Deriving security for mixed IT system architectures from evaluated products


We will present an analysis of the potential implications that the assembly of a larger system from a combination of Common Criteria evaluated products and non-evaluated products introduces. Such a system is typically networked and comprised of hardware, firmware, and multiple layers of software, such as operating systems, specialized applications (like an access control framework), and generic applications (for example a web server). We will show an approach for determining the overall security level that such a system can provide in terms of protecting information assets within the system. This includes discussing the significance of evaluation results for the security functions of the individually evaluated products in the larger context of a system exceeding the original evaluation scope, and examining which claims with regard to aspects such as usability and reliability of these security functions can be made in this context. Potential and likely threats that arise from the combination of non-evaluated products with evaluated products, and from the combination of individually evaluated products for both the evaluated security functions and the overall security of the system will be discussed. Strategies to reduce such threats by intelligent system architectures that either mitigate the overall threat or limit it to certain components of the system will be given.

The discussion will be applied to an example scenario. The presentation aims to illustrate a rather complete set of aspects that must be considered when creating heterogeneous systems by combining individual products with different assurance levels. It will provide an introduction to these issues and present possible strategies to address them as a means to increase consumer awareness and to stimulate further discussion and research of the individual areas within the professional community.