IT security standards making headway

IT security hardware and software vendors have been wont in the past to compare themselves to insurance brokers.

Given the veil of secrecy obscuring the reporting of IT security incidents, it is often difficult for security vendors to provide tangible metrics as to the effectiveness of their products, and they are left with the "just-in-case" sales pitch.

The proliferation of malicious attacks, email worms and viruses, has certainly made the security sales job easier. However, enterprise customers are left struggling to find reliable third parties who can give an honest appraisal of different packages.

While an international effort to consolidate the different IT security infrastructure assessment criteria was initiated in the early nineties, the events of September 11 2001, and the subsequent focus on the apparent susceptibility of key data deposits, have revived the push for a broadly recognised system of IT security infrastructure assessment.

A number of separate IT security assessment processes have been in operation since the mid-eighties on either side of the Atlantic. The Trusted Computer Security Evaluation Criteria (TCSEC) was created by the US Department of Defense in 1983 and was often referred to as the "Orange Book". Across the Atlantic, the Information Technology Security Evaluation Criteria (ITSEC) was established in Europe in the eighties as an amalgamation of several national criteria. Meanwhile Canada launched its own criteria in the form of the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC).

In the eighties Australia adopted the European ITSEC, and assessments were carried out by the Defence Signals Directorate (DSD). These criteria were revisited throughout the eighties, and in 1993 attempts to update both the European and American systems came together at a meeting of international IT security and assessment agencies in Brussels, Belgium.

The Common Criteria for Information Technology Security (also known as Common Criteria or simply CC) was designed to both amalgamate and improve upon the pre-existing criteria. Although work on the criteria began as soon as the agreement was reached in Brussels, version 1.0 of the Common Criteria was not released until January 1996, with the final version not appearing until May 1998, when it was subsequently submitted to the International Standards Organisation (ISO).

Whereas the ITSEC criteria rated products from E0 through to E6, where E6 was the highest rating that could be achieved, the Common Criteria rates products from EAL1 through to EAL7, awarding higher ratings to products which provide stronger protection.

Although the Common Criteria has been established for nearly four years, the higher ratings are still largely untried: few products make it past the initial ratings, and in many cases an assessment process for the higher levels has yet to be formalised.

Peter Croft, executive general manager of Tenix Datagate, says the company's Veto product suite has already received an E6 classification under the ITSEC ratings. However, he expects to wait at least 10 months before receiving a classification under the Common Criteria, simply because the EAL7 rating the product is being assessed for is as yet untried.

"It is not cheap or easy to achieve an EAL7, but we should be the first company to get such a high rating, so it will take a while for our competitors to catch up," Croft said. "Anything software based will not make it this high; if it can be configured it can be misconfigured and vulnerabilities can be introduced. To get this kind of rating a product has to be water-tight."

Since its launch the Common Criteria has gradually gained recognition and acceptance in private and government sectors throughout the world, as government bodies in different countries gain the relevant skills and certification to assess the criteria.

Such bodies include the French Direction Centrale de la Sécurité des Systèmes d'Information, the Bundesamt für Sicherheit in der Informationstechnik in Germany, the Canadian Communications Security Establishment, the National Institute of Standards and Technology and the National Information Assurance Partnership in the US, as well as Australia's own Defence Signals Directorate.

And although the assessment process remains lengthy, Croft believes it will become streamlined as the different national bodies become more comfortable with the Common Criteria.

"Because we are the first company with a product to be assessed to the EAL7 level, in many ways the groups in charge of assessing the product are also breaking new ground," Croft said. "However, there is an increasing recognition out there that security has to be standards-based. That's what's important."
