Is your server trusted? Look for Common Criteria Validation to prove security assurance!

When it comes to securing the encryption keys that protect your sensitive data, would you want to rely on a vendor that certifies only a part of their security solution (which may not offer complete assurance of meeting regulatory and policy compliance requirements) or one that certifies the overall security functionality of the entire appliance and its operations?

Seems like a no-brainer, yet many companies do not fully investigate the depth to which many security products are actually qualified. HPE knows this, and helps customers navigate these shifting waters of security compliance every day. In fact, governments around the world are increasingly relying on security certifications in order to even approve using a vendor's products. Among its other current certifications, the HPE Enterprise Secure Key Manager 4.1 (ESKM) appliance is now awarded the prestigious Common Criteria certification. 

  • HPE ESKM version 4.1 is the Target of Evaluation (TOE) for the Evaluation Assurance Level 2  (EAL2+) Augmented with ALC_FLR.2 Evaluation, and
  • HPE ESKM is evaluated at an accredited and licensed evaluation lab using the Common Methodology for IT Security Evaluation, version 3.1 revision 4 (Ref [3]).

But, what does this mean in English? What did we have certified?

Common Criteria (CC) is a universally-accepted, mutually recognized standard for measuring and validating the “trust” of security applications through an independent lab certification. The evaluation focused on all security aspects of the HPE ESKM 4.1 appliance including audit, cryptographic support, user data protection, identification and authentication, management, data integrity, access controls and trusted path/channels.  HPE also validated the ESKM in a cluster (for disaster recovery and high-availability) and all interfaces were thoroughly tested against the strict CC testing requirements. Eight ESKMs can be configured in a cluster and no other vendor can claim this high availability capability. This Common Criteria certification helps provide true Global Security Assurance for HPE ESKM customers.  The official certification listing can be found here on the Common Criteria portal (Listed in the tab under Key Management Systems). Read more about the details of the HPE ESKM CC validation.

By the way, Common Criteria is just the latest certification awarded to the HPE Enterprise Secure Key Manager appliance, as it was also recently re-validated on FIPS 140-2 level 2. At HPE, the Data Security team takes pride in the fact that ESKM is THE MOST validated, certified and trusted key management system available on the market today. Providing security assurance to customers is the primary objective in everything we develop for years of reliable, trusted performance. As HPE Data Security products are updated or evolve, newer versions are submitted for testing so that current certifications can be quickly re-validated. You can relax because you made the right decision to go with HPE! After all, you want to be as prepared as possible and minimize risk to better comply with industry standards, regulatory requirements, and similar policy-driven mandates.

It doesn’t matter if you’re in mission critical enterprises that range from payment and financial businesses to health care or even worldwide governments, with ESKM’s Common Criteria and FIPS certifications you’re covered with the leading industry accepted standards for independent validation of security vendors.

  • CC EAL2+ (Common Criteria) certified
  • FIPS 140-2 level 2 entire appliance boundary (Federal Information Processing Standard)

And it’s not just Common Criteria and FIPS, but ESKM can also boast about its storage industry benchmarks that demonstrate compliance with interoperability standards, such as SNIA/SSIF conformance testing ESKM as the first (and most compliant!) KMIP-interoperable commercial server product and OASIS with their Interoperability Showcase at the annual RSA Conference.

  • SSIF KMIP Conformance Test (Storage Security Industry Forum) first validated commercial server and best KMIP compliance support
  • RSA Conference 2016 – OASIS Interoperability Showcase (leading KMIP-compliant commercial enterprise key management server supporting KMIP operations)

HPE wants to give customers the peace of mind that what they run in production to protect their data meets the highest security standards and provides the contemporary, proven solution for centralized key management they need. The medals already worn by the HPE ESKM are starting to make it look like a true Olympic champion. Customers worldwide, regardless of country or industry, will see this as another validation benchmark which adds credibility to our message when we talk about high-assurance hardware protection of keys for your business-critical encryption applications.

When it comes down to encrypting your data and securely managing the encryption keys that protect that data, customers demand the most trusted, qualified platform available. Regulators and auditors would much rather walk into a known and widely certified environment that conforms to security best practices, instead of one that is a mish-mash of older and unqualified software, devices and accessories. In my last blog, I asked the question “Is your key management appliance actually FIPS validated?” The purpose of the piece was to bring attention to the fact that you want to make sure validation and certification claims by security vendors apply to the current versions they sell, or that you are running. It does not help if their products are certified on an older system or earlier firmware that has been superseded by current security threats that probably didn't even exist when they originally obtained the validation. Some companies may certify once to get that “checkbox” checked, but continue to rely upon an outdated certification logo, knowing that it’s no longer relevant for today's products you actually must use for security assurance.

About Common Criteria

Common Criteria is an internationally recognized standard and set of guidelines (ISO 15408) for evaluating IT product security products and is recognized by over 26 countries around the world across EMEA/APJ and the Americas. Many global government and enterprise customers consider Common Criteria a mandatory requirement for the procurement of security products. The Common Criteria Mutual Recognition Agreement (CCRA) is a pact, which was designed to allow all evaluations up to an evaluation assurance level (EAL) 2, to be recognized by all participating countries, regardless of where the evaluation was completed. Higher EAL levels do not necessarily imply "better security", they only mean that the claimed security assurance of the TOE has been more extensively verified

The U.S. government mandates Common Criteria certification of security products for federal purchases. The National Information Assurance Acquisition Policy, NSTISSP No. 11, requires agencies to procure only those commercial security products that have met specified third-party assurance requirements and have been tested by an accredited national laboratory.

The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) established the National Information Assurance Partnership (NIAP) to evaluate IT product conformance to the Common Criteria for Information Technology Security Evaluation, an international standard. The program, officially known as the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) is a partnership between the public and private sectors to help organizations select commercial off-the-shelf information technology (IT) products that meet their security requirements and to help manufacturers of those products gain acceptance in the global marketplace.