Commit 8f61fb01 authored by Valerie Aurora (Bow Shock)'s avatar Valerie Aurora (Bow Shock)

Encode use cases, add back missing use cases, add reference

parent 07683458
+68 −21
@@ -234,7 +234,10 @@ References are either specific (identified by date of publication and/or edition

The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.

* <a name="_ref_i.1">[i.1]</a>    BSI CC-PP-0067 v2.0: Operating System Protection Profile
* <a name="_ref_i.1">[i.1]</a>    BSI CC-PP-0067 "Operating System Protection Profile".

* <a name="_ref_i.number">[i.number]</a>    ETSI TS 103 732 "Consumer Mobile Device Protection Profile".

* <a name="_ref_i.number">[i.number]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".

> FIXME some of these could be normative references
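Review bot: both new informative entries reuse the same anchor, `<a name="_ref_i.number">[i.number]</a>`, so the ETSI TS 103 732 entry and the template line collide on one HTML anchor and neither has a real index; give the ETSI TS 103 732 entry the next free number (`[i.2]` with `_ref_i.2`, following the `[i.1]`/`_ref_i.1` pattern already on the line above) and keep only one template line, otherwise every `[i.number]` link in the body resolves to the same target. The rewritten `[i.1]` line also drops the `v2.0` that the previous line carried; the context line at the top of this hunk says specific references are identified by date of publication and/or edition, so either restore the version or make clear that this reference is meant to be non-specific. The FIXME added here is the right flag: if ETSI TS 103 732 is relied on for conformance it belongs in the normative clause, not among the informative references.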
@@ -497,7 +500,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system

**[PHYS]:** Manufacturers of operating systems may implement protective measures, such as preventing peripheral device driver loading or relying on hardware capabilities such as tamper-evident mechanisms, to mitigate physical access based threats to the device.

* PHYS-0: only used in environments with authorized users **[
* PHYS-0: only used in environments with authorized users
* PHYS-1: may be incidentally exposed to untrusted users
* PHYS-2: used primarily by untrusted users, e.g. the general public
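Review bot: dropping the stray `**[` from the PHYS-0 line is correct. One terminology point while this line is touched: PHYS-0 says "authorized users" whereas PHYS-1 and PHYS-2 say "untrusted users"; since the three levels are read as one scale, use a single pair of terms (trusted/untrusted, as the FNET levels do) so the boundary between PHYS-0 and PHYS-1 is unambiguous.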

@@ -547,7 +550,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system

* FNET-0: forseeable use is limited to trusted and private networks.
* FNET-1: forseeable use includes untrusted local networks but not the open internet.
* FNET-1: forseeable use includes being connected directly to the open internet.
* FNET-2: forseeable use includes being connected directly to the open internet.

#### 4.5.1.11 Configurability
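Review bot: renumbering the duplicated FNET-1 to FNET-2 fixes the scale, but all three FNET lines still spell "forseeable"; since this hunk already touches the line, correct it to "foreseeable" on all three (the other two are visible as context here). The three level descriptions also mix a trailing full stop with the PHYS levels above, which have none; pick one style for the whole clause.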

@@ -560,25 +563,69 @@ Note: "account" refers to a user in the operating systems sense: a unique system
### 4.5.1 Mapping of use cases to risk factors and security levels

| Use Case | NUSR | CUSR | DATA | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |
|--|--|--|--|--|--|--|--|--|--|--|--|--|
|UC-IoT-1|--|--|--|--|--|--|--|--|--|--|--|
|UC-IoT-2|--|--|--|--|--|--|--|--|--|--|--|
|UC-IoT-3|--|--|--|--|--|--|--|--|--|--|--|
|UC-OT-1|--|--|--|--|--|--|--|--|--|--|--|
|UC-OT-2|--|--|--|--|--|--|--|--|--|--|--|
|UC-MOB-1|--|--|--|--|--|--|--|--|--|--|--|
|UC-WE-1|--|--|--|--|--|--|--|--|--|--|--|
|UC-PC-1|--|--|--|--|--|--|--|--|--|--|--|
|UC-PC-2|--|--|--|--|--|--|--|--|--|--|--|
|----------|------|------|------|------|------|------|------|------|------|------|------|---------|
|UC-IoT-1  |    0 |    0 |    0 |    1 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |       1 |
|UC-IoT-2  |    0 |    0 |    1 |    1 |    0 |    0 |    0 |    0 |    1 |    0 |    1 |       4 |
|UC-IoT-3  |    0 |    0 |    1 |    1 |    0 |    1 |    0 |    0 |    1 |    0 |    1 |       5 |
|UC-OT-1   |    0 |    0 |    1 |    1 |    0 |    0 |    0 |    0 |    2 |    2 |    2 |       8 |
|UC-OT-2   |    0 |    0 |    0 |    2 |    0 |    0 |    0 |    0 |    1 |    2 |    1 |       6 |
|UC-MOB-1  |    1 |    0 |    2 |    1 |    2 |    0 |    1 |    2 |    2 |    2 |    2 |      15 |
|UC-WE-1   |    1 |    0 |    1 |    1 |    2 |    0 |    0 |    0 |    1 |    1 |    0 |       7 |
|UC-PC-1   |    1 |    0 |    0 |    1 |    0 |    0 |    0 |    0 |    0 |    0 |    0 |       1 |
|UC-PC-2   |    1 |    0 |    2 |    1 |    1 |    2 |    2 |    2 |    2 |    1 |    2 |      16 |
|UC-PC-3   |    2 |    2 |    2 |    0 |    0 |    1 |    1 |    1 |    2 |    0 |    1 |      12 |

Val: Phone should be significantly riskier than a personal laptop but comes out less risky, suggests that the available risk levels may need to be changed. The goes-everywhere, always-on, super loaded with personally identifiable data, filled with data stealing apps part isn't fully reflected. I would expand FNET, PHYS, LOSS, DATA perhaps? Also maybe add the lower admin/user sophistication?

Remaining use cases to code:

1. Stateless multi-user terminal
   * Multi-user system
   * Handles different workloads of different users
   * No local data or session storage
   * Highly network dependent (likely company network with firewall)
1. Enterprise work station (stationary)
   * Effectively single user (unless shared, but then more likely to be a "stateless terminal"?)
   * Connected to enterprise network with firewall
   * Web browsing and office applications
   * Managed by the enterprise's IT department
   * Transmits and stores business-critical data
   * System failure can cause monetary loss (if no proper BCM)
   * Always stationary (and supervised), access to hardware interfaces unlikely
1. Personal server
   * Usually single account, may give accounts to small trusted circle
   * Not exposed to the public
   * Behind a firewall
   * Access from anywhere via the internet possible (depending on services running)
   * Semi-professional semi-automated management by one or a few people
   * Always stationary, access to hardware interfaces unlikely
1. Enterprise laptop
   * Single account, single user
   * Connected to enterprise network with firewall, potentially via VPN
   * Web browsing and office applications
   * Managed by the enterprise's IT dep. (perhaps with Mobile Device Management)
   * Transmits and stores business-critical data
   * System failure can cause monetary loss (if no proper BCM)
1. Enterprise multi-user server, internal access only
   * Multiple accounts each with a trusted user
   * Users may install software into personal directories
   * Behind professionally managed firewall
   * Automated management and monitoring by IT professionals
   * Processes sensitive data
1. Firewalls
1. Corporate server providing services on public internet
   * Multiple accounts for isolation of services
   * Automated management and monitoring by IT professionals
   * Processes sensitive data
1. Corporate server hosting many public users
   * Many accounts, many users, no mutual trust
   * Automated management and monitoring by IT professionals
   * Processes sensitive data

> FIXME more use cases?

**Discussion**

MOVE TO STANDARDS ETSI 103 732 phones

The apps in the app store are NOT covered but the default source/method of installing apps informs risk and may be covered in some aspects

Carl-Daniel:
Separate question for the application delivery mechanism:
1. App is not preinstalled, but by default gets installed during initial configuration by the user if the user always picks the preselected option -> IMHO part of the device, forcing installation later should not be an allowed trick to make the scope smaller.
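Review bot: the table as shown keeps the original `|--|--|...` separator and then adds a second dash-only row (`|----------|------|...`) directly under the placeholder rows; in GitLab Markdown only the row immediately after the header acts as the separator, so that second row renders as a data row of dashes, and the placeholder rows from `UC-IoT-1` to `UC-PC-2` (which have one cell fewer than the header, since they lack the `_TOTAL_` column) must not survive next to the scored rows. Make sure the result is exactly one header, one separator and the ten scored rows. The heading `### 4.5.1 Mapping of use cases to risk factors and security levels` reuses the number of the clause that `#### 4.5.1.11 Configurability` just above belongs to; it needs the next free clause number. On content: `_TOTAL_` is an unweighted sum of the eleven factor scores, which is exactly why UC-MOB-1 (15) lands below UC-PC-2 (16) as the inline "Val:" comment observes; either resolve the weighting question before merge or turn that comment into a `> FIXME` line like the others, rather than leaving a named working note in the body. In the "Remaining use cases to code" list, `Firewalls` has no properties at all, and `IT dep.` and `BCM` should be written out on first use. The **Discussion** block (`MOVE TO STANDARDS ETSI 103 732 phones`, the `Carl-Daniel:` exchange) reads as meeting notes rather than deliverable text; if it is meant to stay, mark it as an editor's note in the document's own convention.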