Protection Profile
A Protection Profile is a document used as part of the certification process according to the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.

A PP specifies generic security evaluation criteria to substantiate vendors' claims of a given family of information system products. Among others, it typically specifies the Evaluation Assurance Level (EAL), a number 1 through 7, indicating the depth and rigor of the security evaluation, usually in the form of supporting documentation and testing, that a product meets the security requirements specified in the PP.

The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have agreed to cooperate on the development of validated U.S. government PPs.

Purpose

The purpose of a PP is to state a security problem rigorously for a given collection of systems or products, known as the Target of Evaluation (TOE), and to specify security requirements to address that problem without dictating how these requirements will be implemented. A PP may inherit requirements from one or more other PPs.

In order to get a product evaluated and certified according to the CC, the product vendor has to define a Security Target (ST) which may comply with one or more PPs. In this way a PP may serve as a template for the product's ST.

Problem Areas

Although the EAL is easiest for laymen to compare, its simplicity is deceptive because this number is rather meaningless without an understanding of the security implications of the PP(s) and ST used for the evaluation. Technically, comparing evaluated products requires assessing both the EAL and the functional requirements. Unfortunately, interpreting the security implications of the PP for the intended application requires very strong IT security expertise. Evaluating a product is one thing, but deciding if some product's CC evaluation is adequate for a particular application is quite another. It is not obvious what trusted agency possesses the depth in IT security expertise needed to evaluate the systems applicability of Common Criteria evaluated products.
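The following added example (not part of the original article) models the relationships described under Purpose and Problem Areas: a PP that inherits requirements from another PP, STs that claim compliance with it, and a comparison in which the product with the higher EAL covers fewer functional requirements. The PP names, the products, and the rule that an inherited EAL is the maximum along the chain are assumptions of this simplified model; the SFR identifiers are component names from CC Part 2.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PP:
    name: str
    eal: int                 # EAL the PP specifies
    sfrs: frozenset          # security functional requirements
    inherits: tuple = ()     # names of PPs this PP inherits from

@dataclass(frozen=True)
class ST:
    product: str
    eal: int
    sfrs: frozenset
    claims: tuple            # names of PPs the ST claims to comply with

def effective_requirements(name, catalog, _seen=None):
    """Return (eal, sfrs) for a PP including everything it inherits."""
    seen = set() if _seen is None else _seen
    if name in seen:         # guard against circular inheritance
        return 0, frozenset()
    seen.add(name)
    pp = catalog[name]
    eal, sfrs = pp.eal, set(pp.sfrs)
    for parent in pp.inherits:
        p_eal, p_sfrs = effective_requirements(parent, catalog, seen)
        eal = max(eal, p_eal)    # assumption: strictest EAL in the chain wins
        sfrs |= p_sfrs
    return eal, frozenset(sfrs)

def conformance_gaps(st, catalog):
    """Map each claimed PP to the requirements the ST fails to meet."""
    gaps = {}
    for name in st.claims:
        eal, sfrs = effective_requirements(name, catalog)
        missing = sorted(sfrs - st.sfrs)
        if st.eal < eal:
            missing.append(f"EAL{eal} required, ST states EAL{st.eal}")
        if missing:
            gaps[name] = missing
    return gaps

# Constructed sample data: hypothetical PPs and products.
CATALOG = {
    "BASE_OS_PP": PP("BASE_OS_PP", 2, frozenset({"FAU_GEN.1", "FIA_UAU.2"})),
    "HARDENED_OS_PP": PP("HARDENED_OS_PP", 4,
                         frozenset({"FDP_ACC.1", "FCS_COP.1"}), ("BASE_OS_PP",)),
}
PRODUCT_A = ST("Product A", 4, frozenset({"FAU_GEN.1", "FIA_UAU.2",
               "FDP_ACC.1", "FCS_COP.1"}), ("HARDENED_OS_PP",))
PRODUCT_B = ST("Product B", 5, frozenset({"FIA_UAU.2", "FDP_ACC.1"}),
               ("HARDENED_OS_PP",))
```

Product B states EAL5 against Product A's EAL4, yet `conformance_gaps` reports it as missing two SFRs of the claimed PP, which is the comparison the EAL number alone hides.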

The problem of applying evaluations is not new. This problem was addressed decades ago by a massive research project that defined software features that could protect information, evaluated their strength, and mapped security features needed for specific operating environment risks. The results were documented in the Rainbow Series. Rather than separating the EAL and functional requirements, the Orange Book followed a less advanced approach defining functional protection capabilities and appropriate assurance requirements as a single category. Seven such categories were defined in this way. Further, the Yellow Book defined a matrix of security environments and assessed the risk of each. It then established precisely what security environment was valid for each of the Orange Book categories. This approach produced an unambiguous layman's cookbook for how to determine whether a product was usable in a particular application. Loss of this application technology seems to have been an unintended consequence of the superseding of the Orange Book by the Common Criteria.

Validated US Government PP

  • Anti-Virus
  • Key Recovery
  • PKI/KMI
  • Biometrics
  • Certificate Management
  • Tokens
  • DBMS
  • Firewalls
  • Operating System
  • IDS/IPS
  • Peripheral Switch

Draft US Government PP

  • Switches and Routers
  • Biometrics
  • Remote Access
  • Mobile Code
  • Secure Messaging
  • Multiple Domain Solutions
  • VPN
  • Wireless LAN
  • Guards
  • Single-Level Web Server
  • Separation Kernel

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.