Security certification for digital products and solutions is a hallmark of reliability. What does this certification entail, and how does it ensure a high level of cybersecurity?
Definition of a Security Certification
Security certification for computer solutions and software involves evaluating a product according to specific cybersecurity standards. This process is now crucial for ensuring the protection of data and systems in the face of increasing cyber threats. Security certification also supports businesses in their search for secure digital solutions for their strategic and sensitive uses. It ultimately helps to harmonize the security levels of solutions and contributes to the creation of a trusted digital system.
Types of Security Certifications
- Product Certifications: Focus on the security aspects of a specific product. They assess whether the product meets the required security standards and can resist potential cyber attacks.
- System Certifications: Evaluate the security of an entire system, including the products, processes, and people involved. This type of certification is broader and considers the systemic aspects of cybersecurity.
There are various security certifications internationally and in Europe. Here’s an overview:
International Cybersecurity Certifications
Common Criteria (CC)
Common Criteria is the international standard for cybersecurity certification of information technology. Also known as “Common Criteria for Information Technology Security Evaluation”, this international standard (ISO/IEC 15408) allows for the assessment of IT product security by accredited and independent laboratories based on demanding technical and organizational criteria. The certificates are internationally recognized by the signatories of the Common Criteria Recognition Arrangement (CCRA), which includes ANSSI in France.
FIPS 140-3
Developed by the National Institute of Standards and Technology (NIST) in the United States, the FIPS 140-3 standard is specifically concerned with verifying the security of cryptographic modules. Essential for products used in government and sensitive environments, the standard analyses in particular:
- the features and capabilities of the cryptographic module
- interactions with other systems
- management of access and authorised operations
- software component security
- secure maintenance and updates
- measures against various forms of potential attack.
This standard proposes four qualitative levels of security (basic to very high), adapted to different applications and IT environments.
European cybersecurity certifications
The European Cybersecurity Certification project
The EUCC certification scheme is based on the international Common Criteria scheme for certifying ICT products, their hardware and software (firewalls, encryption and electronic signature devices, routers, smartphones, bank cards, etc.). In October 2023, a first draft implementing act for the EUCC was published by the European Commission and opened for comments.
EUCS (European Certification Scheme for Cloud Services) under study
In the same vein as the EUCC, EUCS certification is aimed specifically at approving the security of products and services hosted in the cloud. The proposed text is now being studied by the European Cybersecurity Certification Group (ECCG) and will help to strengthen the security of cloud computing in Europe.
As part of the NIS 2 directive and the Cyber Resilience Act, these European certification projects aim to harmonise the security levels of IT solutions.
In France: ANSSI security certification
The security certification issued by ANSSI (Agence nationale de la sécurité des systèmes d’information) is a benchmark in France and throughout Europe. Based on the Common Criteria international certification standard, this national certification scheme assesses the robustness of a specific version of a product at a given time, based on the state of the art of cyber attacks. To award it, the approved laboratories and experts analyse a number of security criteria, including:
- compliance with current national and international information systems security standards and regulations
- technical and organisational security measures
- resistance to attacks, including attempted intrusions, hacking and exploitation of vulnerabilities
- access management and authentication to control access to data and resources
- encryption and data protection
- resilience and incident management
- security maintenance and updates, to respond to new threats and vulnerabilities.
ANSSI also offers a security qualification for digital products and services intended for critical and strategic sectors (OIV and OSE). This qualification meets specific regulatory requirements, such as the French military programming law. ANSSI’s security qualification attests to the suitability of the solutions for the sensitive needs identified by companies. The publisher must prove that it can meet its commitments over the long term.
How to assess the credibility of a security certification?
Which products are eligible for security certification?
A wide range of IT products and solutions are eligible for security certification if they process data and/or are used by sensitive organisations. Here are some of the types of products covered by security certification:
- IT hardware: servers, routers, firewalls and other network equipment, etc.
- Software: operating systems, applications and databases, etc.
- Cloud solutions: cloud computing services, storage and cloud-based applications, etc.
- Encryption products: encryption modules, key management tools, etc.
- Mobile security solutions: security applications and infrastructures for mobile devices, etc.
- Industrial Control Systems (ICS) and Internet of Things (IoT): connected devices in various industrial sectors, etc.
Tixeo, certified and qualified by ANSSI for over 5 years
Tixeo secure video conferencing software has been certified and qualified by ANSSI for over 6 years. Thanks to its end-to-end encryption and its on-premise version, it offers businesses in critical sectors total confidentiality for their exchanges and, above all, a high level of operational resilience. On the strength of this certification and qualification, the French government recommends its use for sensitive applications. Other European labels confirm the security of its solution.