Finding your way through cybersecurity assessments

In 2021, cybersecurity can no longer be a matter for specialists. However, when companies and public organisations want to secure their information systems, they do not always know where to turn. “When you have to buy a security product, if there is no label to attest to its quality, you are only faced with the sales pitch without tangible proof,” remarked Martin Moreau during the FIC Observatory breakfast of 20 May 2021, entitled “Buyers and users of cybersecurity solutions: Why choose certified products?”

Moreau knows what he is talking about: he is an analyst at Amossys, one of the few French Information Technology Security Assessment Centres (‘CESTI’), approved by the French National Cybersecurity Agency (ANSSI) to assess security products. These centres issue two types of “labels”: certification and qualification. They represent pledges of trust validated by the French cybersecurity agency that can enlighten the choice of companies in their purchases. The problem is that there is a lot of confusion surrounding these labels, as buyers do not always know what they mean and how to differentiate them from each other. Let us review the situation.

To avoid any confusion, Philippe Loudenot, cybersecurity delegate within the Pays de la Loire regional council and administrator of CESIN, a club of decision-makers dedicated to cybersecurity, refused to talk about certification and qualification “labels”, as this term is too marketing oriented for his taste. “It’s not a label because it’s not a question of writing a cheque to obtain certification,” agreed Yves Gheeraert, director of France, Benelux and Southern Europe at Blancco, a French publisher of data erasure solutions.

Certification is a one-time assessment, while qualification is a long-term process

Certification and qualification are stamps awarded by ANSSI. Certification is a one-off assessment—carried out by a CESTI for the ANSSI—that attests to the security level of all or part of a product at a given time, in a specific version and a specific environment. Qualification is “an additional guarantee of quality,” added Martin Moreau. It requires the CESTI to carry out more tests (audits of various kinds, fault finding, pentesting, etc.). “It is much more focused on security over time,” commented Michel Benedittini, deputy director general of ANSSI, as qualification is equivalent to a recommendation from ANSSI for a product.

In France, there are two main types of certifications: the Common Criteria (international cybersecurity evaluation standards), which predate the creation of ANSSI, and the first-level security certification (CSPN), created in 2009 by ANSSI to offer a less burdensome and expensive certification than the Common Criteria.

For the ‘CSPN’, there are six steps to the process:

1. The drafting of a security target, which includes the version of the product (software or hardware), the functions to be evaluated, and the environment in which the product is used. This document is drafted by the applicant and validated by a CESTI.
2. The CESTI sends this document to the National Certification Centre (‘CCN’), which depends on ANSSI.
3. The ANSSI validates the security target.
4. The CESTI carries out an evaluation procedure.
5. The CESTI send its report to ANSSI.
6. The CESTI and ANSSI discuss to establish together the validity of the certification.

The security target, key to successful certification

“It’s a very rigorous process: just because you start a certification or qualification procedure doesn’t mean you’ll get it,” insisted Yves Gheeraert. The key, according to the entire panel of this FIC Observatory breakfast, is the drafting of the security target. Philippe Loudenot mentioned the example of two French firewall solutions that are ‘CSPN’ certified, but “one is certified for the entire perimeter of the product while the other is certified for only a few functions. This makes a big difference.” Today, some CESTIs, such as Amossys, also offer consulting services to help buyers through this difficult first step.

Unfortunately, access to certification—and a fortiori to qualification—remains too costly and laborious a procedure for some start-ups and a few small cybersecurity publishers. “We lack an intermediate fringe of trust that can be brought into a digital device, with a simplified and less expensive process, but guaranteed security,” lamented Philippe Loudenot.

Not to mention that the confusion over the various evaluation processes has not been resolved by the creation of the ANSSI security visas, which were supposed to bring under the same heading products that were CSPN-certified (but not Common Criteria-certified) and products that were qualified. On the contrary, “it has further complicated things” by adding a new term, deplored Philippe Loudenot. But it is now at the European level that simplification is at stake: the European Cybersecurity Agency (ENISA), the ANSSI, the German BSI, and some others are working in particular to create a common framework for CSPN and equivalent certifications, for example. And the CESIN administrator concluded with a proposal to further clarify things at the French level: “We could establish a number of points according to the evaluation, with, for example, 750 points for Common Criteria certification, 800 points for standard qualification, and 1,000 points for reinforced qualification…” A word to the wise.