ISO Regulations and Roadblocks
The ISO/IEC 15408 regulations requiring Common Criteria testing can hinder security, says Robert Schadey, CISO and director of infrastructure services at 1901 Group, an IT services management provider.
"The Common Criteria guidelines and specifications developed for evaluating the security within a product ensure that security standards are agreed upon and [testing is] in place," Schadey says. For the most part, Common Criteria validates the claims of vendors' security features with an assessment of potential threats, he says.
"However, the overall length of time for testing and costs has caused a roadblock for most of the industry," Schadey says. "Our focus has shifted to providing a services-based approach for our federal customers. Services are delivered via dynamic hosting environments whereby the infrastructure layer may not be under a customer's control."
This can make it difficult to ensure that the intent of the Common Criteria security measures is in place without analyzing each vendor's cloud implementation against the Common Criteria security functional requirements (SFRs) and identifying the security gaps to determine whether the cloud provider is acceptable, Schadey says.
"The loss of control at the infrastructure layer can cause security problems," he says. "The other issue that hinders security is the timeframe it takes to test the products and have them available for selection off the Common Criteria Products List."