
Common Criteria OS Protection Profile Jointly Published

Atsec Information Security : 07 July, 2010  (Company News)
Working with standards groups and operating system vendors, atsec has produced a Common Criteria protection profile.

atsec is pleased to announce that a new Common Criteria protection profile for operating systems has been published. The protection profile was developed for the German Federal Office for Information Security (BSI) by atsec in cooperation with the OSPP Forum (Argus Systems, HP, IBM (AIX group, z/OS group, Linux group), Juniper Networks, Microsoft, Novell (SUSE), Oracle, Red Hat, SUN, Univention, BSI, NIAP, and atsec).

The need for a second generation certified Operating System Protection Profile (OSPP) becomes apparent when you take a look at the current reality of networked systems and the few general purpose OSPPs that specify industry-agreed functional and assurance requirements applicable to them. The OS paradigm has evolved from single isolated systems to more complex distributed and networked multi-machine environments, thus rendering several of the original protection profiles, including the much cited Labelled Security PP (LSPP), Role-Based Access Control (RBAC), and Controlled Access (CAPP) PPs obsolete. In addition, applications executing on operating systems depend upon a secure platform. The security assurance provided by many modern operating systems has been raised over the last decade with EAL4 being the norm for this technology and with leading vendors raising the bar further.

The OSPP forum included atsec experts, with many decades of security experience, and security architects from leading vendors that are working with key operating systems. Bringing such cooperation to OS security standards is an exemplary model for consolidating the improvements of the last years into the overall security posture of modern operating systems.

Gerald Krummeck, atsec's laboratory director, summarized: "atsec was excited that BSI provided us the opportunity to distill our outstanding expertise as the lab performing most of the OS evaluations worldwide into this protection profile. Together with the OSPP Forum we combined all the expertise that BSI could muster to define a PP that actually worked for both servers and workstations and that fulfils the needs of government and commercial users alike. That's really a new quality for operating system PPs."

The OSPP project defines a common base of security functions, adds a flexible set of agreed security requirements, and has extensive industry endorsement.

An important feature of the OSPP is its flexibility. By using a base package of mandatory security functions and a set of extended packages, the OSPP makes use of - and enhances - the CC package mechanism. It is also open for future updates, which are intended on a regular basis.

The OSPP Forum agreed on these basic security functions:

* Local auditing
* Cryptographically protected communication links
* User data protection based on discretionary access control
* Packet filter functionality
* Security Management
* Assurance Level EAL4 augmented by flaw remediation

In addition, the following security functions can optionally be claimed by evaluations compliant with the OSPP:

* Role-based management
* Central audit server
* General-purpose cryptography
* Central identification and authentication mechanisms
* Integrity verification
* Access control based on labels
* Trusted boot capability
* Virtualization (hardware-based as well as software-based)

Matthias Intemann, BSI overseer for the development of the OSPP, stated: "When initiating this project, we wanted to create a unified way of evaluating operating systems. Often, you had to cover different protection profiles with different approaches, partly based on different CC versions. Having one approach to the relevant security functional requirement packages helps all involved parties concentrating on security and worrying less about covering formal aspects. Additionally, we wanted to stay under the terms of the international Common Criteria Recognition Agreement (CCRA). Along the way we defined what security functions both customers and developers expect from every modern operating system in a managed environment."

Helmut Kurth, atsec's Chief Scientific Officer, co-editor of ISO/IEC TR 15446 "A guide for the production of Protection Profiles and Security Targets", and one of the editors of the OSPP commented: "We are very happy with the result of this project: the OSPP offers a flexible approach allowing the consideration of many security functions, which are often implemented by different cooperating systems. The OSPP is based on today's best practices in the security functions expected from a modern operating system and addresses secure OS deployment. The development included expert advice from industry and government. Best of all, it is designed to be open for future development. The process taken to develop the Protection Profile in close cooperation between vendors, users, evaluators and certifiers should become a standard for the development of Common Criteria protection profiles and other such areas of industry significance where cybersecurity is dependent on a united position. atsec's long term experience with the security evaluation of many operating systems from different vendors including Apple, Cray, IBM, Microsoft, Novell SUSE, Red Hat, and Silicon Graphics was a key factor to develop a protection profile capable of addressing the security functionality modern operating systems provide."