The Daily Digest

Highlights from Day Two

Keynote

Chair of the Common Criteria Users Forum Alicia Squires gave an uplifting speech about the progress and importance of the CCUF. Officially formed in 2012, the CCUF now represents 25 nations with upwards of 400 members. Squires touched upon a number of accomplishments the forum has achieved, including expanding its web presence, liaising with CC leadership and forming a number of working groups to help solve the various challenges the CC community faces. Some of the issues the CCUF groups are looking at include marketing the CC, exploring the lifecycle of Technical Communities and figuring out how to do repeated, structured vulnerability testing. Collectively, the contributions of the CCUF give a voice to members of the CC community that haven't always had a seat at the table, Squires noted.

"We have come a long way from the formation of the Common Criteria Vendors' Forum back in 2004," Squires said, noting that the group is open to all interested parties. The progress is encouraging, but "we have only scratched the surface," Squires said.

Some of the goals she articulated for the CCUF include:

  • Increasing the involvement of end users
  • Increasing the number of active participants among the CCUF membership
  • Convincing skeptical parties that the CCUF is worth their time
  • Letting the CCUF oversee the progress of Technical Communities being established
  • Igniting the interest of scheme leaders to leverage the talent within the CCUF

In addition to substantive tasks, Squires raised some administrative issues the CCUF must consider. As the organization grows, it may need to become a nonprofit for structural and financial reasons, she noted. But as of today the CCUF is not pursuing that path.

Related Takeaways

Throughout the conference, a number of attendees have talked about the significance of the CCUF. Here are some of the highlights:

  • "The user forum has given us a platform for everybody to give their input," said Nithya Rachamadugu, a director at Cygnacom.
  • This group has fostered dialogue between different actors in this space that otherwise don't communicate enough, said Murray Donaldson of Innovative Intelligent Information Management. He also noted that it's housing technical discussions that aren't getting enough attention elsewhere.
  • "The more voices, the better solutions we are getting," said Matthew Keller, a consultant with Corsec. The CCUF will also play a role in helping to clarify the new vision and helping to disseminate it, he said.

Panel on Marketing CC

Believe it or not, the morning panel on marketing CC featured conversation about tigers, Starbucks and an octopus. No, the discussion was not co-opted by the nearby Orlando attractions; these references were used in examples and analogies as the panel focused on what the CC community can do to hone its brand and sell it to the broader information security ecosystem. Mark Loepker, CC Executive Subcommittee Chair and US Scheme Director (NIAP), moderated a discussion with four industry experts on identifying the core value proposition of CC, developing messaging around it, and spreading the word. The panel also underscored that the CC experience itself must be good in order to succeed at promoting it.

Part of the challenge with marketing CC, the panelists noted, is that the value proposition and the messaging need to be tweaked depending on the audience being targeted. Eric Winterton of Booz Allen Hamilton suggested the value boils down to boosting security performance through "independent third party evaluation." Generating talking points and figuring out how best to disseminate them are tasks Winterton is helping to undertake as the leader of a group on marketing CC.

The panelists, with the help from the audience members, came up with a number of actionable items.

  • Private companies should tap the expertise of their marketing departments for help
  • Make the ICCC conference friendlier to the end user
  • Identify other ways to get the end user more involved
  • Publicize CC at widely attended industry events such as RSA, and ask major industry players to help give a voice to CC at such conferences
  • Improve the content on existing CC-related websites; it should be more accessible to the uninformed
  • Add CC-related information to other appropriate websites that receive a lot of web traffic

Ultimately, the panelists said, the CC community must proceed along dual tracks: shepherding the standards to a level that can meet the demands of the modern security climate, and marketing them effectively.

