Computer Security Standards Aren't Scoring In The Commercial World

By Bruce Schneier
InternetWeek
May 14, 2001

Despite numerous efforts over the years to develop comprehensive computer security standards, it's a goal that remains elusive at best.

As far back as 1985, the U.S. government attempted to establish a general method for evaluating security requirements. This resulted in the "Orange Book," the colloquial name for the U.S. Department of Defense Trusted Computer System Evaluation Criteria. The Orange Book gave computer manufacturers a way to measure the security of their systems and a scheme for classifying them into graded levels of protection, from division D (minimal protection) up through C and B to A1 (verified design).

The goal was to aid government procurement, but it also held the promise of benefiting the entire industry. That never came to pass, primarily because certification testing was expensive (it was controlled by only a few labs) and the resulting ratings weren't well suited to the civilian marketplace's needs.

There have been other efforts over the years to codify security, but they were unsuccessful. Now, several industries are rallying around the Common Criteria, an ISO standard (ISO/IEC 15408, version 2.1) that provides a catalog of security functional requirements such as confidentiality, authentication and audit. Companies and industries using this document are expected to draw on these requirements to write a more specific "protection profile," which is basically a statement of security requirements for a class of product. Then, individual products can be evaluated against that profile.

For example, a smart card could be evaluated against a protection profile with such attributes as resistance to cloning, security of its protocols and protection against physical reverse engineering, while a firewall would be evaluated against a different protection profile, one that specifies the filtering functionality it must provide and the security properties it must have.

It's a great idea, and puts more meat on the bone than past efforts. But don't expect it to work except in a few isolated areas. The problem is that these standards can't be both general and specific. They won't tell you how to configure your Check Point firewall, or what security settings to run on Windows 2000. It's not a shortcoming in the standards; it's just not feasible to document an infinite number of scenarios.

Consider something truly specific, say, a configuration guide on the best way to secure Red Hat Linux 6.0. It could be an excellent standard, but it will probably be obsolete in a few weeks. It will certainly have to be revised for version 6.1. And it can't possibly help you configure Solaris, let alone Windows NT 4.0 SP4.

Some standards can be too specific, making it almost impossible to rate a general system. Remember when Windows NT received the Orange Book's C2 security rating? The rating applied only to one specific configuration of Windows: a standalone machine, not connected to any network and without any removable media. What about a rating for the overall security of Windows NT? Forget about it!

The bottom line is that while these standards can be very useful for certain applications, they aren't useful for gauging enterprise security in general. The Common Criteria is a great document, and companies like Visa are working hard to turn it into something they can use for their own purposes. The credit-card company is currently using the document to specify security levels for the hardware and software it accepts. But that's only a special case; no one else can take what Visa did and make use of it.

I have long quipped that given any general security standard, I could design a product that met the standard and was still insecure. Given this truism, it's no wonder that these standards don't find much utility in the commercial world. And it's no wonder that there are so many standards to choose from.
