In my first blog, I pointed out that although it’s a good idea, Common Criteria is expensive, not widely adopted beyond government, and could be improved by transforming to Protection Profiles for enterprise security management. Today the industry is on its way to doing just that – transforming Common Criteria.
The core of the problem with Common Criteria when it comes to enterprise security management (ESM) is that there is nothing “common” about it. Each time we or any other vendor wants our products evaluated, we must rewrite a custom security target or requirements document.
Protection Profiles are what the industry is moving toward to simplify and reduce the cost of the Common Criteria process. Protection Profiles establish a set of standard features one would expect to find in a certain product. Call it a requirements document, if you want. These would allow government agencies to compare apples to apples and make better informed decisions when acquiring products. Today under Common Criteria, comparisons in the ESM space are not as straightforward because each product has its own security target document.
If Protection Profiles existed for ESM now, at least 64 products from CA, IBM, EMC, Oracle, Symantec, and Microsoft would be compliant. At the 10th International Common Criteria conference in Tromso, Norway, I gave a talk with Booz Allen Hamilton that laid out the plan to develop this new family of “Protection Profiles” for Enterprise Security Management. The plan was lauded by the Common Criteria Development Board (CCDB) as the community-based approach they wanted other technology types to follow to update and build out these new standards. Since this project started, a similar team was formed to update the Firewall Protection Profile.
This month I participated in the Common Criteria Vendor Forum meeting with the Common Criteria Development Board at the 2010 RSA Conference. I presented how we are leading a team of ESM Vendors in an effort to build out Protection Profiles to close the gap for Enterprise Security Management products.
We just kicked off the Global Threat Analysis portion of the project. A survey will be distributed worldwide to determine the priorities for this new standard. Participants are the government agencies that buy our software. The primary goal of the survey is to get our customers to set the priority among the six technology types in the ESM space: Access Control, Centralized Policy Management and Distributed Enforcement, Identity Management, Data Loss Prevention, and Log Collection.
In my next blog I’ll present the results of the survey and announce which technology the team will focus on for the first ESM Protection Profile, which we hope to publish by the end of the year.