Bernd Kowalski 23.02.2004 Slide 1
Federal Office for Information Security
The Role of the BSI in the German IT-Security Market
- Challenges in the Information Age
- Office History, Tasks and Services
- Information & Awareness Programme
- Baseline Security
- Product Certification
- Projects with Industry on IT-Security
Bernd Kowalski
Bundesamt für Sicherheit in der Informationstechnik (BSI)
San Francisco, February 23rd 2004
Challenges in the Information Age
ICT changes social and commercial structures
- ICT has a major impact on the national economy.
- Business infrastructures depend on the reliability of ICT.
- e-Business and e-Government redefine the relationship to business partners, customers and citizens.
- Electronic Funds Transfer and e-Payment replace banknotes and other traditional payment systems.
- Smartcards & Biometrics push electronic passport management.
- ICT is essential to manage all national critical infrastructures like traffic, energy, chemical, healthcare, telco, emergency etc.
Providing reliability and control of national ICT-infrastructures will be a question of national security and sovereignty.
Challenges in the Information Age
Threats to National ICT Infrastructures
- Security weaknesses in IT-Systems.
- Difficulty of detecting attacks and attackers.
- Security investments jeopardize commercial success.
- More than 80% of critical IT-infrastructures are private.
- Difficulty of national regulations in a global competitive environment.
- IT-infrastructures are highly interdependent, e.g.:
  - Weaknesses of customers'/citizens' systems may be used to attack industrial or governmental systems (DDoS).
Challenges in the Information Age
German Government Initiatives
- Define security of information systems as a part of national security.
- Rules for the certification and approval of IT-Security systems.
- Provide services for the security of government IT-systems.
- Support industry and citizens to increase their IT-Security level.
- Commit to Public Private Partnerships (PPPs) to increase the security of critical national IT-infrastructures.
Office History and Structure
History and Figures
- Office founded by law in 1991.
- Associated with the Federal Ministry of the Interior.
- Annual budget: € 45 million.
- Employees: 380.
- Location: Bonn.
"The BSI is the German Federal IT Security Authority associated with national and international partners in the field of Cryptography, Internet-Security and Certification."
Tasks and Services
- Analysis of IT-threats and -risks.
- Improve national IT-Security in cooperation with industry.
- Security Evaluation and Certification of IT systems.
- Provide the protection of classified information.
- Operation of central security services like key management.
Tasks and Services
BSI as a part of the national IT-Security Environment
[Diagram: National IT-Infrastructure (Suppliers; Citizens, Public Sector, Industry) and Federal Government; labels: Partners, Directives, Services, Deliverables, Initiatives]
- Citizens (consuming IT-Security)
- Gov't & Industry (consuming IT-Security)
- Manufacturers & Service Providers (offering IT-Security)
Tasks and Services
Services:
- Webportal service www.bsi-für-bürger.de, information about Internet security issues.
- Baseline security standard "Grundschutz" for corporate IT-infrastructures with medium-level requirements.
- Critical Information Infrastructure Protection: provide means for extraordinary security events.
- Warning & Alerting services in case of security events: Federal CERT serving the German Federal Gov't.
- Devices & services to protect classified communication in gov't & industry.
- Counter-eavesdropping services & standards for the Federal Gov't, incl. physical, emission and mobile security.
IT security: Situation in Germany
- IT-Market:
  - Total Market: € 12 Bio.
  - Security: € 1.2 Bio.
  - Government: 25% each
- IT-penetration:
  - 52% of households have a PC
  - 44% have internet access
  - 32 million people are online
- IT-Threats:
  - increasing IT-dependency
  - data privacy
  - viruses & spam
  - computer crime: 57,000 cases in 2002 (BKA - Federal Bureau of Criminal Investigation)
Information & Awareness Programme
Citizen Awareness Programme
BSI provides information for different target groups:
- citizens (general): www.bsi-fuer-buerger.de = Webportal + CD-ROM
- children & teens: (new project)
Partner Communication Channels:
- other print & online media
- manufacturers like Fujitsu-Siemens
- D21 PPP-programme
Information & Awareness Programme
Small & Medium Enterprises and Administrations
- private businesses: IT baseline protection manual, www.bsi.bund.de/gshb
- public administration: e-government manual, www.e-government-manual.de
[Figure: ITSEC assurance levels E1 to E6 plotted against assurance (low, medium, high), functionality and strength of mechanisms; evidence required per level: architecture, detailed design, configuration control system, tests, source code, semi-formal development methods, tests of the mechanisms, security model, formal development methods, close correspondence between detailed design and source code.]
IT Baseline Protection
Introduction
- Problems and motivation:
  - Increasing number of IT-Security incidents with loss of business.
  - Limited corporate IT-budgets and -competence, esp. in SMEs.
  - Business partners want to check the IT-security level of cooperating institutions by an independent method.
