightly focused security functionality that is amenable to extensive formal analysis. The ProvenCore OS, developed by ProvenRun, was certified to EAL7 in 2019 by the ANSSI. The Tenix Interactive Link Data Diode Device and the Fox-IT Fox Data Diode (one-way data communications device) claimed to have been evaluated at EAL7 augmented (EAL7+).

Technically speaking, a higher EAL means nothing more, or less, than that the evaluation completed a more stringent set of quality assurance requirements. It is often assumed that a system that achieves a higher EAL will provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction), but there is little or no published evidence to support that assumption. In 2006, the US Government Accountability Office published a report on Common Criteria evaluations that summarized a range of costs and schedules reported for evaluations performed at levels EAL2 through EAL4. In the mid to late 1990s, vendors reported spending US$1 million and even US$2.5 million on evaluations comparable to EAL4. There have been no published reports of the cost of the various Microsoft Windows security evaluations.

In some cases, the evaluation may be augmented to include assurance requirements beyond the minimum required for a particular EAL. Officially this is indicated by following the EAL number with the word "augmented", usually with a list of codes to indicate the additional requirements. As shorthand, vendors will often simply add a "plus" sign (as in EAL4+) to indicate the augmented requirements. The Common Criteria standards denote EALs as shown in this article: the prefix "EAL" concatenated with a digit 1 through 7 (examples: EAL1, EAL3, EAL5). In practice, some countries place a space between the prefix and the digit (EAL 1, EAL 3, EAL 5). The use of a plus sign to indicate augmentation is an informal shorthand used by product vendors (EAL4+ or EAL 4+).

Security Target

Common Criteria for Information Technology Security Evaluation, version 3.1 Part 1 (called CC 3.1 or CC) defines the Security Target (ST) as an "implementation-dependent statement of security needs for a specific identified Target of Evaluation (TOE)". In other words, the ST defines the boundary and specifies the details of the TOE. In a product evaluation process according to the CC, the ST document is provided by the vendor of the product. An ST defines information assurance security and functional requirements for the given information system product, which is called the Target of Evaluation (TOE). An ST is a complete and rigorous description of a security problem in terms of TOE description, threats, assumptions, security objectives, security functional requirements (SFRs), security assurance requirements (SARs), and rationales. The SARs are typically given as a number 1 through 7 called Evaluation Assurance Level (EAL), indicating
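As an added illustration (not part of the article and not tooling from the Common Criteria scheme itself), the following Python models the PP/ST structure described above and applies two rules the article states: an ST that claims a PP must keep all of the PP's SFRs and at least its EAL, and the EALs of two products are only comparable once both Security Targets contain the features the application needs. The PP, the two STs, the threat and objective names are constructed for the example; the SFR identifiers are real CC component names used only as sample values.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: SFR names such as FIA_UAU.2 are real CC component ids
# used only as illustrative values; no published PP or ST is reproduced.
EAL_RE = re.compile(r"^EAL ?([1-7])(\+| augmented(?: with (.+))?)?$")

def parse_eal(label):
    """(level, augmented) for 'EAL4', 'EAL 4', 'EAL4+', 'EAL4 augmented with ...'."""
    m = EAL_RE.match(label.strip())
    if not m:
        raise ValueError(f"not a Common Criteria EAL notation: {label!r}")
    return int(m.group(1)), m.group(2) is not None

@dataclass
class ProtectionProfile:
    name: str
    threats: set
    sfrs: set
    eal: str                                        # minimum EAL the PP demands
    rationale: dict = field(default_factory=dict)   # threat -> objectives

@dataclass
class SecurityTarget:
    toe: str
    sfrs: set
    eal: str

def uncovered_threats(pp):
    """Threats the PP lists but never maps to an objective in its rationale."""
    return sorted(t for t in pp.threats if not pp.rationale.get(t))

def conformance_gaps(st, pp):
    """PP SFRs the ST omits, plus any EAL shortfall: an ST may add SFRs or
    assurance beyond the PP, but never drop what the PP demands."""
    gaps = sorted(pp.sfrs - st.sfrs)
    if parse_eal(st.eal)[0] < parse_eal(pp.eal)[0]:
        gaps.append(f"EAL below PP minimum ({st.eal} < {pp.eal})")
    return gaps

def more_trustworthy_for(st_a, st_b, required_sfrs):
    """The article's rule: EALs are comparable only once both STs cover the
    application's required features; otherwise no ranking is possible."""
    if not (required_sfrs <= st_a.sfrs and required_sfrs <= st_b.sfrs):
        return None
    a, b = parse_eal(st_a.eal)[0], parse_eal(st_b.eal)[0]
    return st_a.toe if a > b else st_b.toe if b > a else None

OS_PP = ProtectionProfile("Sample OS PP", {"T.UNAUTH_ACCESS", "T.AUDIT_LOSS"},
    {"FIA_UAU.2", "FDP_ACC.1", "FAU_GEN.1"}, "EAL4", {"T.UNAUTH_ACCESS": {"O.AUTH"}})
ST_A = SecurityTarget("ProductA", {"FIA_UAU.2", "FDP_ACC.1", "FAU_GEN.1"}, "EAL4+")
ST_B = SecurityTarget("ProductB", {"FIA_UAU.2", "FDP_ACC.1"}, "EAL5")
```

With these inputs, ProductB's higher EAL5 only outranks ProductA once the application stops requiring FAU_GEN.1, which ProductB's ST does not claim; the sample PP also exposes a rationale gap, since T.AUDIT_LOSS is mapped to no objective.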