Testing and Evaluation of Privacy Enhancing Technologies using the Common Criteria Paul Zatychec Director EWA-Canada Ltd
Jan 02, 2016

Page 1

Testing and Evaluation of Privacy Enhancing Technologies using the Common Criteria

Paul Zatychec

Director

EWA-Canada Ltd

Page 2

Commissioner’s Challenge

Yesterday, Commissioner Cavoukian issued 2 charges:

1. Find the [privacy] design correlates in architecture!

2. “Privacy is not just about risk aversion, it’s about attracting opportunity.”

This presentation is about a commitment to a practical means of rising to these challenges.

Page 3

AIM

Present work done on a formal, standards-based approach for dealing with Privacy Considerations in technology

Raise awareness and open a dialogue

Page 4

Outline

History

Goals, Motivation and Challenges

Highlight key messages

What are the Common Criteria and why the Privacy community should care

Describe evaluation and certification process

Conclude with what this means

Open Discussion

Page 5

History

Situation: Development and Use of Privacy Enhancing Technologies have not lived up to the promising scenario of the mid-1990’s.

IPC wanted to boost the development and use of Privacy Enhancing Technologies

Page 6

More History

Formed an international team to take on the challenge of developing testing criteria for PETs

Value: level playing field for developers, common understanding for organisations deploying PETs

Part of a project named and created by John Borking (father of PETs)

IPC/CSE and EWA-Canada conducted a joint study to adapt the CC for Privacy

Page 7

Our Goals

Build an internationally accepted framework that will:

1. Provide engineering standards and guidance to technology developers and consumers on how to formally specify and build privacy requirements and functionality into new products

2. Allow products to be independently evaluated and Certified as Privacy Enhancing Technologies if they meet these requirements

Page 8

Motivation

Pages 9-17

[Diagram: "ASSURANCE for e-BUSINESS", built up over eight slides. Only the figure labels survive extraction; they are listed here grouped as they appear on the slides.]

Centre: eBUSINESS (IT) SYSTEM OPERATIONS; Risk Management Decisions; OPS Metrics; Process Metrics; ACTIVE SECURITY CYCLE

Environment: Changing Threats; New Exposures; Real World Volatility (E-Business environment)

Major System Changes: Developmental Certification & Accreditation; Visible Maps / Status

Minor System Adjustments: On-Going Accreditation; Configuration Management Tools

Throughput / Availability: Performance Monitoring & Network Management

Alarms, Incidents / Trends: Intrusion Detection Systems, Firewalls

Current Vulnerabilities: Security Posture Assessment Tools

Business Continuity Plan: Business Impact Analysis; Recovery Plan

Capability Maturity (Technology, People, Process): Process Improvement (PI)

Added on the final slide of the build: PRIVACY CONCERNS

Page 18

Motivation

1. Internationally accepted engineering standards and methodologies for privacy do not yet exist

2. Huge opportunity for Canadian leadership and contribution to the global privacy community

3. Clear demand! Address both public and private concerns

Page 19

More Motivation

4. Need to differentiate products based on privacy characteristics

(….finding the opportunity part)

5. Create a formal system to prove or disprove vendor claims to reduce snake oil and partial solutions

Page 20

4 Challenges

1. How to formally and measurably deal with Privacy Considerations for IT with credible due diligence/care regarding requirements defined in legislation, regulation, codes of ethics and best practices?

“Demonstrably” means:

Claims are precise and confirmed through independent analysis via credible third party

Privacy enhancing functionality has been independently evaluated, tested and documented

Technologies that meet specified measurable requirements are Certified by national authorities

Page 21

4 Challenges (Cont’d)

2. Need to create a comprehensive framework that can be used by developers to build privacy functionality into their products

3. Framework must provide confidence to people buying and using technologies that vendor privacy claims are real

4. How can we leverage international approaches for certification of IT security standards and enhance these for emerging privacy considerations?

Page 22

Key Messages

We are working on a globally recognized, standards-based system to encourage formal specification and independent evaluation of IT for privacy considerations

Objective is to foster increased trust and confidence that responsible vendor privacy claims are demonstrably and provably real

Page 23

Key Messages (2)

The new standard will be an extension of the ISO 15408 Common Criteria for IT Security Evaluation

It will recognize the distinct and complementary nature of IT Security, Privacy and Assurance requirements

Successful evaluations will lead to certification by national authorities and these certifications will be mutually recognized in at least 16 countries world-wide

Page 24

Leadership and Contribution

The work is being done under the leadership of the IPC (Mike Gurski) in conjunction with CSE, EWA-Canada and IBM. Sister agencies to CSE in the U.S. and other countries, as well as product vendors and government departments, are interested in this work.

Intention is to bring the completed work to the EU and other nations

Page 25

Executive Support from Canada’s Privacy Commissioners

This approach has been formally and unanimously endorsed by all of the provincial Privacy Commissioners in June 2002, with the concurrence of the Federal Privacy Commissioner, who recognize the value of this leadership opportunity.

Page 26

Why?

One of the reasons is to create a mechanism that allows organizations to exercise appropriate due diligence and due care with respect to privacy and be robust enough to meet their formal compliance obligations and legislative requirements

The privacy-extended Common Criteria will be fully traceable to mature privacy legislation, models and codes

Page 27

What are the Common Criteria and Why Should We Care?

Page 28

Common Criteria ISO 15408

International ISO IT Security standard for formally specifying IT Security Requirements and how these are to be independently evaluated and tested so products may be formally certified as being trustworthy

3-Part Standard, plus evaluation methodology

Page 29

What is an Evaluation?

Independent Verification and Validation (IV&V) by an accredited and competent Trusted Third Party

Provides a basis for international Certification against specific formal standards (i.e. CC) by national authorities

Page 30

Evaluation Process

[Diagram: Evaluation Process. Read along the connecting arrows, the boxes say: Assurance Techniques (Independent Evaluations) produce Assurance; Assurance provides formal evidence of Privacy Requirements that are Properly Managed; Privacy Requirements exist to protect Privacy Rights, giving Information Asset Owners Confidence; Information Asset Owners in turn require Assurance. Arrow labels recovered from the figure: "produce", "provide formal evidence of", "that are", "to protect", "giving", "require".]

Page 31

CC Evaluations Involve:

ANALYSIS: Product Documentation; Product Design (Security & Privacy Focus); Development Processes & Procedures; Operation & Administration Guidance and Procedures; Vulnerability Assessments

TESTING: Independent & Witnessed; Fully Documented & Repeatable

REPORTS: Lead to International Certification

Page 32

Scope

Interviews

Full Documentation Review

Independent Testing

Witness of Developer Testing

Observation Reports When Required

Deliverables: Security/Privacy Target or Protection Profile; Evaluation Technical Report; Certification Report (published by CSE, and recognized by NSA and other Certification Bodies)

Page 33

Why should we care?

The CC are a flexible standard with a proven methodology already recognized in 16 countries that can be extended to include all privacy requirements

We need to deal with the complementary distinctions between privacy and security in a single, holistic standard

Need for credibility

Developers need formal standards

Page 34

Decoding CC Terminology

Security Target (ST) or Protection Profile (PP): Requirements Specification in CC Terms

Covers Privacy and Security “Functional Requirements” and “Assurance Requirements”

Things like: Environment, Threats, Security Objectives & Assumptions etc.

TOE = Target of Evaluation = IT product or system
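A worked illustration of the ST contents just listed (environment, threats, objectives, requirements), added here and not part of the presentation: a small Python check of the traceability rationale an ST has to supply and an evaluator confirms, namely that every threat is countered by an objective and every objective is met by a functional requirement, with no dangling objectives or unjustified requirements. The threat and objective identifiers (T.PROFILE, O.ANON and so on) are constructed for the example; the requirement identifiers are the CC Part 2 privacy-class components FPR_ANO.1, FPR_PSE.1, FPR_UNL.1 and FPR_UNO.1.

```python
"""Coverage check for a Security/Privacy Target (ST) rationale.

Added illustration only, not code from the presentation. Threat and
objective identifiers are constructed; the SFR identifiers are real
CC Part 2 FPR (privacy) components.
"""
from typing import Dict, List

# --- Constructed ST content (hypothetical names) ---------------------------
THREATS: Dict[str, str] = {
    "T.PROFILE":  "An attacker links separate transactions of one user into a profile.",
    "T.IDENTIFY": "An attacker learns the real identity behind a service user.",
    "T.OBSERVE":  "An attacker learns that a user is using the service at all.",
}
OBJECTIVES: Dict[str, str] = {
    "O.ANON":     "The TOE shall not disclose a user's identity to other users.",
    "O.UNLINK":   "The TOE shall prevent linking of separate uses of a service.",
    "O.HIDE_USE": "The TOE shall hide whether a service is being used.",
}
# Security Functional Requirements drawn from the FPR class of CC Part 2.
SFRS: Dict[str, str] = {
    "FPR_ANO.1": "Anonymity",
    "FPR_PSE.1": "Pseudonymity",
    "FPR_UNL.1": "Unlinkability",
    "FPR_UNO.1": "Unobservability",
}
# Rationale tables: which objectives counter each threat, which SFRs meet each objective.
THREAT_TO_OBJ: Dict[str, List[str]] = {
    "T.PROFILE":  ["O.UNLINK"],
    "T.IDENTIFY": ["O.ANON"],
    "T.OBSERVE":  ["O.HIDE_USE"],
}
OBJ_TO_SFR: Dict[str, List[str]] = {
    "O.ANON":     ["FPR_ANO.1", "FPR_PSE.1"],
    "O.UNLINK":   ["FPR_UNL.1"],
    "O.HIDE_USE": ["FPR_UNO.1"],
}


def check_rationale(threats, objectives, sfrs, threat_to_obj, obj_to_sfr) -> List[str]:
    """Return a list of findings; an empty list means the rationale is complete.

    Each check is something an evaluator looks for in an ST:
      1. every threat is countered by at least one defined objective;
      2. every objective is met by at least one defined SFR;
      3. every objective counters some threat (no dangling objectives);
      4. every SFR traces back to some objective (no unjustified SFRs).
    """
    findings: List[str] = []
    for t in threats:
        objs = threat_to_obj.get(t, [])
        if not objs:
            findings.append(f"{t}: not countered by any objective")
        for o in objs:
            if o not in objectives:
                findings.append(f"{t}: references undefined objective {o}")
    for o in objectives:
        reqs = obj_to_sfr.get(o, [])
        if not reqs:
            findings.append(f"{o}: not met by any SFR")
        for r in reqs:
            if r not in sfrs:
                findings.append(f"{o}: references undefined SFR {r}")
    countered = {o for objs in threat_to_obj.values() for o in objs}
    for o in objectives:
        if o not in countered:
            findings.append(f"{o}: counters no threat")
    justified = {r for reqs in obj_to_sfr.values() for r in reqs}
    for r in sfrs:
        if r not in justified:
            findings.append(f"{r}: not traced to any objective")
    return findings


def trace_threat_to_sfrs(threat: str, threat_to_obj, obj_to_sfr) -> List[str]:
    """Follow threat -> objectives -> SFRs, the chain an evaluator confirms end to end."""
    return sorted({r for o in threat_to_obj.get(threat, []) for r in obj_to_sfr.get(o, [])})


if __name__ == "__main__":
    print("complete ST:", check_rationale(THREATS, OBJECTIVES, SFRS, THREAT_TO_OBJ, OBJ_TO_SFR))
    # Drop the unlinkability requirement: O.UNLINK is now unmet and FPR_UNL.1 unjustified.
    broken = {**OBJ_TO_SFR, "O.UNLINK": []}
    print("broken ST:  ", check_rationale(THREATS, OBJECTIVES, SFRS, THREAT_TO_OBJ, broken))
```

The same tables, extended with assumptions about the operational environment, are what the ST's rationale sections present; keeping them as data makes the coverage check repeatable every time a requirement is added or dropped.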

Page 35

CC Terminology (Cont’d)

Assurance Classes: Configuration Management; Delivery & Operation; Development (including design); Guidance Documentation (User & Administrator); Life Cycle Support (at higher levels); Tests; Vulnerability Assessment

Functional Classes: Many Types (product dependent & defined in ST)

Page 36

What Do CC Evaluations Give Us?

Confidence & Trust in privacy and security characteristics of products and the processes used to develop and support them (full product life cycle)

Build official assurance arguments

Prove technologies are indeed privacy enhancing as claimed

Formal, independently verifiable and repeatable methods

Provide basis for international certification

Provide Certification Report

Differentiate products

Formally support demonstrable due diligence/care

Page 37

How the Process Works

1. Privacy (and security) requirements for a technology and associated claims are precisely specified using the CC

2. Technology is built, documented and tested to these requirements

3. Technology is submitted to nationally accredited labs for evaluation against the standards

4. Evaluation is conducted under the oversight of national authority

Page 38

Process (Continued)

5. Once vendor claims are proven, national authority confers certification and publishes a Certification Report

6. Results are internationally recognized under a Mutual Recognition Arrangement

Page 39

How does the CC Currently Deal with Privacy?

Security and Assurance Requirements are Enablers for Privacy Enhancing Technologies

Currently CC are Insufficient for Privacy

Limited to only 4 Basic Areas in the Privacy (FPR) class:

FPR_ANO Anonymity

FPR_PSE Pseudonymity

FPR_UNL Unlinkability

FPR_UNO Unobservability

Clearly these are insufficient to meet all of the privacy requirements
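As an added illustration of what two of these components ask of a TOE (not code from the presentation or from the standard), the following Python models a service that issues pseudonyms: stable within one context so the service still functions (pseudonymity, FPR_PSE), different across contexts so separate uses cannot be linked (unlinkability, FPR_UNL), and reversible only for an authorised role, in the manner of the FPR_PSE.2 reversible-pseudonymity component. The keyed-hash construction, the `privacy_officer` role name and the user and context values are assumptions made for the example.

```python
"""Per-context pseudonyms as a small model of FPR_PSE and FPR_UNL.

Added illustration, not code from the presentation or the standard.
User ids, context names and the authorised role name are constructed;
HMAC-SHA256 under a secret held by the TOE is one way to build this.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class PseudonymService:
    """Issues pseudonyms that are stable inside one context and unlinkable across contexts.

    A plain hash of the user id would not do: anyone can hash the (small) space of
    candidate ids and thereby link or re-identify users. The secret key is what makes
    the pseudonyms unguessable and the cross-context mapping unlinkable to outsiders.
    """

    AUTHORISED_ROLE = "privacy_officer"  # constructed role name for the example

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        # Reverse map, so an authorised role can re-identify (FPR_PSE.2 style).
        self._ledger: Dict[Tuple[str, str], str] = {}

    def pseudonym(self, user_id: str, context: str) -> str:
        # Length-prefix the context so ("ab", "c") and ("a", "bc") cannot collide.
        msg = len(context).to_bytes(2, "big") + context.encode() + user_id.encode()
        p = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._ledger[(context, p)] = user_id
        return p

    def resolve(self, pseudonym: str, context: str, requester_role: str) -> str:
        """Re-identify a pseudonym, but only for the role the ST names as authorised."""
        if requester_role != self.AUTHORISED_ROLE:
            raise PermissionError("re-identification is restricted to the authorised role")
        return self._ledger[(context, pseudonym)]


def stable_within_context(svc: PseudonymService, user: str, ctx: str) -> bool:
    """Pseudonymity: the same user gets the same pseudonym each time in one context."""
    return svc.pseudonym(user, ctx) == svc.pseudonym(user, ctx)


def unlinkable_across_contexts(svc: PseudonymService, user: str, ctx_a: str, ctx_b: str) -> bool:
    """Unlinkability: the same user's pseudonyms in two contexts do not match."""
    return svc.pseudonym(user, ctx_a) != svc.pseudonym(user, ctx_b)


def demo() -> dict:
    svc = PseudonymService()
    user = "alice@example.test"  # constructed sample identifier
    p_billing = svc.pseudonym(user, "billing")
    return {
        "stable": stable_within_context(svc, user, "billing"),
        "unlinkable": unlinkable_across_contexts(svc, user, "billing", "support"),
        "resolved": svc.resolve(p_billing, "billing", PseudonymService.AUTHORISED_ROLE),
    }


if __name__ == "__main__":
    print(demo())
```

The two predicates are the kind of check an evaluator's independent test would exercise against the vendor's claim; the `resolve` path shows why the ST has to name the role and conditions under which re-identification is permitted, since the TOE enforces exactly that.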

Page 40

Requirements for Privacy Extensions

Different legislative requirements: Canada is great place to start; International

Regulatory requirements for different sectors, e.g. healthcare, financial, telcos etc.

Build on accepted standard Fair Information Practice Statements

Leverage Mature Privacy Models

Page 41

Proposed Extensions (1/2)

Accountability

Identifying purposes

Inform (prior to consent)

Consent

Collection: Limiting linkability; Limiting collection

Page 42

Proposed Extensions (2)

Limiting Use, Disclosure, Retention

Accuracy

Safeguards

Openness

Individual Access

Challenging Compliance

Page 43

When?

Formal Privacy Functional Requirements for 2 of the Fair Information Practice Statements have already been done in a proof of concept demonstration, and results have been vetted by world-renowned privacy experts

Remaining FIPS and associated evaluation methodology can be done within 6-9 months

Initial standard will then be fully ready for use

Page 44

What this Means

We are creating a robust and technically sound standard to allow and encourage technology developers to specify, build, document and test their solutions against formal requirements that are being vetted by world-leading privacy experts

Certification of Privacy Enhancing Technologies will require independent verification by accredited labs under national level oversight for credibility

Page 45

Way Ahead

1. Finish the Development of the FPR Class of CC Part 2 Privacy Functional Requirements

Continue Process for remaining 9 FIPS

2. Define useful packages and comprehensive Protection Profiles and Privacy Targets

3. Develop Example/Sample Privacy Policy Statements

4. Evaluate and certify products

5. Go Global!

Page 46

Questions?

Paul Zatychec

[email protected]

(613) 230.6067 ext 1227