AnsweredAssumed Answered

Alfresco Common Criteria (CC) evaluation

Question asked by sanjaymodha on Aug 3, 2012
Latest reply on Aug 3, 2012 by mrogers
Hi,

We would like to know more information about Alfresco in terms of Common Criteria (CC) evaluation in order to select Alfresco as a preferred choice for our project.

Please read below paragraphs for CC and EAL.

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard. To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones.The EAL number assigned to a certified system indicates that the system completed all requirements for that level.

Although every product and system must fulfill the same assurance requirements to achieve a particular level, they do not have to fulfill the same functional requirements. The functional features for each certified product are established in the Security Target document tailored for that product's evaluation. Therefore, a product with a higher EAL is not necessarily "more secure" in a particular application than one with a lower EAL, since they may have very different lists of functional features in their Security Targets. A product's fitness for a particular security application depends on how well the features listed in the product's Security Target fulfill the application's security requirements. If the Security Targets for two products both contain the necessary security features, then the higher EAL should indicate the more trustworthy product for that application.

Questions:

1. What is a the CC evaluation position of Alfresco –We need some assurance on the security enforcing aspects (i.e. access control to documents in the repository, selective replication etc.).

2. What is the Assurance level of Alfresco from EAL1 to EAL7 ?

I couldn’t find any reference to CC certification on the Alfresco website.

Please reply at the earliest.

Regards,
Sanjay

Outcomes