certification insights
NAVIGATING THE FOREST OF SECURITY CERTIFICATIONS
PATRICK WARLEY, GLOBAL HEAD OF RESEARCH & DEVELOPMENT INTEGRAL MEMORY, DELIVERS HIS INSIGHTS INTO THE LEVEL OF QUALITY REASSURANCE PROVIDED BY THE MANY SECURITY CERTIFICATION OFFERINGS NOW 'OUT THERE'
In these times of heightened threats to your company's data, the need to verify the quality of your protection measures has never been more important. Whether you choose hardware or software to defend your business against security breaches, judging the robustness of the product is beset by a confusing 'forest' of certifications which are issued by an array of organisations worldwide. So where does today's CIO or security manager begin to make sense of this dense thicket of certificates?
As the inventor and developer of the Integral 'Crypto' range of hardware encrypted SSD and USB flash memory drives, it is my role to navigate the many certifications from FIPS to CAPS, Opal and beyond. As a professional cryptographer, I find it a full-time challenge to keep abreast of the sheer number of security standards and groups at national government level worldwide - multiplied by federal bodies in the US and the EU.
In this article, I hope to provide the end user with some clarification by explaining the various certifications and providing some context as to the quality reassurance they provide. It would be impossible to cover all issuing bodies, so I have chosen the key certificates used by leading vendors. Armed with an understanding of these terms, you will be able to make sense of what a security product states on the side of its box.
computing security
FIPS (FEDERAL INFORMATION PROCESSING STANDARDS)
So let's start with FIPS. This standard is controlled by NIST (National Institute of Standards and Technology). This is a joint certification between the United States and Canada, but recognised around the world. It is categorised accordingly: FIPS 197 certification looks at the hardware encryption algorithms used to protect the data. Most FIPS-certified products will use more than one encryption algorithm. FIPS validation assures users that a given technology has passed CAVP (Cryptographic Algorithm Validation Program) or CMVP (Cryptographic Module Validation Program). Products are tested by a certified laboratory. FIPS 140-2 certification is broken down into 4 levels:
Level 1: The basic security requirements are specified for a cryptographic module and at least one approved algorithm or approved security function will be used. No specific physical security mechanisms are required.
Level 2: Security Level 2 improves upon the physical security by requiring features that flag up evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the cryptographic keys, critical security parameters and components.
Level 3: In addition to the tamper-evident physical security, Level 3 attempts to prevent the intruder from gaining access to CSPs (Cryptographic Service Processes) held within the cryptographic module. Physical security mechanisms are required at Security Level 3 and may include the use of strong enclosures, tamper detection and response circuitry that 'zeroizes' all cryptographic keys, if the device is attacked.
Level 4: Security Level 4 currently provides the highest level of security within the FIPS 140-2 standard. At this level, the physical security mechanisms provide a complete ring of protection around the cryptographic module, with the intent of detecting and responding to all unauthorised attempts at physical access. Security Level 4 also protects the cryptographic module against security threats due to adverse environmental conditions.
@CSMagAndAwards
CC (COMMON CRITERIA)
Common Criteria is a globally recognised certification under which vendors can make claims about the security qualities of their products. The claims are tested (similar to FIPS) by a certified laboratory against a set of requirements contained in protection profiles. Essentially, Common Criteria provides a guarantee that the specification and implementation of a security product have been tested in a standard way and at a level in keeping with its intended use. CC is used as the foundation of many government certification schemes.
www.computingsecurity.co.uk
CESG (COMMUNICATIONS-ELECTRONICS SECURITY GROUP)
CESG is the UK Government controlling body that runs the CAPS and CPA security validation schemes. CAPS (CESG Assisted Products Scheme) is a standard under which companies can develop sound and cryptographically strong products for use by the UK Government and its agencies, and by other companies that do work on behalf of the UK Government and are required to protect data at a level of SECRET and above. CAPS evaluations are akin to a partnership between CESG and the vendors who manufacture the cryptographic product. Once a product is approved, it is given an approval letter stating what its level of protection is, and it is then included in the list of approved products on the CESG site.
CPA (COMMERCIAL PRODUCT ASSURANCE)
The CPA scheme evaluates commercial off-the-shelf (COTS) products and their developers against published security and development standards. The CPA products are more targeted at the commercial sector and UK government agencies that do not need data protection rules that are as stringent as CAPS. The CPA programme is a merger of several different schemes that were also under the CESG, such as the CESG Claims Tested Mark (CCTM). To gain a CPA certification, the vendor will need to team up with a certified laboratory that can complete the foundation grade certification. The CPA programme is open to any vendor within the UK. Products are tested against CPA security characteristics. These security characteristics define the properties CESG expects a good product to feature, using policy, guidance and CESG understanding of technology and the threat. The CPA security characteristics documentation can be found on the CESG website, but I have listed some of the things that are covered for different products: Data at Rest, Data Sanitisation, Endpoint Lockdown & Control, Email Encryption, Firewalls, Remote Desktop, Secure Real-time Communications Client, Secure Voice Over IP, Virtualisation and VPNs.
TCG (TRUSTED COMPUTER GROUP) AND OPAL
The Opal Storage Specification is a standard developed by the Trusted Computer Group that defines a set of parameters for self-encrypting drives (SED). TCG specifications of self-encrypting drives enable integrated encryption and control of the entry of the protected hardware within the drive. It also provides a solution for full disk encryption, protecting data when the laptop or drive is lost or stolen. TCG's Opal standards provide multi-vendor interoperability between hardware and software device vendors that comply with the standard.
THE FUTURE
The future of certification must be one of standardisation between the many issuing bodies. Some tentative steps have been made in this direction. Elements of ISO characteristics feature in some existing standards - which is an encouraging start. However, an international call is needed at a global leadership level, as the battle against data theft intensifies.
Patrick Warley is global head of research & development Integral Memory, manufacturers of the Crypto range of hardware encrypted SSD. Crypto, he states, provides the ultimate data protection for every format of computer hardware, including desktop, laptop, Ultrabook and tablet. Crypto SSD is FIPS 140-2 validated and available in SATA 2.5 ins, mSATA MO-300, M.2 (previously known as NGFF) form factors.
For a more in-depth look at each certification body, please visit the suggested websites:
http://www.nist.gov/
https://www.niap-ccevs.org/
http://www.cesg.gov.uk/servicecatalogue/Product-Assurance/CAPS/Pages/CAPS.aspx
http://www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA.aspx
http://www.trustedcomputinggroup.org/