The inside scoop on security certifications
People frequently ask me about certifications and what they all mean. Here at Fortinet, we realize that looking at marketing specs or documentation isn’t always enough when you’re looking for the ideal security solution. After all, just because it looks good on paper doesn’t mean it’s the right product for you, right? So, we invest a lot of time getting our firmware and hardware products certified on a regular basis.
This is why we know it’s important to invest in third-party certifications, and make it a regular part of our development and product release cycles. Offerings such as the consumer programs developed by ICSA, cryptographic module validations developed by NIST, and international security certifications adopted by NIAP are important to us and I hope I can explain why they should be important to you as well. It wouldn’t be possible to list them all, but I will provide a little more insight into why the ones I’ve just listed are notable – just to get you started.
Firstly, there are many security products on the market today. Some focus on specific functionality, like firewall or IPS; others like the FortiGate appliances provide an all-in-one solution. All vendors claim their products are the best at what they do, but often use proprietary terminology that can confuse you. Buyers then need help cutting through the buzzwords and getting to the point – does the product do what you need it to do?
Certifications help remove much of the mystery when comparing products by providing baseline requirements that are applied to all vendors, providing a better chance of comparing apples-to-apples. Combined with their unbiased assessments on how well the tested product functions, you’ll already be better off. Who doesn’t want a product that has been independently tested and given a stamp of approval by an objective party?
Unfortunately, there is one challenge with sifting through the various certification programs: the requirements are often vastly different, so you can’t just compare one program to another. This is why we actively certify our products in multiple labs and programs. Each of the offerings listed above has a specific focus and targets a particular market, and going through each of them allows us to make the product that much better. Keep in mind that even though all of them are significantly important to us, you might find that some are more relevant to your needs than others.
Third-party consumer certification labs, like ICSA, design test requirements for specific types of security products. They have programs specific to firewall security, antivirus protection and VPN technologies. When products are tested and certified in these programs, the lab makes sure that the product does what it says it does, what it needs to do and that the products can work together. This way, you can select a FortiGate appliance and put it on your network with other vendor gear and not worry about compatibility issues. ICSA also holds multiple ISO certifications and is active in government certifications so you can rest assured that they are adequately qualified to perform these services.
If you work in the IT department for a government agency, financial institution or an up-and-coming company and don’t want your intellectual property falling into the wrong hands, FIPS PUB 140-2 and its Cryptographic Module Validation Program might be enough for you. FIPS is often sought after when one wants to know that the product uses strong encryption, sound security practices for administration, and built-in self-tests to ensure consistently secure and reliable operation. Even the lowest level of FIPS is intended to make sure that the crypto used on the system can’t be bypassed by someone mischievous using downloadable hacking tools, a disgruntled customer, or someone snooping around for your trade secrets.
But in classified environments, you or your management team may need even more than ICSA and FIPS certifications. You might need evidence that the source code was written with security in mind, that the various hardware and internal software components actually work properly together, or even certainty about how effectively the vendor will support you after you buy the product. We can’t, of course, give you the source code and design specs, or give every customer a day tour of our support and operations facilities. But we can get our products Common Criteria (or CC, if you prefer) certified. CC certifications are conducted by certified labs in over 20 countries worldwide and are mutually recognized. In other words, when a qualified lab in Canada has examined the product inside and out with a fine-tooth comb and the Communications Security Establishment Canada issues the report, it’s also valid for other regions such as the US, UK and Australia.
I could go on, mentioning all the specific products that have been certified and go into more exhaustive detail of each of the offerings I’ve already mentioned. But as programs are constantly evolving, I’d prefer to point you to the official sites so that this blog entry will always remain relevant. Also, I invite you to have a look at our marketing pages, press releases and speak to our sales teams. If there is a specific product or certification you’re interested in, or just want more information on these certifications, let us know.