Silver Linings: Cloud Seeding for Common Criteria (A20c)
While CC evaluations traditionally focused on on-premises topologies, the increasing adoption of cloud infrastructure necessitates the assessment of product security in these environments. The CC in the Cloud Working Group is aims to provide guidance for the extension of CC certifications to cover products operating on public or hybrid cloud platforms. In this talk the author will explore the distinctive characteristics and security considerations associated with deploying products on public cloud environments. Key areas include shared responsibility models, key management, virtualization, multi-tenant architectures, the hypervisor/operating system layer, and their incorporation into Common Criteria Evaluation Methodology.
Additionally, he will discuss how CC Schemes may formalize remote testing using cloud infrastructure as well as other related scheme policies. This will include insights on how CC labs can establish their own cloud testing environments and the essential features and controls required to ensure accurate and independent test results.
Finally, he will provide an overview of common cloud topologies, specifically focusing on compute, network, and storage resources. An examination of the interaction of these elements with considerations for Target of Evaluation (TOE) identification, configuration guidance, and equivalency will be included.