Afternoon Takeaways

  • Dag Stroman offered insights into developing Protection Profiles based on Sweden's work in the space. At the beginning of the process, Sweden realized "from the first sentence to the last" the whole PP "has to be established in an open group," Stroman said. Otherwise a lot of time will be wasted going over the same issues in separate forums, he noted. The move toward PPs, he said, is one that embraces a market-oriented approach instead of a regulatory one.
  • Using ePassport technology as an example, Igor Fugel of T-Systems spoke to attendees about creating a slim and comprehensive PP. In the big picture, the development of PPs is "good news," Fugel said. However, some challenges remain to bridge the theories of PPs to a "working praxis ensuring comprehensive and clearness."
  • Kim Frawley Braun and Greg Lague of EWA-Canada, a systems engineering company, gave a mixed review to using cPPs. Braun articulated some of the benefits, noting that cPPs save time by reducing the amount of evidence needed. In one example she noted that it wouldn't be necessary to configure a management document or conduct a site visit. On the other hand, Lague noted, the new system has created some logjams in other places. The developer has more responsibilities than ever before to verify that their product can meet the required assurances before the evaluation starts, he said. Therefore, he noted, communication between the lab and documentation consultants will be key before evaluation starts.
  • Matthias Intemann of Germany's Federal Office for Information Security shared his experience working on the Operating System Protection Profile and its community. What happened in this case, Intemann noted, can be seen as the starting point of a new era. Some choices, he said, were dictated by politics rather than customer needs. Not everything worked out, but out of it came some valuable lessons. Two pieces of advice from Intemann: make sure customers understand the changes and help them through the update phase; and maintain the protection profiles that are being developed.
  • Ahmad Dahari Jarno of Malaysia gave an inside look at the country's effort to produce PPs for an Internet banking app. Malaysia has formed four PP working groups, one of which is on an Internet banking app. The process includes developing a list of specifications and requirements that supports the government's objectives to buy local. Jarno and his colleagues have been working on the project for the better part of a year, and are struggling now to decide whether they need to hire a CC consultant or "experience the hardship of writing PP as a CC document."
  • Michael Grimm of Microsoft led a session reporting on the progress of the Supply Chain Technical Working Group formed in 2012. This group is motivated by the need to increase visibility and transparency into IT product supply chains in order to mitigate the threats of counterfeit or tainted products or components. One of the challenges is to satisfy the requirements of, and speak the professional languages of, two audiences: IT security specialists and supply chain specialists. Lessons already learned were shared, including a recommendation that the CCDB consider developing a guide on how to create an acceptable Supporting Document.

Awards

Countries awarded certificates to industry over a dinner celebration at Margaritaville.

Australia

  • Cisco (2)
  • Juniper

Canada

  • NetApp
  • Juniper
  • Solera Networks
  • McAfee

France

  • Gemalto (10)
  • Samsung Electronics
  • Athena Smartcard Solutions (4)
  • Trusted Labs*
  • Blue Coat Systems*

Germany

  • IBM
  • NXP Semiconductors
  • Infineon Technologies
  • gateProtect
  • LANCOM Systems
  • Atos IT Solutions & Services
  • SUSE Linux Products
  • MaskTech International
  • atsec information security*
  • SRC Security Research & Consulting*
  • TÜV Informationstechnik*

Japan

  • Renesas Electronics
  • Ricoh (8)
  • Canon (5)
  • ECSEC*

Malaysia

  • Tecforte
  • Reisetech (M)
  • Radmik Solutions
  • AEP Networks
  • IBM
  • Juniper (2)
  • EA Link System
  • CSM MySEF*
  • BAE Detica Lab*

Netherlands

  • NXP Semiconductors (BUI) (5)
  • Sony (2)
  • Safenet

Norway

  • Good Technology
  • Huawei Technologies

Republic of Korea

  • KOMSCO
  • Samsung SDS
  • Wins Technet
  • AhnLab
  • TTA*
  • KTL*
  • AhnLab*

Spain

  • ASELSAN
  • Oberthur Technologies (4)
  • Huawei Technologies (2)
  • Watchdata Technologies
  • KONA I Co. (2)
  • Elitecore Technologies
  • SOMA
  • Epoche and Espri*
  • Oberthur Technologies*
  • APPLUS*
  • Elitecore Technologies*

Turkey

  • TÜBİTAK BİLGEM UEKAE (3)
  • RIOREY
  • SISOFT Healthcare Information Systems
  • Turkish Ministry of Finance - Revenue Admin
  • TÜBİTAK BİLGEM UEKAE*
  • CygnaCom Solutions*
  • SISOFT Healthcare Information Systems*

United Kingdom

  • Citrix Systems (3)
  • Oberthur Technologies
  • Secure Electrans
  • Adder Technology
  • Black Box Corp.
  • Oberthur Technologies*
  • CGI Global IT Security Labs*

United States

  • Check Point Software Technologies (3)
  • RioRey
  • eIQNetworks
  • SolarWinds Worldwide
  • Microsoft
  • Xerox (2)
  • CygnaCom Lab*
  • SAIC Lab*
  • CSC STCL*

* Indicates lab certificates; a number in parentheses is the count of certificates awarded.