Cloud and Common Criteria: NWI ISO Proposal (A22c)
The Common Criteria has been a framework for product evaluation of security functions since its inception in the late 1990s. As DevOps became the trend for development of agile cloud services going forward into the 2000s, the CC remained the gold standard for product evaluation but did not address how customers’ deployment approaches had changed from the traditional on-premises waterfall development model. With this in mind, is CC useful, and can it be applied to cloud service deployments of traditional on-premises products and to new cloud services developed specifically for the cloud? CC is preferred in some international cloud certification schemes today, but perhaps there are better approaches to CC evaluations that could add assurance in the cloud, and related international and national standards that could provide value in extending CC to the cloud. This year Brickman has spearheaded a technical working group under the auspices of the Common Criteria Users Forum that began thinking about this topic. In addition, the idea was recently submitted to and accepted by ISO SC27, WG3 as a Preliminary Work Item. In this talk, the author will explore options and approaches that the community could consider which would allow for CC to be evaluated in the cloud.