Transcript of the slide deck "Certification schemes for products and services & advanced Technical Communities (aTC)", 2016-05-19
Certification schemes for products and services &
advanced Technical Communities (aTC)
May 2016 Eurosmart PSSC / Francois Guerin
PSSC
The Product and System Security Committee gathers a body of experts with the combined knowledge of the major players of the secure element industry, SE software developers and SE personalisers. Most of them are also members of the ISCI-WG1 and JHAS groups.
Cybersecurity contractual Public-Private Partnership (cPPP)
Cybersecurity Products & Services (overview diagram, flattened):
• Vertical domains: Industry, Energy, Transport, Finance, eGov, Health (…)
• Infrastructures: OS, Appli, Mobile, IoT, Network, Web services, Cloud
• Products & Services: Data Mgt, Appli Mgt, Id Mgt, Config Mgt, Device Mgt, Network Mgt
• Security activities: Evaluation, Site audit, Certification, Risk Mgt, Training, Awareness
Security Evaluation / Certification: the means to reach the objective, Confidence
Diagram (flattened): the Sponsor uses a Risk Management process; risk acceptance leads to a decision to take, a system or product to deploy, an environment, and countermeasures to implement in order to protect it; the required level of confidence imposes, or may require, a security evaluation.
Confidence comes from evaluation / certification driven by:
Assurance x Resistance x Expertise x Independency
Hierarchy and type of requirements
According to the risk assessment for each business case, the level of confidence to reach for each type of requirement should be adapted.

Objective | Type of Requirements | Type of Evaluation
Correctness of Product | Security Functional Requirements + Security Assurance Requirements | Review of Evidences + Security Tests
Correctness of Process | Security Assurance Requirements | Review of Evidences + Audit
Correctness of Environment | Security Assurance Requirements | Review of Evidences + Audit
Correctness of Guidance | Security Assurance Requirements | Review of Evidences
Robustness of Product | Security Functional Requirements | Vulnerability assessment + Penetration Tests
Robustness of Environment | Security Assurance Requirements (Minimum Site Security Requirements) | Review of Evidences + Audit
Return from experience: Common Criteria
• National schemes driven by Certification authorities (CB)
• Using several labs accredited for dedicated technical domains (or not)
• Requirements explicitly refined in CC, CEM and supporting documents.
• CC provides several types of recognition
– Recognition at CCRA level between worldwide CBs (27)
– Recognition at SOG-IS level between EU CBs (10)
– Recognition by private issuers on a case-by-case basis
The genericity of CC requirements allows their use for most types of products.
CC and EAL scale
What a higher EAL means (scale from MIN to MAX):
• More constraints on documentation, testing and environment security
• Better reliability of the security features implementation
• Better confidence (EAL) that the product complies with its security specifications
• Higher resistance (AVA_VAN) to attack potential
Common Criteria ecosystem
CCRA and iTC
• The International Technical Community (iTC) concept has recently been created* to maintain the level of CCRA recognition at EAL4/AVA_VAN.3 using collaborative Protection Profiles (cPP)
• An iTC brings together CBs, labs, vendors and any entity interested in contributing to the definition of requirements for a technical domain
• The iTC provides the collaborative protection profile used to evaluate the product
• Limitation: the targeted levels are
* for Correctness [EAL1 to 4]
* for Robustness [AVA_VAN.1 to 3]
(*) Note: the iTC idea comes from the success of the ISCI working groups managed by Eurosmart and dedicated to the Secure Element
Return from experience: private schemes
Most private schemes focus on
• a technical domain with local or global organisations (Finance: EMVCo, PCI; Mobile: GSMA) or
• a given issuer (Entertainment: payTV; Transportation: ticketing)
• with security requirements often linked to a business case and often not fully defined in supporting documents
• Recognition limited to the organisation
– Recognition only by the given private certification authority
– Recognition by private issuers on a case-by-case basis
Efficient for a product, but usually little reuse across other technical domains.
Proposal for larger scale recognition and use
Definition of advanced Technical Communities (aTC)
to extend the iTC concept in order to obtain recognition between schemes among the EU (and beyond) at a high level of assurance, and
to combine or select the advantages of the standard (CC) and private schemes.
• Allowing sharing of a common methodology, expertise and tools, and specialising only when needed.
• Building on existing sharing solutions that work, to achieve a high level of confidence in Correctness (up to EAL7) and Robustness (up to AVA_VAN.5) when required.
aTC mapping in cPPP
Organisation chart of the ECYS Cybersecurity cPPP (flattened):
EUROPEAN COMMISSION
European Cybersecurity Council (High Level Advisory Group: EC, MEP, MS, CEOs, …)
ECYSA - Board of Directors (management of the ECYSA Association: policy / market actions)
Coordination / Strategy Committee (axes: INDUST. POLICY, R&I)
Working groups:
• WG Standardisation, Certification / EU Label (our targeted WG as anchor of the aTC(s))
• WG Sectoral demand (market applications)
• WG Support SME, East EU, …
• WG Value Chain Management
• WG Market development / Financing / Export
• WG SRIA: Technical areas, Products / Services areas
• WG Education, training, awareness, exercises
aTC as input for schemes
Within the cPPP, the WG Standardisation, Certification / EU Label anchors the aTCs: aTC - SE, aTC - Automotive, aTC - Smart Energy, aTC - Mobile, aTC - Health.
WG deliverables and aTC deliverables are used in (public / private) certification schemes driven by CA.
aTC organization
Governance Group (at least 2 Certification Authorities)
• To manage application of aTC rules
Chairman and Vice Chairman for aTC management
• To manage aTC objectives and activities
Members
• National Certification Authorities [for CC]
• Private Certification Authorities [when required]
• Laboratories involved in CC and/or private schemes
• Vendors
• Product Issuer / Service Provider
Liaison with standardisation organisations (ETSI, CEN)
aTC: a cornerstone for new schemes
• Any security scheme needs explicit rules and recognised expertise to perform accurate and repeatable evaluations.
• aTC will provide them by creating communities between vendors, laboratories and certification authorities working towards such objectives.
– Labs will provide expertise for methodology definition
– CBs are required to create the conditions for recognition and independence from the vendor.
– Vendors will be involved for the accuracy of the definition of security needs and of the evaluation work
Expected results from WG
o Manage a working group
o Facilitate collaboration between aTC(s)
o Define objectives and roadmap for the WG
o Follow the action plan for generic activities
o Provide generic supporting documents
  o Generic Terms of Reference (TOR)
  o ITSEF expertise requirements & validation procedure
  o Specific template to define rules for evaluation methodology
  o Vulnerability assessment & attack quotation methodology
Expected results from aTC(s)
o Set up and maintain methodology
  o Specific Terms of Reference (TOR)
  o Essential Security Requirements per type of product
  o Protection Profile per type of product
  o Attack Path Dictionary
  o Attack Methods (tools and techniques & rating)
  o Laboratory expertise requirements & qualification procedure
Expected Planning (timeline 2016 - 2017, flattened)
Now / Step 1:
• Lobby
• Founding members
• By-laws
• Structure setup
Step 2:
• Communication with CA
• Member recruitment
• aTC kickoff
• aTC documentation
aTC SE live: Go / NOGO, then aTC running
aTC template