Thursday, February 20, 2014

CPA certification: An exercise in trust

Neil Larkins
Chief Operating Officer
Egress Software Technologies Ltd.
Last year, we put Egress Switch to the test. Or rather, we allowed CESG, the UK National Technical Authority for Information Assurance and world-renowned cryptography experts, to put Switch to the test.

CESG’s Foundation Grade CPA programme certifies commercial security products for use by government, the wider public sector and industry in lower threat environments. For government and the public sector, this means that Switch is certified for sharing IL2 and low-threat IL3 information (OFFICIAL and OFFICIAL SENSITIVE under the new Government Classification Policy) over the internet – a topic we demystified in a previous blog post. While this is great news for organisations in the public sector, independent software assurance must be a key consideration for businesses across all industries when selecting an encryption service to protect their most valuable assets.

What does CPA involve?


Only products that perform a security enforcing function are eligible for certification. Specifically, email encryption products are expected to protect the confidentiality and integrity of emails, in addition to providing the recipient with authentication over the sender. In practice, this means that we need to think about the real risks to our information and give it the right levels of protection at all the points we are responsible for it. Therefore, when faced with the challenge of sharing highly sensitive data electronically, organisations must use the most appropriate technology available to ensure safe delivery to that space whilst maintaining the integrity and protection of internal networks at all times.  

CESG stipulates a detailed set of characteristics and security principles that an email encryption product should be tested against. This not only deals with how the data is encrypted, but also with interoperability with other systems and ensuring security is maintained at all times, even in the event of system crash or compromise.

CPA testing is carried out by CESG-approved Test Labs, under the supervision of GCHQ. Vendors are also involved throughout the process, on hand to provide technical assistance during the evaluation to ensure a good understanding of the product undergoing assessment. Once the evaluation is complete, CESG reviews the report, and if the assessment is successful, they award the Foundation Grade Certification. This process, however, is by no means a walk in the park, sometimes taking up to 12 months and including a complete review of the entire business and software applications.

Why does Switch’s CPA certification matter?


CESG states: “Foundation Grade certification represents a level of confidence in the security behaviours of a product, in line with commercial good practice.”

First and foremost, therefore, Switch’s CPA certification demonstrates to our customers that Egress’ technology and supporting business process can be fully trusted. Our software development methods and quality assurance practices have been rigorously tested by some of the best crypto-analysts in the world – and stood up to the challenge.

In practice, this means that Switch can be trusted to protect our customer’s information throughout the data sharing lifecycle. Many products use the same AES 256 bit encryption – however, the way that it is implemented is key to security.

It is interesting to note that not a single product, including Switch, has gone through CPA certification without some changes, both in software and procedural use of the product. This can only be seen as a good thing – as is third party assurance, especially when that third party happens to be a branch of government.

The certification also demonstrates that Egress has nothing to hide. We voluntarily put Switch forward for CPA testing because we have confidence in our product and the work we do. And this, again, is good news for our end-users. There are some companies who may shy away from CPA testing – and they would no doubt say they have their reasons for this. 

As an end-user, therefore, you have to ask yourself which product you want: the one that government experts approve or one that won’t be put to the test.