Is C2 the appropriate standard for computer security? (The sidebar "C2 Security: Some Background,", explains the C2 standard.) Most software vendors aspire to C2 security: Microsoft with Windows NT and Novell with NetWare 4.x are squabbling over which company's network operating systems have the best C2 implementation and certification. (For details about the Microsoft/Novell C2 debate, see http://www.microsoft.com/ntserver/c2bltn.htm.) Many MIS managers and people less involved with computer security believe that C2 somehow guarantees a system's security. But does it?

The National Computer Security Center (NCSC) developed the Trusted Computer Standards Evaluation Criteria (TCSEC) to meet three objectives: to give users a yardstick for assessing how much they can trust computer systems for the secure processing of classified or other sensitive information; to guide manufacturers in what to build into their new, widely available trusted commercial products to satisfy trust requirements for sensitive applications; and to provide a basis for specifying security requirements for software and hardware acquisitions.

Although these objectives are admirable, the client/server computing world was embryonic when the founding fathers of the Orange Book, Trusted Computer Standards Evaluation Criteria, created the standard. Microsoft and Novell were not yet billion dollar companies, and no one thought that one day a computer would be on every desktop. In 1997, C2 is a dated, military-based specification that does not work well in the corporate computing environment. C2 doesn't address critical developments in high-level computer security, and it is cumbersome to implement in networked systems.

Some of the many new strategic items that the C2 specification does not address are

  • Distribution of access control components
  • Delegation of authority
  • International issues, such as reciprocity and national laws
  • Public key systems
  • Digital signature
  • Key management
  • Cryptography
  • Cryptographic protocols
  • Key escrow
  • Network security architecture
  • Distributed/application system security
  • Local network security
  • Application systems security
  • Email security
  • WAN security
  • End-to-end encryption
  • Relational database security
  • Integrity and confidentiality
  • Database issues such as polyinstantiation, inference, and aggregation

The Orange Book C2 specification is for standalone, nondistributed computing environments and non-networked devices. But today's computers connect to networks, the Internet, and corporate intranets, and you have to certify the security of each component of the network. A system loses its C2 status when you attach a non-C2 peripheral. NCSC has developed other books that interpret the Orange Book standards for those components, but the interpretation isn't easy: Neither NT nor NetWare had Red Book (network) certification as of early 1997.

You still cannot buy a commercially successful, highly trusted system even though the NCSC published the Orange Book in the early 1980s. The amount of C2-certified hardware and software for building a C2-compliant network infrastructure is limited, and the components are more expensive than off-the-shelf equipment. Software products such as Centri TNT from Global let you configure an NT network to have a secure TCP/IP suite for data integrity and to meet the C2 requirements.

Few tools are available for corporate computing environments to properly configure C2 in a large setting and alert you if any non-C2 device is attached to the network. The lack of tools is especially troublesome because you must perform all C2 configurations precisely according to the Trusted Facilities Manual for the specific operating system, which for NT is the Security Administrator's Guide.

C2 is a standard to learn from, not to live by

C2 certification is version-specific. Therefore, even though NT 3.5 with Service Pack 3 (SP3) is C2-certified, if you install SP4 or any other operating system fix or upgrade, the system is no longer C2-compliant. You cannot upgrade software until NCSC has certified that patch or upgrade.

In addition, C2 offers no standard format for reporting audits and logs of what has occurred on the system. C2 simply states that a secure system needs to include auditing, object reuse control, individual user control, and access control. Therefore, each vendor of C2-compliant products can create different types of formats for its logs.

NCSC designed C2 for military systems, and few organizations outside the government have ever taken the TCSEC seriously enough to adopt them. I am hard-pressed to find one Fortune 500 company that has implemented C2. And even within the government sector, C2 is not a requirement for all environments.

Some say that even with its limitations, C2 security is better than security without C2. I disagree. C2 in today's client/server environment is like the Maginot Line--illusory computer security at best. You have to acknowledge when a standard has become ineffectual. The original benefit of the C2 standard was to give systems architects and security auditors a common framework on which to design secure systems. But because the TCSEC criteria are antiquated, the framework is a weak base for a secure computing infrastructure. When a standard is as dated as TCSEC is, you will do better to start from scratch, rather than deal with an obsolete system.

So what is the best course of action for meaningful security implementation in 1997? Unfortunately, individuals and organizations that prefer standards-based solutions will be disappointed to find that no security standard is readily available today to meet the needs of most organizations. To start, you can learn contemporary security concepts. You can find a few hundred books on security in the National Computer Security Association's Information Security Catalog. The catalog covers all current security topics--cryptography, network and general security, viruses, firewalls, and Internet security (the sidebar, "Additional Reading About C2 Security," page 158, suggests a few books to start with).

Professional organizations such as the National Computer Security Association (http://www.ncsa.com), the Computer Security Institute (http://www.gocsi.com), and the MIS Training Institute (http://www.misti.com) also provide an excellent way to network with security professionals. You can learn effective security methods by attending the organizations' seminars and reading their journals. Infosecurity News (http://www.infosecnews.com) offers a wide array of tools, techniques, and product information. The annual Infosecurity News Buyers Guide is essential for researching security-based products. Interestingly, most of the products in the 1997 Infosecurity News Buyers Guide do not feature C2. Security product vendors offer valuable experience and advice to organizations about reviewing and implementing security. Consulting companies can advise you about internal policies that do not depend on a particular hardware or software vendor or solution.

C2 had its time and place, but for most of Windows NT Magazine's readers, that time and place has long since passed. C2 is a standard to learn from, not to live by. Security is far too important to place in the hands of an archaic standard.