Why Security Certifications Matter

We recently announced that Forum Sentry is the first and only API gateway to be evaluated and certified as compliant with the internationally recognized Network Device Protection Profile (NDPP). We are also the only FIPS- and DoD-certified cloud integration technology in the industry. Now PP compliant, Forum Sentry is the industry’s only API gateway to hold these certifications for technology that enables secure connectivity between users, applications and the cloud.

With some of the controversy surrounding Evaluation Assurance Level (EAL) certification, we sometimes get asked, “Why do these certifications matter?”

Three reasons:

  • It shows commitment
  • It conveys trust
  • It demonstrates consistency

Showing commitment

To be fair, certifications like these take a long time and significant resources from the companies that pursue them. Many vendors see this barrier as too expensive and time-consuming, even where their security implementations would likely meet the standards set forth. These vendors then take the easy path, implementing technology and standards that are “good enough,” and simply never make the commitment to demonstrate that they meet these standards.

Unfortunately, companies that are not as committed often take shortcuts in other areas as well.

For example, Forum Sentry was the only API and cloud security gateway found to be inherently unaffected by the Heartbleed OpenSSL vulnerability earlier this year. None of this was based on certifications; it was based on our decision to build the most hardened platform we could, delivering the industry’s strongest cryptography. When we designed Forum Sentry, we chose not to rely on OpenSSL as our cryptographic library, even though doing so would have been much easier. Instead, Forum Sentry provides its own centralized location for SSL processing and private key management, so a flaw in OpenSSL’s TLS implementation did not expose Forum Sentry’s keys or memory.

Conveying trust

Simply holding these certifications gives customers peace of mind that our solutions meet the required baseline standards. For example, the FIPS 140-2 standard is overseen by the Cryptographic Module Validation Program (CMVP), a joint partnership between the US Government’s National Institute of Standards and Technology (NIST) and the Canadian government’s Communications Security Establishment Canada (CSEC). Both governments require that specific and rigorous standards be met to achieve validation, and the standards themselves are reviewed every five years.

These certifications demonstrate that an organization has met the standards set forth by the U.S. Government, where security is paramount. Achieving Common Criteria certification through the NIAP (the National Information Assurance Partnership, which runs the U.S. Common Criteria evaluation scheme, and whose certificates are recognized internationally) demonstrates that an even higher level of security is in place: the certified solution has been evaluated against some of the most demanding security standards in use anywhere.

Demonstrating consistency

Compliance testing is often a far more rigorous process than many realize. Solutions are tested, retested and tested again to show that they meet the standards repeatedly and across many different scenarios. A solution that fails even occasionally is not consistent enough to earn the certification.

This is one reason why the generic EAL 4 requirements have lost their relevance: achieving repeatable results in all cases was not required. The NIAP now evaluates products against specific Protection Profiles (PPs) such as the NDPP, rather than against a bare EAL, and under a PP every required security function is tested, so vendors must demonstrate that their solutions meet the stated requirements consistently.

Yes, it matters

For any company, the ramifications of a security breach of any kind can be severe. Organizations should recognize that a vendor that spends the resources to earn more than one certification has demonstrated that its solutions meet some of the toughest and most rigorous security standards that governments require, and that such a vendor has earned a correspondingly higher level of trust.

We’d love to hear from you: why do you think certifications matter?