Graduate School and Research Center in Digital Sciences

Bringing common criteria certification to web services

Kaluvuri, Samuel Paul; Bezzi, Michele; Roudier, Yves

SPE 2013, IEEE International Workshop on Security and Privacy Engineering, Assurance, and Certification, June 27th-July 2nd, 2013, Santa Clara, CA, USA

Solutions based on service-oriented architecture are gaining popularity. However, a wider adoption, especially for business-critical functions, is hampered by the trust deficit that exists between consumers and providers, as consumers are shielded from the service architectures and from the operation of the service itself. Security certification can be used as a means to bridge this trust deficit. The Common Criteria for Information Technology Security Evaluation (CC) is a widely recognized and used security certification scheme. However, the CC scheme was tailored to provide assurance for traditional software provisioning models and hence cannot be applied to SOA solutions as is. In this paper, we present the limitations of the CC scheme when applied to SOA, the challenges that must be overcome for its adoption, and possible directions through which some of those challenges can be met. In particular, we point out that the CC scheme should be extended to allow for dynamic evaluation of deployed systems (including the operational environment) and for handling assurance of composite services.


Title:Bringing common criteria certification to web services
Keywords:Security Assurance; Security Certification; Web Services; Common Criteria
Type:Conference
Language:English
City:Santa Clara
Country:UNITED STATES
Date:
Department:Digital Security
Eurecom ref:4092
Copyright: © 2013 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Bibtex: @inproceedings{EURECOM+4092, doi = {http://dx.doi.org/10.1109/SERVICES.2013.17}, year = {2013}, title = {{B}ringing common criteria certification to web services}, author = {{K}aluvuri, {S}amuel {P}aul and {B}ezzi, {M}ichele and {R}oudier, {Y}ves}, booktitle = {{SPE} 2013, {IEEE} {I}nternational {W}orkshop on {S}ecurity and {P}rivacy {E}ngineering, {A}ssurance, and {C}ertification, {J}une 27th-{J}uly 2nd, 2013, {S}anta {C}lara, {CA}, {USA}}, address = {{S}anta {C}lara, {UNITED} {STATES}}, month = {06}, url = {http://www.eurecom.fr/publication/4092} }