Labels remain a key issue in cybersecurity, with France’s cyberscore project on the one hand, and product certification and qualification on the other – to say nothing of individual certification. But as the number of second-tier companies grows at national and international level, it is becoming difficult for IT managers to negotiate this maze. Should you opt for certification rather than qualification? Which organisation should you trust? Are all labels the same? The questions keep on coming.
At the same time, an upsurge in online scams has left the general public struggling to assess the security of the online services they use. In an attempt to simplify the situation, the “cyberscore” project was launched in France. On paper, it is intended as a quick overview of the level of cybersecurity offered by a digital service. In practice, however, the label walks a tightrope between questions of security and sovereignty, pending clarification of the factors that need to be considered in this rating for private customers. But what about the corporate perspective?
A wide (maybe too wide?) range of cybersecurity certifications and qualifications
CSPN certification, basic, standard and enhanced qualification or Security Visa in France, "Producto Aprobado" or "Producto Cualificado" in Spain, Common Criteria certification, NATO Restricted or EU Restricted labels: a proliferation of cybersecurity product certifications is making it increasingly difficult for IT managers to know exactly what each one covers. And that, in turn, makes it difficult for them to choose the one best suited to their organisation. However, this proliferation is a positive sign, according to Julien Paffumi, Product Portfolio Manager at Stormshield, who maintains that “the proliferation of such certifications and qualifications is a sign that companies are becoming more aware of their cybersecurity needs. And not just any cybersecurity, but trusted cybersecurity guaranteed by a third party.”
On the subject of cyber-regulations, one question often comes up: what are the differences between certification and qualification? In France, certification is a statement of the robustness of a security product, whereas qualification goes further. Qualification attests to the product's compliance with stringent regulatory, technical and security requirements, and provides a guarantee of robustness against cyberattacks. It therefore takes the form of a meaningful recommendation from the French agency ANSSI – a statement of the government’s confidence in the product in question and its supplier. Remember: ANSSI qualification is based first and foremost on a review of the source code of cybersecurity solutions to guarantee the absence of backdoors.
This attribution by an independent entity is critically important here, as it refers directly to the level of trust, and credibility, given to a certification or qualification.
Assessment and recognition of cybersecurity certifications and qualifications
And given that not all of these national and international certifications are equivalent, nor are they based on the same evaluation criteria, it is not uncommon to find publishers seeking multiple certifications to enhance the value of their technology. This situation emphasises the need to understand the differences between the various qualifications available and to ask legitimate questions: how do you compare the value of two different qualifications? Does international certification carry more weight than local certification? In Julien’s opinion, “A decision to choose local certification is often based on geopolitical criteria and the question of national sovereignty, whereas the choice of international certification is more a question of economic interest. For a publisher or a multinational customer, it makes sense to have a certification that is recognised in all the markets in which it operates.”
“A decision to opt for local certification is often based on geopolitical criteria and the question of national sovereignty, whereas the choice of international certification is more a question of economic interest.” – Julien Paffumi, Product Portfolio Manager, Stormshield
It's also important to understand that all certifications and qualifications are different. For example, it is perfectly normal for an industrial certification not to have the same awarding criteria as a more general public qualification, since the issues and environments are extremely different. The level of requirements will also vary from one certification to another: for example, an ANSSI CSPN certification is less stringent than a Common Criteria certification, which is itself less demanding than an ANSSI standard qualification. Different requirements also mean a different scope: in the case of Common Criteria certification, the scope of the assessment is set by the publisher, whereas in the case of ANSSI standard qualification, it must be approved by the ANSSI. Furthermore, a different level of requirement does not mean that a CSPN-certified product is necessarily any worse than a product qualified to standard level: it simply indicates that it has undergone less stringent testing. In every case, the guarantees are obtained in the laboratory, where the product is tested under controlled conditions by an independent third party. “The fact that every product, from every publisher, is subjected to the same test environment provides potential customers with objective and usable elements of comparison,” Julien explains. The choice of a label or certification must therefore begin with a clear definition of the need: is a certification specific to your own sector of activity (industry, banking sector, etc.) required? Do you fall into the category of organisations covered by the label in question? What minimum level of requirements do you need? And what level of trust?
Once these initial questions have been answered, the next step is to assess the professionalism and competence of the organisation issuing the certificate, and to examine the process used to obtain it: how many tests were carried out? Over what period? By whom? Secondly, the relevance of the certification target needs to be analysed in detail in terms of the specific points that were verified during the process. Yet as Julien points out, “As you dig deeper, it becomes difficult to follow the details: even for a cyber expert, it's not always easy to understand the subtleties of a certification target.” Hence the importance of identifying reliable, rigorous trusted third parties. He maintains that “the ANSSI qualification process, for example, is very demanding. The bar is set high, and the assessment bodies and the qualification office are very strict. As suppliers, we have to prove ourselves and sometimes make costly changes to our products in order to obtain this prestigious stamp of approval. That's what gives it its legitimacy as a mark of quality and trust.”
“The ANSSI qualification process is very demanding. The bar is set high, and the assessment bodies and the qualification office are very strict. That's what gives it its legitimacy as a mark of quality and trust.” – Julien Paffumi, Product Portfolio Manager, Stormshield
When choosing a label, therefore, trust is essential. And in certain situations, it is preferable for guarantees to be provided by a local trusted third party. This is the case in France, for example, where ANSSI certification or qualification is important in terms of sovereignty issues, and can even be a criterion in invitations to tender for certain critical sectors. The French agency enjoys an excellent reputation in Europe, which also makes a strong business case for ANSSI certification/qualification at European level. The same phenomenon is at work in Spain, for example, where government agencies and critical infrastructures must use solutions certified by the national cybersecurity agency (Centro Criptológico Nacional – CCN). Fortunately, there is mutual recognition between certain countries, reducing the certification effort. This is true for the German (BSI) and French (ANSSI) agencies, which now mutually recognise each other’s first-level certificates.
Bilateral initiatives of this kind raise the question of moving towards a single, international, cross-sector certification framework.
The challenges of harmonising labels, certifications and qualifications
At European level, this harmonisation process has already begun with a European mutual recognition agreement known as SOG-IS. It is far from being “universal”, since its highest levels of recognition concern only two specific technical fields (“secure microcontrollers and similar products” and “hardware equipment with secure enclosures”). However, at least it's a start. Harmonisation of labels, certifications and qualifications is therefore a desirable way of raising the general level of cybersecurity, provided we avoid the pitfalls of “lowest common denominator” approaches or oversimplification. This may explain the lengthy discussions and the delay on the part of the European Union in developing ENISA’s future European certification: will it adhere to the requirements of a French CSPN, an EAL3+ or EAL4+ Common Criteria certification, or a standard qualification? The definitive answer is expected by 2024 – at the same time as the expected release of the U.S. Cyber Trust Mark, another cybersecurity label from the United States.
These are encouraging steps towards harmonisation. After all, they are driving a grass-roots movement to establish common cybersecurity standards based on quality and rigour. “However, we will need to find the right balance between certification for all and a customised approach in order to deliver a solution that is relevant to each sector of activity,” warns Julien. This effort to harmonise certifications and qualifications could then lead to the emergence of a common label with the greatest possible level of recognition. At the same time, a reduction in the effort needed to comply with the cybersecurity regulatory requirements of each market would also encourage the adoption of good cyber practices by more businesses. This is a sound initiative, inspired in part by the ANSSI model in France, because, as Julien concludes: “cyber regulations and certifications often begin at a local level before being copied or expanded to other sectors and/or other geographical areas.”