Information Security News mailing list archives
Orange Book is Dead
From: Marjorie Simmons <lawyer () carpereslegalis com>
Date: Mon, 22 Jan 2001 08:20:05 -0500
(excerpt from the January 18, 2001 issue of Security Wire Digest and Information Security magazine)

The article concludes with the following piece of insight as to why corporate America is paying about as much interest in the CC as it did to the TCSEC:

'The fault doesn't lie within the CC; rather, it reflects the reality that any attempt to both quantify and standardize present-day information security is a digital violation of the Heisenberg uncertainty principle in quantum mechanics. Just as the position and momentum of an electron can't be measured simultaneously, neither can information security be both codified and standardized. Unfortunately, infosec changes far too quickly to be etched in stone. In this dynamic environment, it's only a matter of time before we ask, "When shall we hold a wake for the Common Criteria?"'

========================

3. SECURITY PERSPECTIVES

THE ORANGE BOOK IS DEAD, LONG LIVE THE COMMON CRITERIA?
By Ben Rothke

A wake was held at the Computer Security Applications Conference in December, but don't think it was a gloomy event, as music played and spirits flowed. It was not for a person; rather, this send-off was for the Orange Book, a security standard that was recently pronounced dead (though some would argue it had been lifeless since conception).

The Orange Book, officially titled the Trusted Computer Standards Evaluation Criteria (TCSEC), was the most noteworthy part of the Rainbow Series (http://www.radium.ncsc.mil/tpep/library/rainbow) of security standards developed by the U.S. Department of Defense in the early 1980s. It defined seven security levels for trusted hardware, software and data components of a system, namely:

1. Verified design, which demands the highest level.
2. Formal security verification methods to ensure that security controls can protect classified and other sensitive information.
3. Mandatory protection, specifying that the Trusted Computer Base (TCB) protection systems should be mandatory, not discretionary.
4. Discretionary protection, which applies to the TCB with optional object (e.g. file, directory, devices) protection.
5. Minimal protection, reserved for systems that have been evaluated, but have failed to meet the requirements for a higher evaluation class (operating systems such as MS-DOS and Windows 95/98 fall into this category).

The Orange Book's noble goal was to provide a level of measurement and guidance in designing secure systems. So why did corporate America turn a blind eye to it? Some of the reasons include:

--Information security standards are inherently difficult to create. Imagine thousands of companies from scores of different sectors, all with different needs, attempting to formulate a common security framework.
--It was designed for government installations, not corporate networks. The security threats, vulnerabilities and requirements of the government and military are radically different from those of corporate America.
--It's based on the 1973 Bell-LaPadula model, which was the first mathematical model of a multilevel secure computer system. Such formal systems simply don't scale well in corporate environments because they don't really address many day-to-day security concerns outside the military sphere. The most significant flaw is the omission of a solidly defined initial secure state and problems with the concept of what exactly constitutes a user.
--The Orange Book, expressly designed for standalone systems, was doomed by the advent of client-server computing. With today's systems connecting users to varied intranets, extranets and the Internet, a standalone host in today's world offers a lot of security, but little functionality.

Seeing the deficiencies in the Rainbow Series (and the fact that most government facilities failed to implement them), the DoD made several attempts over the years to update the standards, but they never got beyond an initial draft. At that point, the designers forgot W.C. Fields' adage "If at first you don't succeed, quit. There's no use being a damn fool about it." Ignoring this pearl of wisdom, the National Institute of Standards and Technology (NIST) joined forces with their counterparts at the European Commission (http://europa.eu.int/comm/index_en.htm) and entered into the Common Criteria (CC) Initiative (http://www.commoncriteria.org) in 1993.

The CC is collectively an ISO, based on the European Information Technology Security Evaluation Criteria. Officially started in 1993, the CC was designed to bring security standardization efforts together into a single international standard. Providing a general model of assessment by defining general concepts and principles of security evaluation, it also presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems.

Despite all of the interest that the CC is garnering in the government sector, corporate America is still ignoring it. What does the CC offer that the Orange Book didn't? In truth, not much--certainly nothing that is persuading corporate America to embrace it. The CC, like the Orange Book, is heavy on generalities, but light on specifics. If you want to know how to securely deploy H.323 applications on a Cisco PIX, or how to configure a Microsoft proxy server to interoperate with Check Point's FW-1, don't look to the CC.

. . . .

Marjorie Simmons, Esq.
lawyer () carpereslegalis com
http://www.carpereslegalis.com
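As an added illustration (not part of the post or of the article it quotes) of the distinction the article draws between mandatory and discretionary protection, the following Python models the Bell-LaPadula mandatory rules layered over a discretionary ACL and checks whether a system's starting state is itself secure, the gap the article points out. The levels, compartments, subjects and objects are constructed sample data.

```python
from dataclasses import dataclass

# Hierarchical levels; compartments (need-to-know categories) form a set, giving a lattice.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass
class Obj:
    label: Label   # mandatory label, assigned by the system, not by the owner
    acl: dict      # discretionary layer: subject name -> set of allowed modes

def mac_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula: simple security (no read up) and *-property (no write down)."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")

def access(subject_name: str, subject: Label, obj: Obj, mode: str) -> bool:
    """Mandatory check first; the discretionary ACL can only narrow what MAC permits."""
    return mac_allows(subject, obj.label, mode) and mode in obj.acl.get(subject_name, set())

def initial_state_secure(open_accesses, labels) -> bool:
    """BLP argues security inductively from a secure start, so verify the start explicitly."""
    return all(mac_allows(labels[s], labels[o], m) for s, o, m in open_accesses)

# Constructed sample: two subjects, two objects.
ALICE = Label("SECRET", frozenset({"CRYPTO"}))
BOB = Label("CONFIDENTIAL")
DOC = Obj(Label("SECRET", frozenset({"CRYPTO"})), {"alice": {"read", "write"}, "bob": {"read"}})
MEMO = Obj(Label("UNCLASSIFIED"), {"alice": {"read", "write"}, "bob": {"read", "write"}})
LABELS = {"alice": ALICE, "bob": BOB, "doc": DOC.label, "memo": MEMO.label}

if __name__ == "__main__":
    print(access("bob", BOB, DOC, "read"))        # False: ACL grants it, MAC forbids read up
    print(access("alice", ALICE, MEMO, "write"))  # False: no write down, whatever the ACL says
    print(initial_state_secure([("alice", "memo", "write")], LABELS))  # False: unsafe start
```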