Unverified Commit 9183f4dd authored by Aki Braun

Convert to new skeleton

parent 7751dacd
+229 −49
@@ -405,11 +405,12 @@ To ensure that the cybersecurity requirements address the specific threats faced
- Enterprise Integrators and Administrators (Refers to UC-5, UC-6, UC-7): This group represents professional users, integrators, and administrators with privileged rights and professional cybersecurity training. Their primary needs include securely connecting multiple endpoints to private corporate networks, managing complex VPN infrastructures, and conducting extensive traffic inspection for security purposes.
- Indirect Users: Where a VPN product (such as a VPN-enabled router) is deployed in a public space, the product design must also consider the cybersecurity needs, privacy, and safety of indirect users who are impacted by or whose traffic passes through the device


## 4.6 Use Cases

(previously ## 4.7)

### 4.6.1 Introduction to Use Cases

<mark>Editor's Note: The use cases shall be defined as a combination of the product context elements described in clauses 4.1 to 4.5, clearly indicating:

- **Title** the title of the use case, following a consistent naming/ID scheme (e.g., UC-3 Internet Connection)
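
Review bot: The line "(previously ## 4.7)" directly under the "## 4.6 Use Cases" heading is a renumbering remark that will render as body text in the clause. Suggest removing it from the document and recording the renumbering in the commit message instead, then checking that no remaining cross-reference still points at clause 4.7.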
@@ -427,52 +428,59 @@ This list of use cases is an informative resource to the manufacturer to simplif

See [\[i.3\]](#_ref_i.3) for formal definitions of micro, small, and medium-sized enterprises.

* **UC-1** Individual consumer
### 4.6.2 _UC-1_ Individual consumer

* Client installed on personal devices like mobile phone, portable or desktop computer
* Client communicates with exit nodes managed by manufacturer
* Securing traffic on untrusted access networks
    * User may lack advanced security knowledge
* User may lack advanced cybersecurity knowledge
* Does not connect endpoints with other endpoints directly

* **UC-2** Privacy conscious household
### 4.6.3 _UC-2_ Privacy conscious household

* All VPN infrastructure owned, rented, or managed by the user
* Client installed on router or other network level
* Obfuscating traffic and IP to avoid tracking by ISPs, data brokers
* Does not connect endpoints with other endpoints directly

* **UC-3** Journalist, activist, legal professionals
### 4.6.4 _UC-3_ Journalist, activist, legal professionals

* At high risk of surveillance
* Actively circumventing observation from competitors, hackers, opponents, and unsanctioned state actors
* Does not connect endpoints with other endpoints directly

* **UC-4** Small enterprise, small not-for-profit organization
### 4.6.5 _UC-4_ Small enterprise, small not-for-profit organization

* Limited or no full-time IT/network administration
* Seeking secure connections primarily to SaaS products
* Requires managed service for configuration and maintenance
* May connect endpoints with other endpoints directly
* Not critical for core business operations

* **UC-5** Large enterprise
### 4.6.6 _UC-5_ Large enterprise

* Full-time IT/network administration
* Connects many endpoints to private network with many hosts
* Requires managed service for configuration and maintenance
* Connects endpoints with other endpoints directly
* Critical for business operations
    * Needs to inspect traffic extensively for security
* Needs to inspect traffic extensively for cybersecurity

### 4.6.7 _UC-6_ Enterprise with independent VPN infrastructure

* **UC-6** Enterprise with independent VPN infrastructure
* All enterprise users with limited technical knowledge
* Desires partial or full time remote access to enterprise network
* Accesses one or some remote networks via enterprise gateway
* Configuration managed by administrators, pushed via gateway and/or third party solution
* Device managed by administrators, including VPN client lifecycle (install, update, etc....), via dedicated tools
    * Most of security is managed by other components (gateway for network, local EDR for endpoint security, ....)
* Most cyberssecurity is managed by other components (gateway for network, local EDR for endpoint security, ....)
* Does not see VPN as critical for core business operations

* **UC-7** Mesh Network
### 4.6.8 _UC-7_ Mesh Network

* Client installed on various devices, such as mobile phones, laptops, desktop computers, servers or network devices
* Connecting multiple endpoint traffic over untrusted access networks
    * Administrating user possesses some security knowledge
  * Administrating user possesses some cybersecurity knowledge
  * Does connect endpoints with other endpoints directly

# 5 Technical requirements for the Products
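
Review bot: In the UC-6 list the replacement bullet reads "Most cyberssecurity is managed by other components", with a doubled "s"; it should be "cybersecurity". In the same hunk the two UC-7 bullets "Administrating user possesses some cybersecurity knowledge" and "Does connect endpoints with other endpoints directly" keep a two-space indent while every other use case was flattened to top-level bullets, so they will render as children of "Connecting multiple endpoint traffic over untrusted access networks"; de-indent them to match 4.6.2 through 4.6.7.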
@@ -498,7 +506,7 @@ Once the present document is cited in the Official Journal of the European Union
| No known exploitable vulnerabilities            | NKEV, SSSD, SCUD, NUTI, LOGG        |
| Secure design, development, production          | SSDD                                |
| Secure by default configuration                 | ROUT, DNSL, EISO, TRAF              |
| Secure updates                                  | SCUD                                |
| Secure updates                                  | SCUD, tlbno, k4tc2                  |
| Authentication and access control mechanisms    | AUTH                                |
| Confidentiality protection                      | AUTH, ROUT, DNSL, EISO, IPV6, CRYPT |
| Integrity protection for data and configuration | CONF, DNSL                          |
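
Review bot: The "Secure updates" row now reads "SCUD, tlbno, k4tc2", which mixes a requirement-group code with the bare suffixes of individual requirement identifiers (they appear as REQ-SU-tlbno and REQ-SU-k4tc2 in Annex D), while every other row of this table lists group codes only. Either keep the column to group codes, in which case SCUD alone already covers the row, or write the full REQ-SU identifiers so a reader can resolve them without guessing the prefix.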
@@ -1254,6 +1262,178 @@ For each risk untreated by the product itself, a corresponding mitigation has be
  * MI-DOST
  * MI-AUTH-6

## C.X Mapping of risks to requirements

**Table 1: Mapping of risks to requirements**<

_Editor's note: this table must be updated before the draft can be considered Final_

| Threat | Requirements                                                |
|--------|-------------------------------------------------------------|
| UEVU   | SSDD, NUTI, LOGG                                            |
| KEVU   | NKEV, SSDD, SCUD, NUTI, LOGG, VULH                          |
| UEAC   | AUTH, DMIN                                                  |
| RDOS   | AVAI                                                        |
| MITM   | CRYPT, LOGG                                                 |
| LEAK   | ROUT, CONF, DNSL, IPv6, CRYPT                               |
| PLNS   | EISO, CRYPT, AUTH, ROUT, DNSL                               |
| PLNM   | CRYPT, AUTH, ROUT, DNSL                                     |
| UNAA   | AUTH, LOGG                                                  |
| LDEL   | LOGG                                                        |
| CNFS   | CONF, TRAF, IPv6, CDST, LOGG                                |
| CNFM   | CONF, TRAF, IPv6, CDST, LOGG                                |
| META   | TODO                                                        |
| RCOM   | TODO                                                        |
| USED   | AUTH, CDST, SCDL, SDRF                                      |
| CPER   | AUTH, DMIN, CRYPT, AUTH, ROUT, DNSL, CDST, SCDL, SDRF, LOGG |

# Annex D: Accounting of requirements for each use case

<mark>Editor's note: this has been temporarily abandoned until the editor can be confident that applicability is stable, at which time it will be updated or removed depending on document needs.</mark>

## D.1 _UC-1_ Individual consumer

* REQ-AC-6edxh (MI-SSCA)
* REQ-AC-451ul (MI-SCFS)
* REQ-KEV-kosxm (MI-KEVT)
* REQ-SU-tlbno (MI-KEVD) or REQ-SU-k4tc2 (MI-KEVA)

## D.2 _UC-2_ Privacy conscious household

* REQ-AC-6edxh (MI-SSCA)
* REQ-AC-451ul (MI-SCFS)
* REQ-KEV-kosxm (MI-KEVT)
* REQ-SBD-fn6sz (MI-CONF-5)
* REQ-SU-tlbno (MI-KEVD)

## D.3 _UC-3_ Journalist, activist, legal professionals

* REQ-AC-6edxh (MI-SSCA)
* REQ-SSD-jli0m (MI-FZ95) or REQ-SSD-yxi4i (MI-BTIN) or REQ-SSD-dg2ix (MI-IMSL)
* REQ-AC-451ul (MI-SCFS)
* REQ-KEV-kosxm (MI-KEVT)
* REQ-SBD-fn6sz (MI-CONF-5)
* REQ-SU-tlbno (MI-KEVD)

## D.4 _UC-4_ Small enterprise, small not-for-profit organization

* REQ-AC-6edxh (MI-SSCA)
* REQ-SSD-jli0m (MI-FZ95) or REQ-SSD-yxi4i (MI-BTIN) or REQ-SSD-dg2ix (MI-IMSL)
* REQ-AC-451ul (MI-SCFS)
* REQ-KEV-kosxm (MI-KEVT)
* REQ-SBD-fn6sz (MI-CONF-5)
* REQ-SU-tlbno (MI-KEVD)

## D.5 _UC-5_ Large enterprise

* REQ-AC-6edxh (MI-SSCA)
* REQ-SSD-jli0m (MI-FZ95) or REQ-SSD-yxi4i (MI-BTIN) or REQ-SSD-dg2ix (MI-IMSL)
* REQ-AC-451ul (MI-SCFS)
* REQ-KEV-kosxm (MI-KEVT)
* REQ-SBD-fn6sz (MI-CONF-5)
* REQ-SU-tlbno (MI-KEVD)

## D.6 _UC-6_ Enterprise with independent VPN infrastructure

* REQ-AC-6edxh (MI-SSCA)
* REQ-SSD-jli0m (MI-FZ95) or REQ-SSD-yxi4i (MI-BTIN) or REQ-SSD-dg2ix (MI-IMSL)
* REQ-AC-451ul (MI-SCFS)
* REQ-KEV-kosxm (MI-KEVT)

## D.7 _UC-7_ Mesh Network

* REQ-AC-6edxh (MI-SSCA)
* REQ-SSD-jli0m (MI-FZ95) or REQ-SSD-yxi4i (MI-BTIN) or REQ-SSD-dg2ix (MI-IMSL)
* REQ-AC-451ul (MI-SCFS)
* REQ-KEV-kosxm (MI-KEVT)
* REQ-SBD-fn6sz (MI-CONF-5)
* REQ-SU-tlbno (MI-KEVD)

## D.8 All use cases and requirements

|               **Requirements** | **UC-1** | **UC-2** | **UC-3** | **UC-4** | **UC-5** | **UC-6** | **UC-7** |
|-------------------------------:|:--------:|:--------:|:--------:|:--------:|:--------:|:--------:|:--------:|
|     **REQ-AC-6edxh (MI-SSCA)** |    x     |    x     |    x     |    x     |    x     |    x     |    x     |
|    **REQ-SSD-jli0m (MI-FZ95)** |          |          |    x¹    |    x¹    |    x¹    |    x¹    |    x¹    |
|    **REQ-SSD-yxi4i (MI-BTIN)** |          |          |    x¹    |    x¹    |    x¹    |    x¹    |    x¹    |
|    **REQ-SSD-dg2ix (MI-IMSL)** |          |          |    x¹    |    x¹    |    x¹    |    x¹    |    x¹    |
|     **REQ-AC-451ul (MI-SCFS)** |    x     |    x     |    x     |    x     |    x     |    x     |    x     |
|    **REQ-KEV-kosxm (MI-KEVT)** |    x     |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-SBD-fn6sz (MI-CONF-5)** |          |    x     |    x     |    x     |    x     |          |    x     |
|     **REQ-SU-tlbno (MI-KEVD)** |    x²    |    x     |    x     |    x     |    x     |          |    x     |
|     **REQ-SU-k4tc2 (MI-KEVA)** |    x²    |    x     |    x     |          |          |          |    x     |
|     **REQ-SU-s4uff (MI-KEVE)** |          |          |          |          |    x     |    x     |          |
|     **REQ-SU-tnuyx (MI-SUVP)** |    x³    |          |          |          |          |          |          |
|     **REQ-SU-dbge9 (MI-SUAP)** |    x³    |    x⁴    |    x⁴    |    x⁴    |    x⁴    |    x⁴    |    x⁴    |
|     **REQ-SU-0xb10 (MI-SUDC)** |          |          |          |          |          |    x     |          |
|     **REQ-SU-we54t (MI-SUOE)** |    x³    |          |          |          |          |          |          |
|     **REQ-SU-x3puy (MI-SUAO)** |    x³    |    x⁴    |    x⁴    |    x⁴    |    x⁴    |    x⁴    |    x⁴    |
|     **REQ-SU-bpenf (MI-SUCS)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|     **REQ-SU-7onio (MI-SUAU)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|     **REQ-SU-jos5i (MI-SUVH)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|     **REQ-SU-dt18f (MI-SURP)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|     **REQ-SU-v6czw (MI-SURC)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|     **REQ-SU-x13yg (MI-SUSR)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|     **REQ-SU-qvt3z (MI-SUMV)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|     **REQ-SU-r9hsq (MI-SUED)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-AAC-e5qbr (MI-AUTH-1)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-AAC-x14c6 (MI-AUTH-2)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-AAC-q4p4w (MI-AUTH-3)** |          |    x     |    x     |    x     |    x     |          |    x     |
|  **REQ-AAC-w4asr (MI-AUTH-4)** |          |          |    x     |    x     |    x     |          |    x     |
|  **REQ-AAC-luq79 (MI-AUTH-5)** |          |    x     |    x     |    x     |    x     |          |    x     |
|  **REQ-AAC-v4ifa (MI-AUTH-6)** |    x     |    x     |    x     |    x     |    x     |          |    x     |
|  **REQ-AAC-jl2ol (MI-AUTH-7)** |          |          |          |          |          |          |    x     |
|   **REQ-IM-o22x0 (MI-TRAF-5)** |          |          |          |          |          |          |    x     |
|   **REQ-SU-aa0ts (MI-ROUT-1)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|   **REQ-SU-2dd9c (MI-ROUT-2)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|   **REQ-SU-0lugk (MI-ROUT-3)** |    x     |    x     |    x     |    x     |          |          |          |
|  **REQ-CON-gfouo (MI-ROUT-4)** |          |          |          |          |          |          |    x     |
|  **REQ-CON-ztna2 (MI-DNSL-1)** |          |    x     |    x     |    x     |    x     |          |    x     |
|  **REQ-CON-qzutf (MI-DNSL-2)** |          |    x     |    x     |    x     |    x     |          |    x     |
|  **REQ-CON-uz884 (MI-DNSL-3)** |          |          |    x     |    x     |    x     |          |    x     |
|  **REQ-CON-r3w66 (MI-DNSL-5)** |          |          |    x     |    x     |    x     |          |    x     |
|  **REQ-CON-co80e (MI-DNSL-6)** |          |          |    x     |    x     |    x     |          |    x     |
|  **REQ-CON-idk9l (MI-DNSL-7)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-CON-2mkzh (MI-IPV6-1)** |    x     |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-CON-2y7ps (MI-IPV6-2)** |    x     |    x     |    x     |    x     |    x     |    x     |    x     |
| **REQ-CON-akkis (MI-CRYPT-1)** |          |          |    x     |    x     |    x     |          |    x     |
|    **REQ-CON-7jalr (MI-CDST)** |    x     |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-INT-8gxl5 (MI-CONF-1)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-INT-yt1os (MI-CONF-2)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-INT-i6xi3 (MI-CONF-3)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-INT-pwii3 (MI-NUTI-2)** |          |          |    x     |    x     |    x     |          |    x     |
|   **REQ-DM-6lw3t (MI-NPER-1)** |          |    x     |    x     |    x     |    x     |          |    x     |
|   **REQ-DM-0ky3f (MI-NPER-2)** |          |          |    x     |          |          |          |          |
|   **REQ-DM-s8bn5 (MI-NPER-3)** |          |          |    x     |          |          |          |          |
|   **REQ-DM-yxgjx (MI-NPER-4)** |          |          |    x     |          |          |          |          |
|     **REQ-AP-j0ee3 (MI-FDRP)** |          |    x     |    x     |    x     |    x     |          |          |
|     **REQ-AP-bz9jd (MI-LMEM)** |          |    x     |    x     |    x     |    x     |          |          |
|   **REQ-AP-u3z7t (MI-DOST-1)** |          |    x     |    x     |    x     |    x     |          |    x     |
|   **REQ-AP-aowjb (MI-DOST-2)** |          |    x     |    x     |    x     |    x     |          |    x     |
|   **REQ-AP-56l1z (MI-DOST-3)** |          |    x     |    x     |    x     |    x     |          |    x     |
|     **REQ-IM-2wv8t (MI-EISO)** |          |          |          |          |          |          |    x     |
|  **REQ-MAS-74ktm (MI-CONF-4)** |          |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-EMM-ynfn7 (MI-NUTI-1)** |          |          |    x     |    x⁵    |    x     |          |    x     |
|   **REQ-IM-mho3g (MI-TRAF-2)** |          |    x     |          |    x⁵    |          |    x     |    x     |
|   **REQ-IM-hxmi9 (MI-TRAF-3)** |          |    x     |          |    x⁵    |          |          |    x     |
|   **REQ-IM-t4uam (MI-TRAF-4)** |          |    x     |          |    x⁵    |          |    x     |    x     |
|  **REQ-LOG-k93qd (MI-LOGG-X)** |          |          |    x     |          |          |          |          |
|  **REQ-LOG-syyvl (MI-LOGG-1)** |    x     |    x     |    x     |    x     |    x     |    x     |    x     |
|  **REQ-LOG-zmmxx (MI-LOGG-2)** |          |          |    x     |    x     |    x     |          |    x     |
|  **REQ-LOG-jg2hq (MI-LOGG-3)** |          |    x     |    x     |    x     |    x     |          |    x     |
|    **REQ-DRT-3w50j (MI-RSET)** |          |          |    x⁶    |    x⁶    |    x⁶    |    x⁶    |    x⁶    |
|    **REQ-DRT-62w11 (MI-INST)** |          |          |    x⁶    |    x⁶    |    x⁶    |    x⁶    |    x⁶    |
|    **REQ-DRT-319xo (MI-DELE)** |          |          |    x⁶    |    x⁶    |    x⁶    |    x⁶    |    x⁶    |
|    **REQ-DRT-raygj (MI-SDRF)** |          |          |    x     |    x     |    x     |    x     |    x     |
|    **REQ-DRT-n485d (MI-SDTR)** |          |          |    x     |    x     |    x     |    x     |    x     |

¹ REQ-SSD-jli0m or REQ-SSD-yxi4i or REQ-SSD-dg2ix apply
² REQ-SU-tlbno or REQ-SU-k4tc2 apply  
³ REQ-SU-tnuyx or REQ-SU-dbge9 or REQ-SU-we54t or REQ-SU-x3puy apply  
⁴ REQ-SU-dbge9 or REQ-SU-x3puy apply
⁵ REQ-EMM-ynfn7 or (REQ-IM-mho3g and REQ-IM-hxmi9 and REQ-IM-t4uam) apply
⁶ REQ-DRT-3w50j or REQ-DRT-62w11 or REQ-DRT-319xo apply

# Annex G: Guidelines on the implementation of the present document (informative):

_This Annex is optional and may be referred to from the Introduction of the document to provide more information on how to implement the standard._
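
Review bot: The caption line "**Table 1: Mapping of risks to requirements**<" in C.X ends with a stray "<" that will either show up in the rendered text or be read as the start of an HTML tag; remove it. In the same table the CPER row lists AUTH twice and the code is written "IPv6", whereas the clause 5 table spells it "IPV6"; pick one spelling and deduplicate the row. Under D.8, footnotes ¹, ⁴, ⁵ and ⁶ lack the two trailing spaces that ² and ³ carry, so in rendered Markdown ¹ will run into ² and ⁴ through ⁶ will merge into one line; add the hard breaks or turn the footnotes into a list.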
+1336 −1307

File changed.

Preview size limit exceeded, changes collapsed.

+2153 −10

File changed.

Preview size limit exceeded, changes collapsed.