As the threat of data breach will always be with us, securing data at rest (DAR) should remain a top priority. Therefore, secure DAR storage solutions must include methods to encrypt and secure your data. When searching for solutions to secure DAR, you will likely run across the term Common Criteria. So, what is Common Criteria? How did it come about? Who uses it? What is the value of Common Criteria? How does it relate to TCG Opal and FIPS?
In many respects, the Common Criteria is associated with the concept of commercial off-the-shelf (COTS) products. The U.S. government’s Federal Acquisition Regulation (FAR) defines COTS as items available in the commercial marketplace that can be bought and used under government contract. The COTS initiative began over 30 years ago to prefer commercially available products (vs. highly customized and expensive) in government contracts.
Common Criteria (CC) is more formally known as the Common Criteria for Information Technology Security Evaluation, an international standard (ISO/IEC 15408) for computer and IT product security certification that was developed by the governments of Canada, France, Germany, the Netherlands, the UK, and the U.S.
CC provides a framework for specifying security functional requirements (SFRs) and security assurance requirements (SARs). Vendors can use the CC as the basis to implement and make claims about the security attributes of their products. Testing laboratories will evaluate these products to determine if they meet vendor claims. In other words, the Common Criteria assures you that the computer/IT security product will perform as specified—in a manner appropriate to the target environment.
In the U.S., the National Information Assurance Partnership (NIAP) is responsible for the implementation of the Common Criteria. NIAP also maintains a list of certified products, including storage devices, operating systems, access control systems, databases, and key management systems.
In the case of securing DAR, adhering to the CC standard provides assurance that security features such as authentication acquisition (AA) and the device’s encryption engine (EE) have been properly implemented. The crux of the Common Criteria’s value is that it results in products that are tested to security profiles that meet government requirements.
We’ve recently written about TCG Opal, which is a standard for developing security solutions, as well as FIPS, which is a NIST security certification. Note that FIPS provides a higher level of data security assurance than TCG Opal.
[Figure: TCG Opal, FIPS, and Common Criteria security levels vs. cost of total solution]
TCG Opal, FIPS, and the Common Criteria each stand on their own. We might think of this as a classic good, better, best scenario. Not every data security solution demands the most robust option. While all of us, required or not, should take care to encrypt and protect our data, not all solutions require high, CC-level security. Remember, a FIPS-validated SED provides more assurance than a TCG Opal SED, which is certainly more secure than an unencrypted SSD.
It’s the responsibility of government programs and other organizations to consider the sensitivity of their data and their positioning with respect to any cost-security tradeoffs. Having said this, those users whose data is mission critical, safety-critical, and/or classified as “Top Secret” should really be looking at a DAR solution that meets Common Criteria.