  - Traditional risk analysis methods are complex & not reusable.
- Objectives:
  - Security guidelines applicable & affordable for standard IT-infrastructures.
- Method:
  - Define standard types of IT-components, threats & safeguards.
  - Give practical advice on how to implement these safeguards.
- Result:
  - Modular concept: threat & safeguard catalogue per component.
IT Baseline Protection
Tools
- General Guideline: overview and awareness program for CEOs.
- Handbook: available on CD, online and in printed format.
- Software Toolkit: menu-based planning tool; gets you to your individual security solution.
- Web Tutorial: provides an overview of baseline protection; introduces the concept of the SW-Toolkit; available on the Web at www.bsi.bund.de/gshb
Product Certification
Objectives
- Evaluation of security features of IT-Products.
- Improve both security and quality of IT-infrastructures.
- Independent and trustworthy product evaluation and certification.
- Consideration of national security requirements.
- Strategic support for the national IT-Security industry.
Legal Framework
- BSI is the national authority for the German certification scheme.
- No general legal obligation to purchase certified products.
Product Certification
Why should manufacturers apply for a certificate?
- Improve product quality and security.
- Use the public product certificate for product marketing.
- Government requirements in certain areas: German Signature Law, EU and NATO directives etc.
Why should buyers request a certified product?
- The product has been evaluated by an independent, accredited body.
- The manufacturer is responsible for evaluation expenses, not the buyer.
- The certificate may help to provide evidence of resistance against certain threats.
Certification Criteria
History
- 1985: US Orange Book: IT-Security acquisition requirements from the US DoD for special systems.
- 1989: The BSI Greenbook for Germany.
- 1991: European Information Technology Security Evaluation Criteria (ITSEC).
- 1999: Common Criteria (CC) V2.1, the first agreed international certification standard, published under ISO/IEC 15408.
[Document covers shown: "Kriterien für die Bewertung der Sicherheit von Systemen der Informationstechnik (ITSEC)" (Criteria for the Evaluation of the Security of Information Technology Systems), June 1991; "Common Criteria for Information Technology Security Evaluation, Part I: Introduction and general model", May 1998, Version 2.0, CCIB-98-026]
Product Certification
The Common Criteria Community
[Map: certificate producing and accepting nations: Canada (CSE), United Kingdom (CESG), USA (NIAP), Germany (BSI), France (DCSSI), Australia/New Zealand (DSD); certificate accepting nations: Austria, Sweden, Spain, Norway, Netherlands, Italy, Israel, Greece, Finland, Hungary, Turkey]
CCRA = Common Criteria Recognition Arrangement
Product Certification
Contributors in the Certification procedure
- Manufacturer:
  - requests a certificate
  - provides complete product documentation
- Evaluation Facility:
  - design evaluation, penetration tests
  - audits in development and production
  - evaluation report to the certification body
- Certification body:
  - develops certification criteria together with CCRA partners
Product Certificates recently issued by the BSI:
- Infineon Smartcard-Controller (Smart Card IC SLE66CX322P)
- Gemplus smart card operating system (GemXpressoPro E64PK)
- SuSE operating system (Linux)
- IBM operating systems, Directory Server, Tivoli
- Microsoft Firewall
- GeNUA Firewall
- Utimaco PC security products
- Renesas (Hitachi) Smartcard-Controller (AE43C Version 01)
- Philips Smartcard-Controller (P16WX064V0C)
- G + D Tachosmart Card (STARCOS 2.4 Tach.Card Applic.)
Product Certification
European Projects with obligations to apply CC-Certification:
- EU Commission: Digital Tachograph: legally binding Directive
- NATO: several activities
- UN: Principles on Critical Infrastructure Protection
- Multilateral Defense: several projects
- D: several governmental projects, German Digital Signature Law
Product Certification
US-Government Obligations to use CC-Certification:
"By July 2002 - the acquisition of all COTS IA and IA-enabled IT products to be used on systems specified, shall be limited only to those which have been evaluated and validated [acc. to CC, NIST/NSA NIAP or FIPS program]."
Legend:
- COTS: Commercial off-the-shelf
- IA: Information Assurance
- NSTISSP: National Security Telecommunications and Information Systems Security Policy
[Shown: FACT SHEET, NSTISSP No. 11, National Information Assurance Acquisition Policy]
The US Directive No. 11 might have a significant future impact on the global IT market (CCRA).
Projects with Industry on IT-Security
Selected Projects from the National PPP-Programme
- IVBB voice & data network for the federal government.
- Root Certification Authority (CA) for German Governments.
- European Bridge CA for secure communication between Government and Industry.
- Federal CERT Community with Large and Medium Enterprises.
Bernd Kowalski
Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 185-189
53175 Bonn
Phone: +49 0 228 9582-700
Fax: +49 0 228 9582-455
[email protected]
www.bsi.de