Cloud Security Framework
System and subsystem product certification is used to evaluate the security claims made for a system and its components. Several evaluation frameworks have been used over the years, such as the Trusted Computer System Evaluation Criteria (TCSEC) developed by the United States Department of Defense; the Common Criteria (CC), discussed next, is the one that is internationally accepted and most often used.
The CC is an international set of guidelines and specifications (ISO/IEC 15408) developed for evaluating information security products, with the aim of ensuring they meet an agreed-upon security standard for government entities and agencies.
Officially, the CC is known as the “Common Criteria for Information Technology Security Evaluation.” It grew out of, and superseded, earlier national schemes such as the U.S. TCSEC (the “Orange Book”), the European ITSEC, and the Canadian CTCPEC; it was never itself called TCSEC. The CC is updated periodically. The CC has two key components:
- Protection profiles (PPs): Define a standard, implementation-independent set of security requirements for a specific type of product, such as a firewall, IDS, or unified threat management (UTM) appliance. A vendor’s Security Target (ST) typically claims conformance to one or more PPs.
- The evaluation assurance levels (EALs): Define how rigorously the product is evaluated. EALs are rated on a sliding scale from 1 to 7, with 1 being the lowest level of evaluation and 7 the highest.
- The higher the EAL, the more design evidence, documentation, and independent testing the evaluation demands. An EAL measures the depth of evaluation of the functions the vendor claims, not how much security the product provides: an EAL4 product is not “more secure” than an EAL2 product unless their Security Targets claim the same functionality. Note also that under the Common Criteria Recognition Arrangement (CCRA), certificates are mutually recognized across member nations only for evaluations against collaborative Protection Profiles (cPPs) or up to EAL2 (plus flaw remediation); higher EALs are recognized only within a national scheme or under separate agreements.
The seven evaluation assurance levels (EALs) are as follows:
- EAL1: Functionally tested
- EAL2: Structurally tested
- EAL3: Methodically tested and checked
- EAL4: Methodically designed, tested and reviewed
- EAL5: Semiformally designed and tested
- EAL6: Semiformally verified design and tested
- EAL7: Formally verified design and tested
CC Evaluation Process
The goal of CC certification is to assure customers that the products they are buying have been evaluated and that a vendor-neutral third party has verified the vendor’s claims. To submit a product for evaluation, follow these steps:
- The vendor completes a Security Target (ST) that describes the product (the Target of Evaluation, or TOE), the security functional requirements it claims to meet, and the EAL being sought; the ST may claim conformance to one or more protection profiles.
- An accredited laboratory then tests the product to evaluate how well it meets the claims in the ST and the requirements of any protection profile it claims.
- A successful evaluation leads to an official certification of the product. Note that CC certifies a product only, and only in the specific evaluated configuration described in the ST; it does not cover administrative or business processes, nor how the product is actually deployed and operated.
Cloud Security Framework FIPS 140-2
To maintain the ongoing confidentiality and integrity of sensitive information and data, cryptography is the primary control, particularly across the various cloud deployment and service models.
The Federal Information Processing Standard (FIPS) 140 publication series was issued by NIST to specify the security requirements for cryptographic modules, covering both hardware and software components, in cloud and traditional computing environments alike.
The FIPS 140-2 standard provides four distinct levels of security intended to cover a range of potential applications and environments, with an emphasis on the secure design and implementation of a cryptographic module. Requirements are specified in eleven areas:
- Cryptographic module specification
- Cryptographic module ports and interfaces
- Roles, services, and authentication
- Finite state model
- Physical security
- Operational environment
- Cryptographic key management
- Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
- Self-tests
- Design assurance
- Mitigation of other attacks
Cloud Security Framework FIPS 140-2 Goal
The primary goal of the FIPS 140-2 standard is to accredit and distinguish secure, well-architected cryptographic modules produced by private-sector vendors who seek to have their solutions and services validated for use by U.S. government departments and regulated industries that collect, store, transfer, or share data deemed Sensitive But Unclassified (SBU). Classified information (Secret, Top Secret) is outside the scope of FIPS 140-2.
Finally, when assessing the level of controls, FIPS 140-2 uses a Level 1 to Level 4 rating. Despite the ratings and their associated requirements, FIPS 140-2 does not state what level of validation is required for specific systems, applications, or data types; that decision comes from the organization’s own risk categorization and control baseline (for U.S. federal systems, FIPS 199 impact categorization and the NIST SP 800-53 SC-13 control, which requires FIPS-validated cryptography).
Cloud Security Framework FIPS Security Levels
The breakdown of the levels follows:
Cloud Security Framework Level 1
The lowest level of security. A Level 1 module must implement at least one approved security function (approved algorithm) and use production-grade components, but no physical security mechanisms are required beyond that.
A personal computer (PC) encryption board, or a software cryptographic library running on a general-purpose operating system, is a typical example of a Level 1 module.
Cloud Security Framework Level 2
Builds on Level 1 by adding physical security requirements: the module must show evidence of tampering, such as tamper-evident coatings or seals, or pick-resistant locks on removable covers and doors, so that unauthorized physical access to plaintext keys and other critical security parameters leaves a visible trace. Level 2 requires tamper evidence, not tamper resistance; nothing at this level has to stop an attacker, only make the attempt detectable afterwards. Level 2 also requires role-based authentication of operators.
Cloud Security Framework Level 3
Builds on Levels 1 and 2 by requiring the module to prevent an intruder from gaining access to the critical security parameters held within it.
Physical security at Level 3 must detect access attempts and respond appropriately to protect the cryptographic module, typically by zeroizing plaintext CSPs when a cover or door is opened. Level 3 also requires identity-based (rather than merely role-based) operator authentication, and plaintext CSPs may enter or leave the module only through ports physically separated from the other data ports.
Cloud Security Framework Level 4
Represents the highest rating. Security Level 4 requires a complete envelope of protection around the cryptographic module, intended to detect and respond to all unauthorized attempts at physical access from any direction.
Upon detection, the module must immediately zeroize all plaintext critical security parameters (CSPs; not to be confused with cloud service providers). Level 4 also requires the module to protect against, or detect, environmental conditions outside its normal operating range (voltage, temperature) that could be used to defeat its defenses. Level 4 modules undergo the most rigorous testing to confirm adequacy, completeness, and effectiveness.
All testing is performed by accredited third-party laboratories (Cryptographic and Security Testing laboratories accredited under NIST’s NVLAP) and is subject to strict guidelines and quality standards.
Upon completion of testing, each of the eleven areas receives a rating, and the overall rating, which is the lowest of the individual area ratings, appears on the vendor’s independent validation certificate.
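Levels 3 and 4 both turn on the same response: zeroizing plaintext CSPs the moment tampering is detected. The following is an added example, not code from this page or from any validated module, showing the software side of that response in C: a zeroization routine written so the compiler cannot optimize the stores away, applied to a constructed CSP record, plus the self-check a module would run before reporting to the operator that zeroization completed. The `csp_t` layout, the sample key bytes, and the function names are assumptions for illustration; the tamper sensors, mesh, and environmental monitoring that trigger the response in a real Level 3/4 module are hardware and are not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed CSP record for illustration; a real module's layout differs. */
typedef struct {
    uint8_t key[32];   /* e.g. an AES-256 key (plaintext CSP) */
    uint8_t iv[16];    /* per-message IV, treated as a CSP here as well */
    int     zeroized;  /* set to 1 once the CSPs have been destroyed */
} csp_t;

/* Overwrite n bytes with zero in a way the optimizer cannot remove.
 * A plain memset() right before the buffer goes out of scope is a dead
 * store that compilers may legally delete, leaving key material in RAM.
 * Writing through a volatile pointer forces every store to be emitted.
 * C11 memset_s() and explicit_bzero() (glibc, BSDs) are purpose-built
 * alternatives where available. */
void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Tamper response: destroy every plaintext CSP and record the transition. */
void zeroize_csps(csp_t *c)
{
    secure_zero(c->key, sizeof c->key);
    secure_zero(c->iv, sizeof c->iv);
    c->zeroized = 1;
}

/* Self-check run after zeroization: every CSP byte must be zero and the
 * state flag set. OR-accumulates so the scan has no data-dependent early
 * exit. Returns 1 on success, 0 otherwise. */
int csps_are_zero(const csp_t *c)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof c->key; i++) acc |= c->key[i];
    for (size_t i = 0; i < sizeof c->iv; i++)  acc |= c->iv[i];
    return acc == 0 && c->zeroized == 1;
}

/* Load a constructed, obviously non-secret key so the example runs offline. */
void load_test_csps(csp_t *c)
{
    for (size_t i = 0; i < sizeof c->key; i++) c->key[i] = (uint8_t)(0xA0 + i);
    for (size_t i = 0; i < sizeof c->iv; i++)  c->iv[i]  = (uint8_t)(0x10 + i);
    c->zeroized = 0;
}

int main(void)
{
    csp_t c;
    load_test_csps(&c);
    printf("before tamper event: zeroized=%d\n", csps_are_zero(&c));
    /* A Level 3/4 module reaches this point from a cover-open switch or
     * tamper sensor; here the response is simply invoked directly. */
    zeroize_csps(&c);
    printf("after tamper event:  zeroized=%d\n", csps_are_zero(&c));
    return csps_are_zero(&c) ? 0 : 1;
}
```

Compile with optimization enabled (for example `-O2`) and inspect the generated assembly for `secure_zero` versus a version that calls `memset()` and then returns: the volatile stores survive, while the `memset()` on a buffer that is never read again is commonly eliminated. That is the difference between a module that actually destroys its keys on tamper and one that only appears to in the source.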
From a cloud computing perspective, these requirements form a necessary baseline for U.S. government agencies looking to use cloud-based services. Outside of the United States,
FIPS does not typically act as a driver or a requirement; however, other governments and enterprises tend to recognize FIPS validation as an enabler or differentiator over technologies that have not undergone independent assessment or certification. One practical caveat: FIPS 140-3 superseded FIPS 140-2 in 2019, the CMVP stopped accepting new FIPS 140-2 submissions in September 2021, and FIPS 140-2 certificates move to the Historical list in September 2026, so check a module’s current status on the CMVP validated-modules list before relying on its certificate.