
Common Criteria in the Cloud Technical Community
https://cc-in-the-cloud.github.io/
MIT License

Australian Scheme Question from review of Guidance #146

Open jgb1128 opened 2 weeks ago

jgb1128 commented 2 weeks ago

This question was received from the Australian scheme:

"Hey Josh,

We are still reviewing the document and a reviewer has this question:

I see this is testing on cloud of products. Is there further consideration of how CC applies to cloud services? E.g. a layer 4 security/firewall service offered natively that can be imported into a tenancy/VPC.

Any thoughts?

Thanks heaps!

Hin."

jgb1128 commented 2 weeks ago

Response agreed upon during June 26th call: "Hin:

If you read the first sentence of the Preface of the Guidance document we say: “The Common Criteria (CC) in the Cloud (CCitC) Technical Community has developed this guidance document to provide a complimentary approach that allows for IT product evaluations in cloud operational environments.” This does not mean that schemes cannot take this guidance document and utilize parts of it as they see fit to expand the scope of a given protection profile, for example for a technology offered as a SaaS.

Testing of products “on cloud” is required for evaluating such products in that environment. This is a given but is actually a small aspect of the guidance, see page 45.

Cloud services were initially discouraged so as to make the clear differentiation between a “product” that one could buy off the shelf and a service only available via a cloud provider. However, as we moved forward in the last stages of this project, NIAP started a pilot with a vendor utilizing the MDM PP for a SaaS offering. They mapped cloud requirements to CC and that project is still going on. Materials from that mapping are publicly available on our GitHub. It is our expectation that when the pilot finishes, some inputs to the Guidance will be provided and our next version may offer more instructions around the unique nature of evaluating a cloud native service. It should be noted that the key point is that each PP must be updated to support this approach; in other words, this document is essentially a tool for PP authors and not to be used in isolation. “The intended audience of this document are Protection Profile authors (e.g. iTCs and national TCs), but it may also be useful for cloud service providers, evaluators, evaluation authorities (schemes), labs, customers, and other stakeholders of these types of products.”

Finally, regarding your example of a firewall, there is nothing precluding the NDiTC from adopting our guidance to the Firewall Module. In fact, we have mentioned in multiple venues that iTCs should be planning to integrate CCitC into their PPs, modules and supporting documents. However, at this writing the only iTC that is actively working on this is the DBMS iTC (as far as I know).

Thank you for the questions, keep them coming!

--Josh

P.S. Your feedback has triggered us to relook at our wording; perhaps there are ways we can explain these concepts up front to reduce confusion."