It takes a lot of work to certify a trusted OS. In this video, you’ll learn about trusted operating systems and how much time and money it can take to validate this trust.
<< Previous Video: White Listing and Black Listing ApplicationsNext: Host-based Security >>
In working in very high security environments, you may hear the term trusted OS, trusted operating system. And this comes from the idea that our operating system will have been created, developed, designed, tested, and evaluated to be sure that we can trust what’s happening inside of that operating system. And it’s based on something called an Evaluation Assurance Level.
You’ll hear this most often referred to as the Common Criteria for Information Technology Security Evaluation. There’s a lot of words there, so most people just call it Common Criteria. You may see abbreviated as CC.
This is an international standard. So this is one that is a very well known. And you often see it related to government type work. Especially the US Federal Government, and perhaps other governments around the world, take advantage of this because it is a very common and universal requirement and set of standards. It’s one that many, many different manufacturers can write their products, their hardware, their firewalls, their security products to meet these common criteria requirements.
When something is tested with these common criteria requirements it’s given an Evaluation Assurance Level. The higher the Evaluation Assurance Level then the more testing and the more evaluation, and ideally, the more secure a product might be. And you’ll see these referred to as an EAL1 through an EAL7.
And where we’re talking about operating systems, and how they work, and how they’re developed, and how they’re tested, when we talk about a trusted operating system we’re usually referring to one that has any type of EAL compliant level. But the most generally accepted one for a trusted OS is that it’s at a minimum of an EAL4,
To get an idea of what manufacturers of these operating systems and security devices are going through to get their devices at an EAL4 level, I grabbed these stats. This is from the United States Government Accountability Office. This document is GAO-06-392. There’s the URL if you want to download the PDF. And it shows just how long it takes to get something to be EAL compliant, and something that has been tested and signed off as being EAL4 compliant not only from a time perspective but a dollars perspective.
You can see something for EAL2 may take anywhere from five to just under 10 months to get that certification. EAL4 goes from 10 months perhaps all the way up to 24 or 25 months. It could take years to get that particular device, software, operating system, to be EAL4 certified.
And it doesn’t come cheap. For EAL2 you’re spending anywhere from about $75,000 up to $200,000. For EAL4 it’s $150,000 up to $350,000 to get that certification completed.
Obviously, the manufacturers that are putting their devices through this type of certification, that are spending the time and spending the money, are doing it because the federal government needs very, very secure systems. And that’s why you not only see the government using these EAL certifications, you also see private organizations using them as well. Because they’ll look at the testing the government did and say, well if they spent all of that time and all of that money evaluating it at that certain level, we can also be sure that the operating systems that we’re going to use are trusted operating systems.