Common Criteria for increasing confidence in security


In the wake of recent denial-of-service attacks, companies are spending millions on security gear. But can you be confident the products will work as advertised?

To give buyers a basis for answering yes, vendors including Cisco, Check Point Software, Lucent, IBM and Oracle have begun specifying the security features of their products according to the Common Criteria (CC) - a new international security standard that provides a common language for stating both consumers' security needs and vendors' security claims. These products are then evaluated by a new breed of accredited commercial security testing labs, which independently verify - at a stated level of assurance - that a product actually does what its security claims say it does.

The CC includes a two-part catalog of requirements: security functional requirements (what the product must do, such as authenticate users or audit security events) and security assurance requirements (the evidence that those functions were designed, implemented and tested properly). Consumers use the catalog to write Protection Profiles - implementation-independent statements of their security needs and of the Evaluation Assurance Level (EAL) they want in the products they're looking to buy. Vendors use the CC to write a Security Target that defines the product's claimed security functions and shows how they meet the consumer's profile. Testing laboratories use the common test methods of a companion standard, the Common Evaluation Methodology, to verify that the vendor's implementation is correct, complete and consistent with its stated claims. And the National Information Assurance Partnership (NIAP) - the NIST/NSA partnership that helped author the U.S. scheme for using the CC - validates the labs' results and certifies successfully evaluated products for international markets.

At the First International CC Conference this May (niap.nist.gov/cc-scheme/iccc/program.html), many of the world's biggest IT-producing and IT-buying nations are expected to sign a multilateral recognition arrangement embracing the CC specification, testing and validation scheme. Under such an arrangement, a CC certificate issued in one signatory country is accepted in the others without product retesting, up to the assurance levels the arrangement covers - a benefit to both vendors and consumers.

The financial world is using the CC scheme to build confidence in its electronic services, simplify comparison of security products and reduce testing costs. Led by Visa, the major credit card companies and smart card vendors are drafting CC-based Protection Profiles for smart cards, along with common test suites, to replace the current hodgepodge of customer- and vendor-specific testing.

The health care sector is following suit. Vendors and providers can use CC evaluations to help demonstrate that their products and systems meet the patient information privacy requirements flowing from the Health Insurance Portability and Accountability Act; Gartner Group expects this to reduce liability.

The telecom industry is eyeing the CC to improve consumer confidence in the security features of PBXs and telecom switches that connect to the Internet. The federal government is also turning to products evaluated under the CC scheme.

While nothing's a panacea in the security world, being able to buy products evaluated to the level of assurance you want is a giant step in the right direction. Keep in mind what a certificate attests: that the product meets its own stated security claims, in its evaluated configuration, at the stated assurance level - not that it is secure against every threat or in every deployment. Before you buy, check that the claimed functions and the evaluated configuration match how you intend to use the product. Trust in security and privacy products is what will facilitate the growth of electronic commerce and services for all types of enterprises.

Brusil is a freelance security and network management consultant in Beverly, Mass. He can be reached at brusil@nist.gov.
