From DBMS to DBaaS: Applying Common Criteria to Services (A12a)
Common Criteria has grappled with how to evaluate security-relevant technologies delivered as managed services. This talk uses an emerging DBMS Database-as-a-Service PP-Module as a case study in applying the CC in the Cloud Guidance for Cloud Evaluations to services. Topics will include defining the TOE boundary, separating provider and platform responsibilities, modeling service-specific threats, and expressing reusable requirements for tenant isolation, customer-controlled keys, and audit integrity. The approach is intended to inform other service-oriented cPP efforts.
