The almost 99.9999% of us means Cybersecurity architects / Administrators / Managers / Engineers don’t have a lab, sophisticated equipment, and arrangement to test the security of an operating system product in depth and our executive management will go crazy if demand for such facility. Hence we have to trust the reputed agency and third-party evaluators testing operating system security providing assurance level and other ratings to these products. Let go through, in short, some of legacy evaluation criteria so will able understand the development of moderns evaluation methods.
First published in 1983 and later updated 1985, The TCSEC normally referred to as ‘Orange Book’, was a Government of US Department of Defense Standard for the military and government computer system. TCSEC sets basic standards for implementation of security protection in computer systems. If we talk about the specification and features of this standard it is strongly focused on confidentiality with low focus on Availability and Integrity aspects. Although it is superseded by Common Criteria, still it influenced a lot in the development of other product evaluation criteria, and some of its basic approach and terminology continues to be used in the industry.
Summary of Orange Book Division Criteria:
TCSEC introduced idea of Trusted Computing Base (TCB) into product evaluation in the essence of principle that there are some functions must be working correctly for security to be possible and consistently enforced security in a computer system. For example ability to define subject and object and ability distinguished between them is to fundamental that no system could be secure without it. The TCB defines these fundamental controls which must be implemented wither it is a hardware, Software, or Firmware.
The Information Technology Security Evaluation Criteria (ITSEC):
ITSEC is a UK scheme in which security features of IT systems and products are tested independently to identify logical vulnerabilities. It combined and harmonized the national criteria produced by the United Kingdom, Germany, France and the Netherlands after the publication of the TCSEC criteria in the United States. The ITSEC was first published in May 1990 in France, Germany, the Netherlands, and the United Kingdom based on existing work in their respective countries. Following extensive international review, Version 1.2 was subsequently published in June 1991 by the Commission of the European Communities for operational use within evaluation and certification schemes. The ITSEC has been largely replaced by Common Criteria, which provides similarly approach for product evaluation.
With evaluation criteria, consumer or vendor has the ability to define a set of requirement from the menu of the possible requirement into a Security Target (ST) and vendors development products (the Target of Evaluation or ToE) and have them evaluated against that targets. Unlike TCSEC, it also addressed a wider range of security needs, including integrity and availability requirements. ITSEC Assurance level can be defined as a level of confidence that evaluator has that the product not only meet the functional requirements but that it will continue to meet those requirements. ITSEC defined six different levels of assurance, each one more difficult to achieve than the last.
Common Criteria represents IT security criteria that are broadly useful within the international community. We see how TCSEC and ITSEC were developed. In the succeeding decade, various countries began initiatives to develop evaluation criteria that built upon the concepts of the TCSEC but were more flexible and adaptable to the evolving nature of IT in general. In Canada, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) version 3.0 was published in early 1993 as a combination of the ITSEC and TCSEC approaches. In the United States, the draft Federal Criteria for Information Technology Security (FC) version 1.0 was also published in early 1993. Work had begun in 1990 in the International Organization for Standardization (ISO) to develop a set of international standard evaluation criteria for general use.
The publication of Common Criteria as ISO/IEC 15408 standard provided the first truly international product evaluation criteria for security properties of IT products. It adopted a similar approach to ITSEC by providing a flexible set of functional and assurance requirements, alike ITSEC, it is also not very restrictive in nature as TSEC had been. This product evaluation criterion focused on standardizing the general approach to product evaluation and providing mutual recognition of such evaluation all over the world. The Common Criteria introduced Protection Profiles (PP), these are a common set of functional and assurance requirement for a specific category of vendor products used or deployed in a particular type of environment. The vendor products (Referred to as ToE) is then examined against this specific profile by third-party evaluation labs using Common Evaluation Methodology (CEM).
The keynote to take here is that two products assigned the same level of EAL level shall not be compared as their functionality may differ even though both are from the same category but functionality may in common.