Monday, June 3, 2019
Compare and Contrast TCSEC and CC: Information Technology Essay
To evaluate a computer system or product is to see whether it meets the security requirements, based on information security evaluation standards.

Trusted Computer System Evaluation Criteria (TCSEC) was the first computer security evaluation standard; it was published by the U.S. Department of Defense in 1985. TCSEC influenced other European countries, and very soon some countries developed their own security evaluation standards based on TCSEC.

In 1996, America, together with 5 European countries (UK, France, Germany, Netherlands and Canada), the NSA (National Security Agency) and NIST (National Institute of Standards and Technology), developed a new criterion called Common Criteria (CC). In 1999 Common Criteria (CC) was recognized by ISO and named ISO/IEC 15408-1999.

In this essay TCSEC and CC will be discussed, compared and contrasted to find out the similarities and differences, and the strengths of CC will be indicated.

The answers for the topic are based on research on relevant articles and journals, and most of the resources are from the internet. The materials are then analyzed and discussed.

The outline of the report is as follows:

Introduction - brief definition of the topic.
Background - explanation of TCSEC and CC.
Compare and contrast the two standards - describe the similarities and differences between the two standards and state the advantages of CC.

Some journals, articles and books are used in this report, which can be found in the references.

Background

This section discusses TCSEC and the evaluation classes of TCSEC.
It also describes CC, the Evaluation Assurance Levels of CC and the evaluation process.

TCSEC Evaluation Class              CC Assurance Levels
D   Lowest protections              EAL1  Functionally tested
C1  Discretionary Protection        EAL2  Structurally tested
C2  Controlled Access Protection    EAL3  Methodically tested and checked
B1  Labeled Security Protection     EAL4  Methodically designed, tested, reviewed
B2  Structured Protection           EAL5  Semi-formally designed and tested
B3  Security Domains                EAL6  Semi-formally verified design and tested
A1  Verified Protection             EAL7  Formally verified design and tested

Table 1 - Evaluation Class of TCSEC and Evaluation Assurance Level of CC

TCSEC is commonly called the Orange Book (the cover of the book is orange). TCSEC has 4 divisions and 7 evaluation classes. Each class contains security requirements and is used to determine the level of trust of a computer system.

The divisions of TCSEC are A, B, C and D, and the seven evaluation classes are D (lowest), C1, C2, B1, B2, B3 and A1 (highest). A is more secure than D, and 2 is more secure than 1 (see Table 1).

Level D: non-secure system. Level D only contains the D1 evaluation class. D1 is the lowest protection and only provides security protection for files and users. Level D can be applied to any system which has been evaluated but did not meet the requirements of a higher evaluation class.

Level C: discretionary protection. Level C provides audit trail protection and includes C1 and C2. C1 is discretionary security protection and is the lower class in Level C. C1 provides discretionary access control and is responsible for identification and authentication. C2 has all the security features of C1 and adds audit trail and access protection functions. C2 requires single-user log-in with a password and an audit trail system. C2 works through the log-in process, security events and resource isolation to increase access protection.

Level B: mandatory control.
There are 3 classes in Level B: B1, B2 and B3.

B1 has all the requirements of C2 and also has some new requirements: each object has a label which is under system control. It uses sensitivity labels as the basis of all access control and labels the objects which are imported into the system. When the system administrator adds a new communication channel or I/O mechanism, he has to manually assign a security level to the channel and mechanism. The system uses the user password to determine the user's access level and also uses audit to record any unauthorized access [13].

B2 has all the requirements of B1. Besides that, the B2 administrator must have a clear, documented security policy for the trusted computing base. B2 has some new security requirements: the system must immediately inform users of any changes between the user and the associated network, only the user is able to initiate communication in the trusted path, and the trusted computing base supports independent administrator and operator roles.

B3 has all the requirements of B2, but B3 has a stronger ability to monitor access and resist interference. A B3 system has to set the security of the administrator. The new security requirements for B3 are: provide a readable security list; some objects are not allowed to be accessed by certain users; the system has to provide a description of the users and identify the user before any operation; and the trusted computing base establishes a security audit trail for each labeled object [13].

Level A has the highest security. Level A only has the A1 class. A1 is similar to B3. A1 has these distinguishing features: the developer of a system must adopt a formal design specification to analyze the system. After analysis, the developer has to use validation technology to ensure that the system meets the design specifications.
The entire installation operation must be done by the system administrator, and each step has to be formally documented.

In TCSEC, to identify the security of a system and to give some assurance in it, the system has to meet the security requirements [14].

The TCSEC was replaced by CC. CC is a framework of mutually recognized evaluation criteria and contains 3 parts: security model, security functional requirements and security assurance requirements.

Security assurance components are the basis for the security assurance requirements, which are expressed in a Protection Profile (PP) or Security Target (ST) [15].

A Protection Profile is the security requirements of customers and a community of users for a class of Targets of Evaluation (TOE) [15]. A PP uses a template to express security requirements independently. This is useful when implementing a product line or a family of related products [7].

Protection Profiles copy the TCSEC security requirements of C2 and B1. Protection Profiles include a template of commercial security profile, firewall profiles which are used for packet filters and application gateways, smart card profiles, a database profile and a role-based control profile [16].

A Security Target consists of a collection of security requirements and is used to evaluate a computer system or product [7].

Figure 1 - The PP/ST specification framework [7]

Evaluation is the use of defined criteria to evaluate a computer system or IT product [16]. Figure 1 shows the specification framework for the Target of Evaluation.
The Common Criteria evaluation process starts by identifying a TOE (Target of Evaluation) and then taking as input an ST which describes the security functions of the TOE [16]; the TOE is a computer system or product. For the system to be judged secure, it should meet a set of security requirements or a protection profile [7].

Common Criteria provides a set of Evaluation Assurance Levels (EAL) from EAL1 (lowest) to EAL7 (highest), which are awarded to products and systems upon successful completion of evaluation (see Table 1). The Common Criteria has been adopted by ISO (No. 15408).

EAL1 - Functionally tested. EAL1 is for occasions where a certain confidence in correct operation is required; in these situations the security threats are not viewed as serious [7]. EAL1 provides evidence of testing and its documentation.

EAL2 - Structurally tested. EAL2 requires the developer's cooperation in delivering design information and test results, but should not demand more effort than is consistent with good commercial practice.

EAL3 - Methodically tested and checked. It allows a conscientious developer to obtain maximum assurance from correct security engineering at the design stage, without substantial changes to reasonable development practices.

EAL4 - Methodically designed, tested, reviewed. It allows developers to obtain maximum assurance from correct security engineering based on good and rigorous commercial development practice. This development practice does not need much specialist knowledge, skills or other resources. Where it is economically reasonable to retrofit an existing product line, EAL4 is the highest level that can be achieved [7].

EAL5 - Semi-formally designed and tested. It enables developers to obtain maximum assurance from security engineering based on rigorous commercial development practice.
It relies on the appropriate application of specialist security engineering techniques for support.

EAL6 - Semi-formally verified design and tested. It enables developers to gain a high level of assurance through the application of security engineering techniques in a rigorous development environment. This is to produce a costly TOE that protects high-value assets against significant risks [16].

EAL7 - Formally verified design and tested. It is applicable to the development of secure TOEs for use where the risk is very high, or where high-value assets justify the higher costs.

This section discussed TCSEC and CC and explained the evaluation classes of TCSEC, the Evaluation Assurance Levels of CC and the evaluation process. These discussions are important because they help to find the similarities and differences between TCSEC and CC. In the next section, TCSEC and CC will be compared and contrasted based on the above discussion.

Compare and contrast TCSEC and CC

This section will discuss the similarities and differences between the security standards based on the above description of TCSEC and CC. It will also state the strengths of CC and explain why CC is a relatively successful security evaluation standard.

Similarities

Even though TCSEC has been replaced by CC, they still have some similarities. Both are security evaluation standards that evaluate computer systems by security level classification, where each level has security requirements. Both provide confidentiality security functionality and evaluate computer operating systems.

Differences

Although CC has some similarities to TCSEC, the two are different.

TCSEC is only used in the U.S. In the beginning, TCSEC was intended to focus on independent computer systems, and it suits the evaluation of military operating systems. TCSEC does not include security criteria for open systems, and its criteria are for a static model.
TCSEC only considered protecting the system owner and operator and did not cover user security, especially the security of telecommunication system users. It also only considered confidentiality for the documents of the system owner and did not address integrity and availability. From Table 1 we see that TCSEC evaluation mixes security and functionality, so if any hardware or software is changed, the system has to be evaluated again.

CC, in contrast, is recognized by ISO and applies across nations. Compared with TCSEC, CC is more complete. Common Criteria focuses not only on operating systems but also on networks and databases. Common Criteria includes security criteria for open systems and criteria for a dynamic model. CC maintains system confidentiality, availability and integrity through the TOE's security specifications. CC separates security and functionality, so a change does not affect the evaluation.

The evaluation processes also differ. TCSEC checks whether a system is secure by applying the security requirements, which are classified by evaluation class. A Common Criteria evaluation uses Common Criteria to evaluate the product or computer system. The evaluation stages are Protection Profile evaluation, Security Target evaluation, TOE evaluation and assurance maintenance.

CC evaluates a system by first identifying a TOE and then developing a set of criteria against which the TOE is evaluated. At each step, more detailed information is added. For the system to be judged secure, it should meet a set of security criteria or a protection profile.

Finally, TCSEC has been superseded by CC. That means TCSEC was abandoned, while CC is still the current security evaluation standard.

The advantages of CC

From the above comparison of the differences between TCSEC and CC, we can point out that CC is a relatively successful security evaluation standard because it has some advantages.
CC is an international security standard, and many countries acknowledge the testing results.

CC focuses on security objectives and the related threats, and the evaluation process helps to enhance the confidentiality, availability and integrity of the system.

CC provides a detailed set of security criteria, and the details are easily understood by customers and suppliers. Customers can use them to determine the security level of products and also to work out their own security requirements, so that suppliers can design products for them and also use the criteria to identify the security features of their product or system.

Customers can trust the evaluation because the testing is done independently and not by the supplier.

In this section, the similarities and differences between TCSEC and CC have been discussed, and after comparison the advantages of CC have been indicated.

Conclusion

To sum up, through the discussion of the evaluation process and assurance levels of TCSEC and CC, we found the similarities and differences between the two standards and also the advantages of CC.

TCSEC was the first security standard; it defines 4 levels and 7 evaluation classes. Each evaluation class contains security requirements, and the requirements help to identify the security level of a system or product. TCSEC provides identification and authentication for users accessing system documents and also provides audit trail and access protection.

TCSEC evaluates systems or products by checking whether the system meets the security requirements.

TCSEC has been replaced by CC, and CC is an international security evaluation standard.

CC provides Protection Profiles and Security Targets, which are documents for specifying security requirements [2]. CC has 7 Evaluation Assurance Levels.

Because CC came from TCSEC, they have some similarities, but they are actually quite different. TCSEC only applies to operating systems and focuses on the demand for confidentiality.
CC has a full description of the security model, security concepts and security functionality.

Compared with TCSEC, CC has some advantages. The testing results are accepted across nations, and suppliers can design products for customers based on their requirements. CC maintains system confidentiality, availability and integrity. After comparison we can say that CC is a relatively successful security evaluation standard.
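
The cumulative structure of the TCSEC classes described in the Background section (each class keeps every requirement of the class below it, and D is what remains when nothing higher is met) can be shown as a short rating routine. This is an added example, not part of the original essay; the requirement names are shorthand for the essay's wording rather than the official Orange Book text, and the sample systems are constructed.

```python
# Added example. Requirement names are shorthand for the essay's description
# of each class, not the official Orange Book requirement list.
TCSEC_LADDER = [
    ("C1", {"discretionary_access_control", "identification_authentication"}),
    ("C2", {"user_login_password", "audit_trail", "resource_isolation"}),
    ("B1", {"sensitivity_labels", "labeled_import"}),
    ("B2", {"documented_tcb_policy", "trusted_path", "separate_admin_operator"}),
    ("B3", {"readable_security_list", "audit_per_labeled_object"}),
    ("A1", {"formal_design_specification", "design_validation"}),
]


def rate(features):
    """Return (class achieved, (next class, missing requirements) or None)."""
    features = set(features)
    achieved = "D"  # D: evaluated, but no higher class was met
    for name, added in TCSEC_LADDER:
        missing = added - features
        if missing:
            # Classes are cumulative: the first gap stops the climb,
            # whatever higher-class features the system also has.
            return achieved, (name, sorted(missing))
        achieved = name
    return achieved, None


# Constructed sample systems.
C1 = {"discretionary_access_control", "identification_authentication"}
C2 = C1 | {"user_login_password", "audit_trail", "resource_isolation"}
SYSTEMS = {
    "dac_only": {"discretionary_access_control"},
    "labels_without_audit": (C2 - {"audit_trail"})
    | {"sensitivity_labels", "labeled_import"},
    "labeled_system": C2 | {"sensitivity_labels", "labeled_import"},
}

if __name__ == "__main__":
    for name, features in SYSTEMS.items():
        print(name, rate(features))
```

The second sample system has B1-style labels but no audit trail, so it stops at C1: a higher-class feature does not compensate for a gap lower down the ladder.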