Browse Prior Art Database

Methodology of Aggregating Security Functions for a Single Common Criteria Evaluation

IP.com Disclosure Number: IPCOM000012467D
Original Publication Date: 2003-May-08
Included in the Prior Art Database: 2003-May-08
Document File: 2 page(s) / 32K

Publishing Venue

IBM

Abstract

Disclosed is a method that allows multiple products to be certified by one Common Criteria (CC) evaluation. The method is to aggregate all security aspects of the products into a security core. A CC evaluation against the security core effectively certifies all security capabilities of the product suite.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 62% of the total text.

Page 1 of 2

  Methodology of Aggregating Security Functions for a Single Common Criteria Evaluation

The Common Criteria, an international standard ISO/IEC 15408 [*], evaluation of Information Technology (IT) products is mandated by the United States and other national Governments to ensure that the products perform security functionality correctly and reliably as advertised. A CC certification provides a level of security assurance on IT systems that incorporate the product. A typical IT environment may consist of multiple related but separate software products to support different business solutions. An example WebSphere platform environment shown in Fig. 1 includes an Application Server, a Portal Server and a Commerce Server. Each of these products has a unique security function to protect its own unique resources. Each such product with security functions is subject to a CC evaluation.

The total cost of certifying multiple products is great and multiplied by support for multiple operating systems and the required maintenance delta evaluations, after the first evaluation, on follow-on product releases to keep the CC status. This cost also reflects the complexity of security functions and management in a distributed multi-product IT system.

Figure 1. An example IT system and security

Portal Server

Portal Security

Commerce Server

Commerce Security

Platform Base

To alleviate the long-term cost burden and efficiently and effectively evaluate a product suite, it is proposed that...