with a view to improving the process fips 140 testing & … · process model (bpm). •...

Kelvin Desplanque (Cisco Systems)19 May, 2016ICMC 2016 – Certifications Programs Track – C12a

Creating a Model of the FIPS 140 Testing & Validation Process with a View to Improving the Process

2© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Who Am I?

Kelvin DesplanqueTechnical Marketing Engineer (TME)Cisco Canada, LtdOttawa


What’s my background?

• Bachelor’s Degrees in Physics and Engineering

• Bachelor’s Degree in Education

• Too many years writing software

• Too few years tormenting software developers(but Cisco is letting me make up for that lapse … thank you)


Why do I feel qualified to talk about modeling?This goes back to my heritage.


William ShakespeareAs You Like It, Act II, Scene VII

All the world’s a stage,And all the men and women merely players;They have their exits and their entrances,And one man in his time plays many parts …


So what is this presentation all about?

• A better way of doing things.

• By “better”, what I really mean to say is:➢ Quicker;➢ More efficiently;➢ Less costly;➢ Simpler; and➢ More easily repeatable and reproducible.

• … aren’t these the things that any good engineer should be doing?


What would I like to make ‘better’?

• The FIPS 140 validation process.

• I’m serious …

• Really … I am serious about this.

• Am I biting off more than I can chew?

• Probably ….

• … but if I don’t try I will never know if I can pull it off …

• If doesn’t produce results … then it will be a learning experience.


Have you ever wondered about …

From either a lab or vendor perspective have you have wondered about something similar to any of the following:• Why didn’t my evaluation for module ACME-2 get reviewed at the CMVP by

the same person that did ACME-1? They’re practically the same thing.

• If I had started algorithm testing with the development team even before they finalized the module’s code, even with sample vectors, they might have caught their implementation error that much sooner.

• Why did I forget about that elliptic curve expiring next year (in the transitions document) and not remember to warn the dev team to not include it?


How do I plan on improving it?

• How do I propose to make these improvements?➢ 1st – Study the FIPS 140 validation process end-to-end and identify …

o the critical sub-processes which make-up the process.o the different activities involved in the process.o the various roles and rules required to make this process achievable.o the various communications between different entities in the process.o the relationships between various entities in this process.o any additional resources required for the process to work successfully.

➢ 2nd – Creating a working representation of the process, a model, which can be studied in greater detail and possibly manipulated in an attempt to improve it.


How could modeling the process help?

• Identifying gaps and/or weaknesses in the current process.

• Manipulation of the model to investigate ways of improving the process.

• Getting a closer look at the sub-processes.

• Play with the various identifiable entities in the main process in the sub-processes.

• Ultimately create a new model which has all the improvements which are desired.


So which modeling method is best suited?

• 1st lets investigate the different candidates for this job.

• Where better to start looking than the internet which revealed the following candidate modeling techniques:

• For reasons (all of my own), a single candidate was selected to move forward with.

• Business process modeling notation (BPMN)• UML diagrams• Flowchart technique• Data flow diagrams• Role activity diagrams• Role interaction diagrams

• Gantt charts• Integrated definition for function modeling• Colored petri-nets• Object oriented methods• Workflow technique• Simulation model


So what makes BPMN so useful?

• View systems from multiple perspectives

• Discover causes and effects using model traceability

• Improve system understanding through visual analysis

• Discover errors earlier and reducing system defects

• Explore alternatives earlier in the system lifecycle

• Improve impact analysis, identify potential consequences of a change, or estimating modifications to implement a change

• Simulating system solutions without code generation


Now that I have selected BPMN, what next?

• 1st thing to do is find a tool that works well for me and that won’t cost me an arm and a leg.

• Back to the internet again for this searchhttps://en.wikipedia.org/wiki/Comparison_of_Business_Process_Modeling_Notation_tools

• Dizzying selection of tools to chose from.

• Ultimately the winner is Bonitasoft - http://www.bonitasoft.com/

https://en.wikipedia.org/wiki/Comparison_of_Business_Process_Modeling_Notation_tools

https://en.wikipedia.org/wiki/Comparison_of_Business_Process_Modeling_Notation_tools

http://www.bonitasoft.com/


So why did I select Bonitasoft?

• It adheres to the latest BPMN standard – BPMN 2.0

• Has a visual modelling studio, a workflow engine and a BPM engine

• Imports and exports well with other BPM tools.

• It’s been around since 2001 and has had glowing reviews.

• The community version is quite powerful and it’s completely free.


So what really is BPM (Part 1)?

• BPM – Business Process Modeling

• BPM is defined as a mechanism for describing and communicating the current or intended future state of a business process.

• BPM is a means of representing the steps, participants and decision logic in business processes.

• BPM is a method for improving organizational efficiency and quality.

• BPM aims to improve business performance by optimizing the efficiency of connecting activities in the provision of a product or service.


So what really is BPM (Part 2)?

