navigating the forest of security certifications
DESCRIPTION
Patrick Warley, global head of research & development at Integral Memory, delivers his insights into the level of quality reassurance provided by the many security certification offerings now 'out there'. Extract from Computing Security magazine (April/May 2015).
TRANSCRIPT
In these times of heightened threats to your company's data, the need to verify the quality of your protection measures has never been more important. Whether you choose hardware or software to defend your business against security breaches, judging the robustness of the product is beset by a confusing 'forest' of certifications which are issued by an array of organisations worldwide. So where does today's CIO or security manager begin to make sense of this dense thicket of certificates?
As the inventor and developer of the Integral 'Crypto' range of hardware encrypted SSD and USB flash memory drives, it is my role to navigate the many certifications from FIPS to CAPS, Opal and beyond. As a professional cryptographer, I find it a full-time challenge to keep abreast of the sheer number of security standards and groups at national government level worldwide - multiplied by federal bodies in the US and the EU.
In this article, I hope to provide the end user with some clarification by explaining the various certifications and providing some context as to the quality reassurance they provide. It would be impossible to cover all issuing bodies, so I have chosen the key certificates used by leading vendors.
Armed with an understanding of these terms, you will be able to make sense of what a security product states on the side of its box.
FIPS (FEDERAL INFORMATION PROCESSING STANDARDS)
So let's start with FIPS. This standard is controlled by NIST (National Institute of Standards and Technology). This is a joint certification between the United States and Canada, but recognised around the world.
It is categorised accordingly: FIPS 197 certification looks at the hardware encryption algorithms used to protect the data. Most FIPS certified products will use more than one encryption algorithm. FIPS validation assures users that a given technology has passed CAVP (Cryptographic Algorithm Validation Program) or CMVP (Cryptographic Module Validation Program). Products are tested by a certified laboratory.
FIPS 140-2 certification is broken down into 4 levels:
Level 1: The basic security requirements are specified for a cryptographic module and at least one approved algorithm or approved security function will be used. No specific physical security mechanisms are required.
Level 2: Security Level 2 improves upon the physical security by requiring features that flag up evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the cryptographic keys, critical security parameters and components.
Level 3: In addition to the tamper-evident physical security, Level 3 attempts to prevent the intruder from gaining access to CSPs (Cryptographic Service Processes) held within the cryptographic module. Physical security mechanisms are required at Security Level 3 and may include the use of strong enclosures, tamper detection and response circuitry that 'zeroizes' all cryptographic keys, if the device is attacked.
Level 4: Security Level 4 currently provides the highest level of security within the FIPS 140-2 standard. At this level, the physical security mechanisms provide a complete ring of protection around the cryptographic module, with the intent of detecting and responding to all unauthorised attempts at physical access. Security Level 4 also protects the cryptographic module against security threats due to adverse environmental conditions.
CC (COMMON CRITERIA)
Common Criteria is a globally recognised certification where vendors can make claims about the security qualities of their products. The claims are tested (similar to FIPS) by a certified laboratory against a set of requirements contained in protection profiles and the laboratory tests a vendor's product against these criteria.
Essentially, Common Criteria provides a guarantee that the specification and implementation of a security product has been tested in a standard way and at a level in keeping with its intended use. CC is used as the foundation of many government certification schemes.
CESG (COMMUNICATIONS-ELECTRONICS SECURITY GROUP)
CESG is the UK Government controlling body that runs the CAPS and CPA security validation schemes.
CAPS (CESG Assisted Products Scheme) is a standard under which companies can develop sound and cryptographically strong products for use by the UK Government and its agencies and other companies that do work on behalf of the UK government that are required to protect data at a level of SECRET and above.
CAPS evaluations are akin to a partnership between CESG and the vendors who manufacture the Cryptographic product. Once a product is approved, it is given an approval letter, stating what its level of protection is, and then included in a list of approved products listed on the CESG Site.
CPA (COMMERCIAL PRODUCT ASSURANCE)
The CPA scheme evaluates commercial off-the-shelf (COTS) products and their developers against published security and development standards. The CPA products are more targeted at the commercial sector and UK government agencies that do not need data protection rules that are as stringent as CAPS. The CPA programme is a merger of several different schemes that were also under the CESG, such as the CESG Claims Tested Mark (CCTM).
To gain a CPA Certification, the vendor will need to team up with a certified laboratory that can complete the foundation grade certification. The CPA programme is open to any vendor within the UK. Products are tested against CPA security characteristics. These security characteristics define the properties CESG expects a good product to feature, using policy, guidance and CESG understanding of technology and the threat.
CPA security characteristics documentation can be found on the CESG website, but I have listed some of the things that are covered for different products: Data at Rest, Data Sanitisation, Endpoint Lockdown & control, Email Encryption, Firewalls, Remote Desktop, Secure Real-time Communications Client, Secure Voice Over IP, Virtualisation and VPNs.
TCG (TRUSTED COMPUTER GROUP) AND OPAL
The Opal Storage Specification is a standard developed by the Trusted Computer Group that defines a set of parameters for self-encrypting drives (SED).
TCG specifications of self-encrypting drives enable integrated encryption and control of the entry of the protected hardware within the drive. It also provides a solution for full disk encryption, protecting data when the laptop or drive is lost or stolen. TCG's Opal standards provide multi-vendor interoperability between hardware and software device vendors that comply with the standard.
THE FUTURE
The future of certification must be one of standardisation between the many issuing bodies. Some tentative steps have been made in this direction. Elements of ISO characteristics feature in some existing standards - which is an encouraging start. However, an international call is needed at a global leadership level, as the battle against data theft intensifies.
For a more in-depth look at each certification body, please visit the suggested websites:
http://www.nist.gov/
https://www.niap-ccevs.org/
http://www.cesg.gov.uk/servicecatalogue/Product-Assurance/CAPS/Pages/CAPS.aspx
http://www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA.aspx
http://www.trustedcomputinggroup.org/
@CSMagAndAwards
Patrick Warley is global head of research & development at Integral Memory, manufacturers of the Crypto range of hardware encrypted SSD. Crypto, he states, provides the ultimate data protection for every format of computer hardware, including desktop, laptop, Ultrabook and tablet. Crypto SSD is FIPS 140-2 validated and available in SATA 2.5 ins, mSATA MO-300, M.2 (previously known as NGFF) form factors.