Testing and Evaluation of Privacy Enhancing Technologies using the Common Criteria Paul Zatychec Director EWA-Canada Ltd


Testing and Evaluation of Privacy Enhancing Technologies using the Common Criteria

Paul Zatychec

Director

EWA-Canada Ltd


Commissioner’s Challenge

Yesterday, Commissioner Cavoukian issued 2 charges:

1. Find the [privacy] design correlates in architecture!

2. “Privacy is not just about risk aversion, it’s about attracting opportunity.”

This presentation is about a commitment to a practical means of rising to these challenges.


AIM

Present work done on a formal, standards-based approach for dealing with Privacy Considerations in technology

Raise awareness and open a dialogue


Outline

History

Goals, Motivation and Challenges

Highlight key messages

What are the Common Criteria and why the Privacy community should care

Describe evaluation and certification process

Conclude with what this means

Open Discussion


History

Situation: Development and Use of Privacy Enhancing Technologies have not lived up to the promising scenario of the mid-1990s.

IPC wanted to boost the development and use of Privacy Enhancing Technologies

More History

Formed an international team to take on the challenge of developing testing criteria for PETs

Value: level playing field for developers, common understanding for organisations deploying PETs

Part of a project named and created by John Borking (father of PETs)

IPC/CSE and EWA-Canada conducted a joint study to adapt the CC for Privacy


Our Goals

Build an internationally accepted framework that will:

1. Provide engineering standards and guidance to technology developers and consumers on how to formally specify and build privacy requirements and functionality into new products

2. Allow products to be independently evaluated and Certified as Privacy Enhancing Technologies if they meet these requirements

Motivation


[Figure: ASSURANCE for e-BUSINESS, a diagram built up over slides 10 to 17. An e-Business IT System's Operations sit inside an Active Security Cycle that feeds Risk Management Decisions. The cycle is driven by Changing Threats, New Exposures and the Real World Volatility of the E-Business environment, and is measured by OPS Metrics and Process Metrics. The elements added to the cycle, as labelled on the slides: Major System Changes (Developmental Certification & Accreditation); Visible Maps / Status; Minor System Adjustments (On-Going Accreditation); Configuration Management Tools; Throughput / Availability (Performance Monitoring & Network Management); Alarms, Incidents / Trends (Intrusion Detection Systems, Firewalls); Current Vulnerabilities (Security Posture Assessment Tools); Business Continuity Plan (Business Impact Analysis, Recovery Plan); Capability Maturity of Technology, People and Process (Process Improvement (PI)). The final slide adds PRIVACY CONCERNS to the diagram.]

Motivation

1. Internationally accepted engineering standards and methodologies for privacy do not yet exist

2. Huge opportunity for Canadian leadership and contribution to the global privacy community

3. Clear demand! Address both public and private concerns

More Motivation

4. Need to differentiate products based on privacy characteristics (…finding the opportunity part)

5. Create a formal system to prove or disprove vendor claims to reduce snake oil and partial solutions


4 Challenges

1. How to formally and measurably deal with Privacy Considerations for IT with credible due diligence/care regarding requirements defined in legislation, regulation, codes of ethics and best practices?

“Demonstrably” means:

Claims are precise and confirmed through independent analysis via a credible third party

Privacy enhancing functionality has been independently evaluated, tested and documented

Technologies that meet specified measurable requirements are Certified by national authorities

4 Challenges (Cont’d)

2. Need to create a comprehensive framework that can be used by developers to build privacy functionality into their products

3. Framework must provide confidence to people buying and using technologies that vendor privacy claims are real

4. How can we leverage international approaches for certification of IT security standards and enhance these for emerging privacy considerations?


Key Messages

We are working on a globally recognized, standards-based system to encourage formal specification and independent evaluation of IT for privacy considerations

Objective is to foster increased trust and confidence that responsible vendor privacy claims are demonstrably and provably real


Key Messages (2)

The new standard will be an extension of the ISO 15408 Common Criteria for IT Security Evaluation

It will recognize the distinct and complementary nature of IT Security, Privacy and Assurance requirements

Successful evaluations will lead to certification by national authorities and these certifications will be mutually recognized in at least 16 countries world-wide


Leadership and Contribution

The work is being done under the leadership of the IPC (Mike Gurski) in conjunction with CSE, EWA-Canada and IBM. Sister agencies to CSE in the U.S. and other countries, as well as product vendors and government departments, are interested in this work.

Intention is to bring the completed work to the EU and other nations


Executive Support from Canada’s Privacy Commissioners

This approach has been formally and unanimously endorsed by all of the provincial Privacy Commissioners in June 2002, with the concurrence of the Federal Privacy Commissioner, who recognize the value of this leadership opportunity.


Why?

One of the reasons is to create a mechanism that allows organizations to exercise appropriate due diligence and due care with respect to privacy, and that is robust enough to meet their formal compliance obligations and legislative requirements

The privacy-extended Common Criteria will be fully traceable to mature privacy legislation, models and codes

What are the Common Criteria and Why Should We Care?