• BPM is a set of activities for representing business processes in a formal way enabling analysis and further improvement of these processes.

• BPM is a combination of various process related steps such as Process Mapping, Process Discovery, Process Simulation, Process Analysis and Process Improvement.

• BPM has emerged rapidly throughout the last two to three decades, and has replaced previous organizational efficiency practices such as the Time and Motion Study (TMS) or Total Quality Management (TQM).


Some BPM Features (Part 1)

• BPM is commonly a diagram representing a sequence of activities. It typically shows events, actions and links or connection points, in the sequence from end to end.

• It mainly focuses on processes, actions and activities, etc.

• A Business Process Model includes both IT processes and people processes.

• Business Process Modelling is cross-functional, usually combining the work and documentation of more than one department in the organization.


Some BPM Features (Part 2)

• Resources feature within BPM in terms of how they are processed.

• People (teams, departments, etc.) feature in BPM in terms of what they do, to what, and usually when and for what reasons, especially when different possibilities or options exist, as in a flow diagram.

• BPM may also include activities of external organization's processes and systems that feed into the primary process.

• In large organization's operations Business Process Models tend to be analyzed and represented in more detail than in small organizations, due to scale and complexity.


So what precisely again is BPMN?

• Business Process Model and Notation (BPMN) is a graphical representation for specifying business processes in a business process model (BPM).

• Business Process Management Initiative (BPMI) developed BPMN, which has been maintained by the Object Management Group since the two organizations merged in 2005. Version 2.0 of BPMN was released in January 2011, at which point the name was adapted to Business Process Model and Notation as execution semantics were also introduced alongside the notational and diagramming elements.


So what are the basic elements in BPMN?

• Flow objects – Events, activities, gateways

• Connecting objects – Sequence flow, message flow, association

• Swim lanes – Pool, lane

• Artifacts – Data object, group, annotation


BPMN – Flow Objects

• Event – Represented with a circle and denotes something that happens (compared with an activity, which is something that is done).

• Activity – Represented with a rounded-corner rectangle and describes the kind of work which must be done.

• Gateway – Represented with a diamond shape and determines forking and merging of paths, depending on the conditions expressed.


BPMN – Connecting Objects

• Sequence Flow – Is represented with a solid line and arrowhead, and shows in which order the activities are performed.

• Message Flow – Is represented with a dashed line, an open circle at the start, and an open arrowhead at the end. It tells us what messages flow across organizational boundaries (i.e., between pools). A message flow can never be used to connect activities or events within the same pool.

• Association – is represented with a dotted line. It is used to associate an Artifact or text to a Flow Object, and can indicate some directionality using an open arrowhead .


BPMN – Swim lanes

Swim lanes are a visual mechanism of organizing and categorizing activities, based on cross functional flowcharting, and in BPMN consist of two types:

• Pool – Represents major participants in a process, typically separating different organizations. A pool contains one or more lanes (like a real swimming pool).

• Lane – Used to organize and categories activities within a pool according to function or role, and depicted as a rectangle stretching the width or height of the pool. A lane contains the flow objects, connecting objects and artifacts.


BPMN – Artifacts

• Data Object – Show the reader which data is required or produced in an activity.

• Group – Represented with a rounded-corner rectangle and dashed lines. The group is used to group different activities but does not affect the flow in the diagram.

• Annotation – Used to give the reader of the model/diagram an understandable impression


BPMN 2.0 – All the notation


BPMN 2.0 – Event notation


BPMN 2.0 – A Simple ExampleEvent (End)

Activity (Task)

Gateway

Connection(Sequence Flow)

Connection(Message Flow)

Swim lane

Pool


BPMN – Some FIPS 140 samples

• Flow objectso Event – Start of module evaluation.o Activity – Running algorithm tests.o Gateway – Algorithm responses from engineers (FAIL or ACCEPT).

• Connecting objectso Sequence flow – Moving from writing SP to sending it to lab.o Message flow – CMVP transmits evaluation comments to FIPS test lab.o Association – Component Engineering associated to BOM.


BPMN – Let’s provide some FIPs samples

• Swim laneso Pool – Vendor, test lab, CMVPo Lane – FIPS TME, project manager, contract admin (in vendor pool)

• Artifactso Data object – Module bill of materials, module EMI/EMC testso Group – Set of required documentation (SP, VE, FSM, etc.)o Annotation – “EMI/EMC tests requested from H/W test group”


Next steps?

• Continue using BPMN tool to refine themodeling of the FIPS validation process.

• Greater level greater of detail in process and sub-process diagrams.

• Identify areas or weakness of malformed workflow in the model.

• Create some ‘what-if’ scenarios and tweak some parts of different variants of the model to see if process improvements may be realistically acheived.

• Share findings with lab(s) and CMVP to see if joint efforts can be undertaken to improve the overall validation process.

with a view to improving the process fips 140 testing & … · process model (bpm). •...

Documents