


Navigating the forest of security certifications

Editorial Type: Opinion | Date: 03-2015 | Views: 2936

Patrick Warley, global head of research & development at Integral Memory, delivers his insights into the level of quality reassurance provided by the many security certification offerings now 'out there'

In these times of heightened threats to your company's data, the need to verify the quality of your protection measures has never been more important. Whether you choose hardware or software to defend your business against security breaches, judging the robustness of the product is beset by a confusing 'forest' of certifications which are issued by an array of organisations worldwide. So where does today's CIO or security manager begin to make sense of this dense thicket of certificates?

As the inventor and developer of the Integral 'Crypto' range of hardware encrypted SSD and USB flash memory drives, it is my role to navigate the many certifications from FIPS to CAPS, Opal and beyond. As a professional cryptographer, I find it a full-time challenge to keep abreast of the sheer number of security standards and groups at national government level worldwide - multiplied by federal bodies in the US and the EU.

In this article, I hope to provide the end user with some clarification by explaining the various certifications and providing some context as to the quality reassurance they provide. It would be impossible to cover all issuing bodies, so I have chosen the key certificates used by leading vendors.

Armed with an understanding of these terms, you will be able to make sense of what a security product states on the side of its box.

FIPS (FEDERAL INFORMATION PROCESSING STANDARDS)
So let's start with FIPS. This standard is controlled by NIST (National Institute of Standards and Technology). This is a joint certification between the United States and Canada, but recognised around the world.

IT IS CATEGORISED ACCORDINGLY:
FIPS 197 certification looks at the hardware encryption algorithms used to protect the data. Most FIPS certified products will use more than one encryption algorithm. FIPS validation assures users that a given technology has passed CAVP (Cryptographic Algorithm Validation Program) or CMVP (Cryptographic Module Validation Program). Products are tested by a certified laboratory.

FIPS 140-2 certification is broken down into 4 levels:

Level 1: The basic security requirements are specified for a cryptographic module and at least one approved algorithm or approved security function will be used. No specific physical security mechanisms are required.

Level 2: Security Level 2 improves upon the physical security by requiring features that flag up evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the cryptographic keys, critical security parameters and components.

Level 3: In addition to the tamper-evident physical security, Level 3 attempts to prevent the intruder from gaining access to CSPs (Critical Security Parameters) held within the cryptographic module. Physical security mechanisms are required at Security Level 3 and may include the use of strong enclosures, and tamper detection and response circuitry that 'zeroizes' all cryptographic keys if the device is attacked.

Level 4: Security Level 4 currently provides the highest level of security within the FIPS 140-2 standard. At this level, the physical security mechanisms provide a complete ring of protection around the cryptographic module, with the intent of detecting and responding to all unauthorised attempts at physical access. Security Level 4 also protects the cryptographic module against security threats due to adverse environmental conditions.

CC (COMMON CRITERIA)
Common Criteria is a globally recognised certification under which vendors make claims about the security qualities of their products. As with FIPS, a certified laboratory tests the vendor's product against those claims, using the set of requirements contained in the relevant protection profiles as the criteria.
