Corporations spend millions of dollars getting their products Common Criteria-certified. Certification validates that a product has been tested, under an international security evaluation standard, against the security claims its vendor chose to make. Yet the standard does not require those claims to be at a rigorous security level; it evaluates the vendor's own claims, at a stated assurance level, and merely advocates thorough testing of them.
Much has been written and voiced about the limitations and costs of Common Criteria by the technology industry, standards bodies and the government sectors that use the certification as a purchasing criterion for their programs. Yet Common Criteria certifications are being pursued at increasing rates to gain accreditation for sales, especially into the government sector. Through 2007, almost 900 Common Criteria evaluations of products or Protection Profiles, plus an increasing number of re-certifications, were completed internationally.
Are we doing the right thing?
Is Common Criteria delivering on the essence of security assurance in any way? Or are we caught in a massive, pointless churn?
Today, I am beginning to see a deeper meaning to Common Criteria, one that gives me a lot more assurance in corporations and their product portfolios if, and this is a key "if", they are doing security correctly. I think my observations might even help vendors and buyers gauge the cumulative benefits of Common Criteria in a whole new way, enhancing our confidence in product security.
There’s something deeper going on here…
In the past six months, EMC has certified or put into certification seven products. This is in addition to the eleven products that were certified for Common Criteria as reported in April 2008. Now that's quite a run rate and a huge commitment!
But make no mistake: this is not a numbers game where we have stuffed a pipeline of products through the Common Criteria process. It costs EMC (or anyone else, for that matter) a sizable amount just to have the internationally accredited labs do the testing and validation over a period of 12-18 months. The time and effort drawn off engineering teams into the process can also be formidable.
Moreover, it is important to note that EMC has put some of its most prominent and broadly deployed products through Common Criteria validation: Symmetrix, CLARiiON, Celerra, EDL, Control Center, SMARTS, Documentum Content Server, VMware ESX, and RSA's Certificate Manager, Adaptive Authentication, DLP and enVision. Rather a formidable lineup of flagship products!
In reality, as I look deeply into the genesis of EMC's corporate commitment to Common Criteria, I have discovered a rich foundation that sustains the philosophy of ingrained security in our products.
It’s getting into the genes of the corporation!
EMC has a corporate policy for product security that is in its second generation, with over 80 criteria derived from global customers' security mandates and regulatory compliance requirements. We scoreboard each product line, do comprehensive threat modeling, and take a lifecycle approach to building security into our product development processes, from design to development to testing and assurance. We extensively train our developers and support staff in security best practices geared towards assurance. Already, we have had measurable success in deploying proven, modularized security technology from RSA, via the Toolkit from our Common Security Platform, across an increasing number of products.
Today, I can see that our corporate Product Security Office can step product development groups through the Common Criteria certification process much more efficiently because of the ingrained EMC Security Development Lifecycle. The sharpness of our threat modeling and assurance testing comes from a common knowledge base and experienced approaches, making our security profiles more robust, with claims focused on mitigating the relevant information-centric risks.
Our security technology architectures are service-oriented, and are beginning to offer our customers a way to deliver on their own security service level agreements. For example, EMC's Secure Services Credential controls service staff's remote and local access and work permissions when supporting and servicing an EMC platform.
The way I see it, this is good evidence of comprehensive, consistent and conforming security. In fact, I see EMC developing demonstrable security DNA across its divisions: the ability to securely build, deploy and support our products, solutions and services.
And the results are clear: a deeper assurance delivered to our customers!
My sense is that EMC is turning the tide on rising Common Criteria costs by making Common Criteria a subset of its inherent security program. As Common Criteria extends its Protection Profiles in version 3.1, and more so in version 4.0, EMC is poised to be more ready than most other vendors.
But more importantly, I see the increasing confidence that we are building among our customers, even those well beyond the government sector. I am beginning to believe that they are seeing that security is indeed built in at EMC, and that Common Criteria is purely a basic validation of this fact. Now wouldn't it be good to have a vendor be so demonstrable across the entire lifecycle of product security? Isn't that the kind of assurance that is ultimately being called for by Common Criteria?
I am seeing a lot of good in Common Criteria being done right!
Shouldn’t you be?
Blog also available on RSA's Speaking of Security, Oct 15, 2008.