Common Criteria ISO 15408

International ISO IT Security standard for formally specifying IT Security Requirements and how these are to be independently evaluated and tested so products may be formally certified as being trustworthy

3-Part Standard, plus evaluation methodology


What is an Evaluation?

Independent Verification and Validation (IV&V) by an accredited and competent Trusted Third Party

Provides a basis for international Certification against specific formal standards (i.e. CC) by national authorities


Evaluation Process

[Figure: Evaluation Process. Information Asset Owners require Confidence. Assurance Techniques (Independent Evaluations) produce Assurance, which provides formal evidence of Privacy Requirements that are Properly Managed to protect Privacy Rights, giving that Confidence.]


CC Evaluations Involve:

ANALYSIS

Product Documentation

Product Design (Security & Privacy Focus)

Development Processes & Procedures

Operation & Administration Guidance and Procedures

Vulnerability Assessments

TESTING

Independent & Witnessed

Fully Documented & Repeatable

REPORTS

Lead to International Certification


Scope

Interviews

Full Documentation Review

Independent Testing

Witness of Developer Testing

Observation Reports When Required

Deliverables:

Security/Privacy Target or Protection Profile

Evaluation Technical Report

Certification Report (published by CSE, and recognized by NSA and other Certification Bodies)


Why should we care?

The CC are a flexible standard with a proven methodology already recognized in 16 countries that can be extended to include all privacy requirements

We need to deal with the complementary distinctions between privacy and security in a single, holistic standard

Need for credibility

Developers need formal standards


Decoding CC Terminology

Security Target (ST) or Protection Profile (PP) = Requirements Specification in CC Terms

Covers Privacy and Security “Functional Requirements” and “Assurance Requirements”

Things like: Environment, Threats, Security Objectives & Assumptions etc.

TOE = Target of Evaluation = IT product or system

CC Terminology (Cont’d)

Assurance Classes:

Configuration Management

Delivery & Operation

Development (including design)

Guidance Documentation (User & Administrator)

Life Cycle Support (at higher levels)

Tests

Vulnerability Assessment

Functional Classes: Many Types (product dependent & defined in ST)


What Do CC Evaluations Give Us?

Confidence & Trust in privacy and security characteristics of products and the processes used to develop and support them (full product life cycle)

Build official assurance arguments

Prove technologies are indeed privacy enhancing as claimed, using formal, independently verifiable and repeatable methods

Provide basis for international certification

Provide Certification Report

Differentiate products

Formally support demonstrable due diligence/care


How the Process Works

1. Privacy (and security) requirements for a technology and associated claims are precisely specified using the CC

2. Technology is built, documented and tested to these requirements

3. Technology is submitted to nationally accredited labs for evaluation against the standards

4. Evaluation is conducted under the oversight of national authority


Process (Continued)

5. Once vendor claims are proven, national authority confers certification and publishes a Certification Report

6. Results are internationally recognized under a Mutual Recognition Arrangement


How does the CC Currently Deal with Privacy?

Security and Assurance Requirements are Enablers for Privacy Enhancing Technologies

Currently CC are Insufficient for Privacy

Limited to only 4 Basic Areas of Privacy:

FPR_ANO Anonymity

FPR_PSE Pseudonymity

FPR_UNL Unlinkability

FPR_UNO Unobservability

Clearly these are insufficient to meet all of the privacy requirements


Requirements for Privacy Extensions

Different legislative requirements: Canada is a great place to start; then International

Regulatory requirements for different sectors, e.g. healthcare, financial, telcos etc.

Build on accepted standard Fair Information Practice Statements

Leverage Mature Privacy Models


Proposed Extensions (1/2)

Accountability

Identifying purposes

Inform (prior to consent)

Consent

Collection

Limiting linkability

Limiting collection

Proposed Extensions (2/2)

Limiting Use, Disclosure, Retention

Accuracy

Safeguards

Openness

Individual Access

Challenging Compliance


When?

Formal Privacy Functional Requirements for 2 of the Fair Information Practice Statements have already been done in a proof of concept demonstration, and results have been vetted by world-renowned privacy experts

Remaining FIPS and associated evaluation methodology can be done within 6-9 months

Initial standard will then be fully ready for use


What this Means

We are creating a robust and technically sound standard to allow and encourage technology developers to specify, build, document and test their solutions against formal requirements that are being vetted by world-leading privacy experts

Certification of Privacy Enhancing Technologies will require independent verification by accredited labs under national level oversight for credibility


Way Ahead

1. Finish the Development of the FPR Class of CC Part 2 Privacy Functional Requirements

Continue Process for remaining 9 FIPS

2. Define useful packages and comprehensive Protection Profiles and Privacy Targets

3. Develop Example/Sample Privacy Policy Statements

4. Evaluate and certify products

5. Go Global!

Questions?

Paul Zatychec

[email protected]

(613) 230.6067 ext 1227