What is the Common Criteria?

The Common Criteria for Information Technology Security Evaluation (CC) is an international standard (ISO/IEC 15408) for computer security certification.

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements through the use of Protection Profiles; vendors can then implement and/or make claims about the security attributes of their products; and testing laboratories can evaluate the products to determine whether they actually meet the claims.

In other words, Common Criteria provides assurance that the specification, implementation and evaluation of a computer security product have been conducted in a rigorous, standard and repeatable manner, at a level commensurate with the target environment for use.

The Participants in this Arrangement share the following objectives:

  1. to ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles;
  2. to improve the availability of evaluated, security-enhanced IT products and protection profiles; to eliminate the burden of duplicating evaluations of IT products and protection profiles;
  3. to continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles.

The CC is the driving force for the widest available mutual recognition of secure IT products.

Common Criteria is used as the basis for a government-driven certification scheme, and evaluations are typically conducted for the use of Federal Government agencies and critical infrastructure.

CloudMask Common Criteria Certification

Industry Regulations

The Communications Security Establishment (CSE) is the Canadian government's national cryptologic agency. It is responsible for foreign signals intelligence (SIGINT) and for protecting Canadian government electronic information and communication networks. CSE certified CloudMask Engine, a software application that enables users to protect their sensitive data while leveraging public and/or private cloud applications. CloudMask works transparently by intercepting application data before it is transmitted to the cloud and replacing it with a random token representing the data, in a process called tokenization. The tokenized data, referred to as a “mask”, is transmitted to the cloud application and is meaningless unless viewed by an authorized CloudMask user. This technique is called Dynamic Data Masking (DDM).

This evaluation was carried out in accordance with the rules of the Canadian Common Criteria Evaluation and Certification Scheme (CCS). The scope of the evaluation is defined by the security target, which identifies assumptions made during the evaluation, the intended environment for CloudMask Engine, and the security functional/assurance requirements.

Communications Security Establishment, as the CCS Certification Body, declares that the CloudMask Engine evaluation meets all the conditions of the Arrangement on the Recognition of Common Criteria Certificates.