To determine whether a certification will help in your product analysis, look at how the certification defines a particular security function, like whether a stateful packet-filtering firewall is tracking the state of a TCP session properly. Knowing that, for instance, TCP state is defined and tested in the certification lab as just TCP session setup and tear-down and doesn't include TCP sequence numbering and error-control mechanisms can help you decide if that particular certification is appropriate for your requirements.
Certification tests typically are restricted to a subset of a product's features. Although most firewalls support IPsec (IP security), just because a firewall passes ICSA Labs Firewall Certification doesn't mean it passes the IPsec VPN Certification. And these functional certifications merely confirm that a security feature works--they don't shed any light on the importance of the feature.
Common Criteria is the culmination of work between several countries, including the United States, Canada, Germany and the United Kingdom, to develop a set of universal requirements, test methodologies and structure for evaluating security products worldwide ("CC Glossary"). CC 2.1 and ISO (International Organization for Standardization) standard 15408 are the same. Although the CC was developed with government evaluation and purchasing in mind, its testing and certifications apply to the enterprise as well.
The CC comprises three parts. Part 1 is an overview. Part 2 defines the security components being tested. Vendors can use Part 2 to specify functions required for their product or subsystem, such as a firewall or encryption processor. The tested device is known as the "target of evaluation" (TOE) in CC parlance. Part 3 defines the security-assurance requirements. It's used to develop PP and security target (ST) documents. The ST document defines the functional capabilities of the product. Each evaluated product has an ST document. The PP defines a set of security requirements needed to achieve a security goal. CC doesn't require a PP for every product tested, but if it has one, the product has to satisfy that profile as well as the ST. CC also provides a certification report that summarizes the test, explains the testing environment and configuration, and describes any PPs used. The report includes special exceptions or issues, if any, surrounding the certification testing.
The CC's Evaluated Assurance Level (EAL) is an assessment that says the product meets the functional requirements stated in the ST and in the PP (see "CC EALs,"). EAL levels range from EAL1, which means a product was functionally tested and met the basic requirements, to EAL7, which signifies the product meets requirements for exceptionally secure environments.
Most products receive CC certification of EAL4 and below because EAL5, 6 and 7 certifications are extremely stringent--the CC evaluates the development process and theoretical framework behind the product along with the functional tests.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
