
Friday, March 29, 2019

Compare And Contrast Tcsec And Cc Information Technology Essay

To evaluate a computer system or product is to consider whether it meets the security requirements based on the information security system evaluation standards. Trusted Computer System Evaluation Criteria (TCSEC) was the first computer security evaluation standard, published by the U.S. Department of Defense in 1985. TCSEC influenced other European countries and very soon some countries built on TCSEC to develop their own security evaluation standards. In 1996, the United States combined with 5 European countries (UK, France, Germany, Netherlands and Canada) and NSA (National Security Agency) and NIST (National Institute of Standards and Technology) developed a new criterion which was called Common Criteria (CC). In 1999 Common Criteria (CC) was recognized by ISO and named ISO/IEC 15408-1999.

In this essay TCSEC and CC will be discussed, compared and contrasted to find out the similarities and differences, and the strengths of CC will be indicated. The answers for the topic are based on research on relevant articles and journals, and most of the resources are from the internet. The materials are then analyzed and discussed.

The outline of the report is as follows:
Introduction - brief definition of the topic.
Background - explanation of TCSEC and CC.
Compare and contrast the two standards - describe the similarities and differences between the two standards and state the advantages of CC.
Some journals, articles and books are used in this report which can be found in the references.

Background

This section discusses TCSEC with the evaluation classes of TCSEC.
It also describes the CC, the evaluation assurance levels of CC and the evaluation process.

Table 1 - Evaluation Classes of TCSEC and Evaluation Assurance Levels of CC

TCSEC Evaluation Class                 | CC Assurance Level
D   Lowest Security Protection         | EAL1  Functionally tested
C1  Discretionary Security Protection  | EAL2  Structurally tested
C2  Controlled Access Protection       | EAL3  Methodically tested and checked
B1  Labeled Security Protection        | EAL4  Methodically designed, tested, reviewed
B2  Structured Protection              | EAL5  Semi-formally designed and tested
B3  Security Domains                   | EAL6  Semi-formally verified design and tested
A1  Verified Protection                | EAL7  Formally verified design and tested

TCSEC is commonly called the Orange Book (the cover of the book is orange). TCSEC has 4 divisions and 7 evaluation classes. Each class contains security requirements and it is used to determine the level of trust of a computing system. The divisions of TCSEC are A, B, C, D and the seven evaluation classes are D (lowest), C1, C2, B1, B2, B3 and A1 (highest). A is more secure than D, and 2 is more secure than 1. (See Table 1)

Level D: Non-secure system. Level D only contains the D1 evaluation class. D1 is the lowest protection and only provides protection for files and users. Level D can be applied to any system which has been evaluated but did not meet the higher evaluation class requirements.

Level C: Discretionary protection. Level C provides audit trail protection and Level C includes C1 and C2. C1 is discretionary security protection and it is the lower class in Level C. C1 provides discretionary access control and it has the responsibility for identification and authentication. C2 has all the security features of C1 and adds the functions of audit trail and access protection. C2 requires single-user log-in with password and an audit trail system.
C2 combines the log-in process, security events and resource isolation to strengthen access protection.

Level B: Mandatory control. There are 3 classes in Level B and they are B1, B2 and B3. B1 has all the requirements of C2 and it also has some new requirements: each object has a label which is under system control. It uses sensitivity labels as the basis of all access control and labels the objects which will be imported into the system. When the system administrator adds a new communication channel or I/O mechanism, he has to manually assign a security level to the channel and mechanism. The system uses the user password to determine the user access level and it also uses audit to record any unauthorized access [13]. B2 has all the requirements of B1. Besides that, the B2 administrator must have a clear and documented form of security policy for the trusted computing base. B2 has some new security requirements: the system must immediately inform of any changes between a user and the associated network, only the user is able to initiate communication on the trusted path, and the trusted computing base supports separate administrator and operator roles. B3 has all the requirements of B2, but B3 has a stronger ability to monitor access and resist interference. A B3 system has to define the security role of the administrator. The new security requirements for B3 are: provide a readable security list, some objects are not allowed for certain users to access, the system has to provide a description of the users and identify the user before any action, and the trusted computing base establishes a security audit trail for each labeled object [13].

Level A has the highest security. Level A only has the A1 class. A1 is similar to B3. A1 has the distinctive feature that the developer of the system must adopt a formal design specification to analyze the system. After analysis, the developer has to use verification technology to ensure that the system meets the design specification. The entire installation and implementation must be done by the system administrator and each step has to provide formal documentation. In TCSEC, to identify the security of a system and to give some assurance to it, the system has to meet the security requirements [14].

The TCSEC was replaced by CC. CC is a set of mutually recognized evaluation criteria and it contains 3 parts: the security model, security functional requirements and security assurance requirements. Security assurance components are the basis for the security assurance requirements and they are expressed in a Protection Profile (PP) or Security Target (ST) [15]. A Protection Profile is the security requirements of clients and a community of users for a class of Targets of Evaluation (TOE) [15]. A PP uses a template to express security requirements independently. This is useful when implementing a product line or a family of related products [7]. Protection Profiles copy the TCSEC security requirements of C2 and B1. Protection Profiles include a template for a commercial security profile, firewall profiles which are used for packet filters and application gateways, smart card profiles, a database profile and a role-based access control profile [16]. A Security Target consists of a collection of security requirements and is used to evaluate a computer system or product [7].

Figure 1 - The PP/ST specification framework [7]

Evaluation is the use of defined criteria to evaluate a computer system or IT product [16]. Figure 1 shows the specification framework for the Targets of Evaluation.
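To make the C2 and B1 requirements concrete (discretionary access control with an audit trail versus system-controlled sensitivity labels, the two classes the text says the early Protection Profiles copied), here is an added Python model of a toy reference monitor. It is not code from the essay or from either standard; the level names, the subjects alice/bob/carol and the file are constructed for the example.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels for B1-style mandatory labels (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class Obj:
    name: str
    owner: str
    label: str                              # B1: label assigned and controlled by the system
    acl: set = field(default_factory=set)   # C2: discretionary read grants made by the owner


@dataclass
class Subject:
    name: str
    clearance: str


class ReferenceMonitor:
    """C2-style discretionary check with audit trail; B1 adds a mandatory label check."""

    def __init__(self, mandatory: bool):
        self.mandatory = mandatory
        self.audit = []   # C2 requires every access decision to be recorded

    def can_read(self, s: Subject, o: Obj) -> bool:
        # C2: discretionary access - the owner, or a user the owner explicitly granted
        allowed = s.name == o.owner or s.name in o.acl
        reason = "dac"
        if allowed and self.mandatory:
            # B1: no read up - the subject's clearance must dominate the object's label,
            # and the owner's grant cannot override the system-controlled label
            allowed = LEVELS[s.clearance] >= LEVELS[o.label]
            reason = "mac"
        self.audit.append((s.name, o.name, "READ", "ALLOW" if allowed else "DENY", reason))
        return allowed


def scenario():
    """Constructed case: alice shares a SECRET file with bob, who holds only CONFIDENTIAL clearance."""
    alice, bob, carol = Subject("alice", "SECRET"), Subject("bob", "CONFIDENTIAL"), Subject("carol", "SECRET")
    report = Obj("report.txt", owner="alice", label="SECRET", acl={"bob"})
    c2, b1 = ReferenceMonitor(mandatory=False), ReferenceMonitor(mandatory=True)
    return {
        "c2_bob": c2.can_read(bob, report),      # C2 honours the discretionary grant
        "c2_carol": c2.can_read(carol, report),  # no grant, so denied even with high clearance
        "b1_bob": b1.can_read(bob, report),      # B1 overrides the grant: no read up
        "b1_alice": b1.can_read(alice, report),  # owner with dominating clearance
        "b1_denials": sum(1 for e in b1.audit if e[3] == "DENY"),
    }
```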
The Common Criteria evaluation process starts from identifying a TOE (Target of Evaluation), and then inputs an ST which describes the security functions of the TOE [16]; an example of a TOE is a computer system or product. To see if the operation of the system is secure, it should meet a set of security requirements or a protection profile [7]. Common Criteria provides a set of Evaluation Assurance Levels (EAL) from EAL1 (lowest) to EAL7 (highest), and a level will be awarded to products and systems upon successful completion of evaluation (see Table 1). The Common Criteria is adopted by ISO (No. 15408).

EAL1 - Functionally tested. EAL1 is applicable where some confidence in correct operation is required, and the security threats are not viewed as serious [7]. EAL1 provides the evidence of testing and its documentation.

EAL2 - Structurally tested. EAL2 requires the cooperation of the developer in delivering design information and test results, but does not demand much effort beyond consistent good commercial practice.

EAL3 - Methodically tested and checked. Without substantial changes to reasonable development practices, it allows a conscientious developer to obtain maximum assurance during the design phase from correct security engineering.

EAL4 - Methodically designed, tested, reviewed. It allows the developers to obtain maximum assurance from correct security engineering, where the security engineering is based on good and rigorous commercial development practice. This development practice does not consume much specialist knowledge, skills or other resources. Under reasonable economic conditions, and when retrofitting an existing product line, EAL4 can achieve the highest level of result [7].

EAL5 - Semi-formally designed and tested. It enables the developers to obtain maximum security from the security engineering. The security engineering is based on a rigorous commercial development practice.
It relies on the appropriate application of specialist security engineering techniques for support.

EAL6 - Semi-formally verified design and tested. It enables the developers to gain a high level of assurance with the application of security engineering techniques and a rigorous development environment. This is to produce a costly TOE to protect high-value assets against significant risks [16].

EAL7 - Formally verified design and tested. It is applicable to secure TOE development and it applies to situations where the risk is very high, or where high-value assets justify the higher costs.

This section discussed TCSEC and CC, and explained the evaluation classes of TCSEC, the evaluation assurance levels of CC and the evaluation process. Those discussions are very important as they help to find out the similarities and differences between TCSEC and CC. In the next section, TCSEC and CC will be compared and contrasted based on the above discussion.

Compare and contrast TCSEC and CC

This section will discuss the similarities and differences between the two security standards based on the above description of TCSEC and CC. It will also state the strengths of CC and explain why CC is a relatively successful security evaluation standard.

Similarities

Even though TCSEC has been replaced by CC, they still have some similarities. Both of them are security evaluation standards and evaluate computer systems by security level classification, and each level has security requirements. Both of them provide confidentiality security functionality and evaluate computer operating systems.

Differences

Although CC has some similarities to TCSEC, the two are different. TCSEC is only used in the U.S. In the beginning, it was proposed that TCSEC was to focus on standalone computer systems and it suited the evaluation of military operating systems. TCSEC does not include security criteria for open systems and it is the criteria for a static model.
TCSEC just considered protecting the system owner and operator but did not cover the user security area, especially the security of telecommunication system users. It also only considered confidentiality for the documents of the system owner and it did not address integrity and availability. From Table 1 we see that the evaluation of TCSEC mixes security and functionality. So if any hardware or software is changed, the system has to be evaluated again.

But CC is recognized by the ISO organization and it applies across nations. Compared with TCSEC, CC is more complete. Common Criteria does not only focus on operating systems but also on networks and databases. Common Criteria includes security criteria for open systems and the criteria for a dynamic model. CC keeps system confidentiality, availability and integrity through the TOE's security specifications. CC separates security and functionality, so a change does not affect the evaluation.

The evaluation process of the two is also different. TCSEC checks a system to see if it is secure by using the security requirements which are sorted by evaluation class. In a Common Criteria evaluation, the Common Criteria are used to evaluate the product or computer system. The evaluation stages are Protection Profile evaluation, Security Target evaluation, TOE evaluation and assurance maintenance. CC evaluates a system starting from identifying a TOE, and then developing a set of criteria for the TOE for evaluation. For each step, detailed information will be added. To get to know if the system is secure, it should meet a set of security criteria or a protection profile. Finally, TCSEC has been substituted by CC. That means TCSEC was abandoned but CC is still the ongoing security evaluation standard.

The advantages of CC

From the above comparison of the differences between TCSEC and CC, we can point out that CC is a relatively successful security evaluation standard because CC has some advantages.
CC is an international security standard and many countries acknowledge the testing result. CC focuses on security objectives and the related threats, and the evaluation process helps to raise the confidentiality, availability and integrity of the system. CC provides a set of security criteria in detail and the criteria details are easily understood by customer and supplier. Customers can use them to determine the security level of the products and also to find out their own security requirements, so that suppliers can design products for them; suppliers can also use them to identify their product or system security features. Customers can trust the evaluation because the testing is done independently and not by the supplier.

In this section, the similarities and differences between TCSEC and CC have been discussed and, after comparison, the advantages of CC have been indicated.

Conclusion

To sum up, through the discussion of the evaluation process and assurance levels of TCSEC and CC, we found out the similarities and differences between the two standards and also the advantages of CC. TCSEC was the first security standard and it defines 4 levels and 7 evaluation classes. Each evaluation class contains security requirements, and using the requirements helps to identify the security level of the system or product. TCSEC has provided identification and authentication for users to access system documents and also provides audit trail and access protection. TCSEC evaluates systems or products by checking the security requirements to see if the system meets them. TCSEC has been replaced by CC, and CC is an international security evaluation standard. CC provides Protection Profiles and Security Targets, which are documents for specifying security requirements [2]. CC has 7 Evaluation Assurance Levels. Because CC came from TCSEC, they have some similarities, but actually they are quite different. TCSEC only applies to operating systems and it focuses on the demand for confidentiality.
CC has a full description of the security model, security concepts and security functionality. Compared with TCSEC, CC has some advantages. The testing result is recognized by many nations, and suppliers can design products for customers based on their requirements. CC keeps system confidentiality, availability and integrity. After comparison we can say that CC is a relatively successful security evaluation standard.
