Can you trust a product that doesn’t have the right certification?

There are numerous organizations who, when looking for a new solution, will draw up a list of attributes products must have to proceed to the evaluation phase. FIPS accreditation, CAPS and CESG all appear regularly on this list of must haves, especially for government bodies. They’re obviously very important but do you know what these acronyms really mean?

Federal Information Processing Standards (FIPS), according to, are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government. FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4”. It does not specify in detail what level of security is required by any particular application. A word of warning, FIPS 140 does not purport to provide sufficient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure.

CESG is the Information Assurance (IA) arm of GCHQ and is the Government’s National Technical Authority for IA responsible for enabling secure and trusted knowledge sharing, which helps its customers achieve their aims. CESG aims to protect and promote the vital interests of the UK by providing advice and assistance on the security of communications and electronic data. CAPS helps private sector companies to develop cryptographic products for use by HMG and other appropriate organisations. CAPS links the cryptographic knowledge of CESG (the national technical authority for information assurance) with the private sector’s expertise and resources.

However, a product that doesn’t have accreditation does not automatically mean that it isn’t capable of achieving it. In fact, by its own admission, NIST states that FIPS accreditation should not solely be relied upon suggesting that even if a product is certified, it may not actually be secure. In fact, this was proven in January when a flaw was unearthed in certain hardware-encrypted USB flash drives although it is true that the certification earned by the device in question never claimed it capable of doing what many perceived it should – be impenetrable.

Here are six key factors to consider when evaluating security solutions:

Accreditation: FIPS, CESG and CAPS have a place, but should not be considered the be all and end all to product selection. While a useful tool in assessing the security of encryption products, it is not a guarantee that a product is secure, the onus is on the end user to understand what they’re using. What they do provide is a benchmark for comparing and contrasting products against. Another solution that meets these criteria, but without the certification, can still be included in the evaluation if you want to make sure you are looking at ALL the options.

Cryptography: the Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256. It will depend on the sensitivity of the data whether you need 256 or if 128 would be adequate.

Data: The United Kingdom currently uses five levels of classification — from lowest to highest, they are: protect, restricted, confidential, secret and top secret. It stands to reason that it depends on the level of sensitivity that is being stored on the device that will determine what standards they would need to have or what kite marks are in place to ensure the level of protection.

Device: Considering where sensitive data resides will help determine the type of product you need and the standard it should have. If you are a government body/large corporate looking to protect mobile devices a central management policy will be required.

Cost: A number of factors will influence just how much you spend on protecting the data. There is the argument that you can’t put a price on security but it has to make commercial sense. There’s no point having a top of the range encryption solution if the data its protecting is the lunch time sandwich order! By the same token a minimal encryption solution would not be deemed adequate by the ICO should the device contain personal health records transported by a GP. The solution should be appropriate for the data it is protecting.

Company: A key element, and occasionally forgotten when checking products have the right acronyms, is the credibility of the company you are buying from. It’s products might have all the certifications money can buy but if, it’s been making headlines for being breached, do you want to find out if they’ve got it “all sorted’.

Accreditation does not just happen, organizations have to invest vast sums of money to ensure its products jump through the relative hoops to attain certification. Rather than being blinded by a set of acronyms, you should be steered by your own security policy to determine: what you’re protecting, where it is and how it might get there. Once you’ve collated this data you’ll be in a position to evaluate solutions which will meet these needs. Can you afford to discount the most appropriate technology in the marketplace simply because it hasn’t jumped high enough or spent a vast amount of money – yet!

Don't miss