The Importance of Common Criteria Certified Solutions in Highly Secure Environments

By: Carlos Soto
January 25, 2018


We ordinarily don’t do guest blogs at Tech Writers Bureau. However, we recently came across a glaring cybersecurity gap: no network access control (NAC) tool had earned Common Criteria certification, leaving a potential vulnerability for most public and private networks.

This led us to invite Jon Green, CTO for Security at Aruba Networks – a Hewlett Packard Enterprise company – to write a short blog about this gap and how ClearPass, a solution from Aruba Networks, addresses this challenge.

Common Criteria Certified, ClearPass is Ideal for Highly Secure Environments

By Jon Green

An increasingly digital world has created new levels of convenience and efficiency, but cyberattacks have been an unintended consequence. Mobile, cloud, and IoT are changing how people live and work, but they also significantly expand the attack surface. It’s no surprise that security teams are taking huge steps to protect their organizations against relentless—and increasingly successful—cyberattacks. Many security teams look to validated security standards to enhance their confidence in the products they deploy so they can protect their organizations in an increasingly complex and dangerous threat environment.

In more than 28 countries around the world, the gold standard for security is the Common Criteria. Governed by ISO/IEC standards bodies, the Common Criteria testing and validation program evaluates and ensures that IT products perform to high and consistent standards.

The Common Criteria is mandated for products used by US federal agencies, especially defense and intelligence, as well as critical infrastructure like power plants and dams. But increasingly, security professionals in the private sector look for products that are Common Criteria certified. Healthcare, financial services and other industries that must maintain highly secure environments are relying on the Common Criteria for independent validation that their IT products are safe and secure.

We have been at the forefront of Common Criteria certification across our product portfolio, including wireless access points, switches, mobility controllers, and remote VPN software. Now, we are proud that ClearPass Policy Manager is the first network access control (NAC) solution in the industry to be awarded Common Criteria certification under a government-approved protection profile.

In January 2018, ClearPass was awarded Common Criteria certification under both the Network Device collaborative Protection Profile (NDcPP) and the Authentication Server Extended Package. The certification was awarded by the National Information Assurance Partnership (NIAP), the US government initiative that oversees the Common Criteria program. ClearPass certification was validated through Gossamer Security Solutions, a world-renowned independent testing lab.

The Network Device collaborative Protection Profile (NDcPP) is a baseline for any network-connected device or system – in essence, if a product can connect to a network, it should meet these standards. The tests focused on security requirements covering authentication, encryption, physical security, X.509 certificate validation, known vulnerabilities, and TLS/SSL processing. The Extended Package for Authentication Servers is an add-on for NDcPP and assesses functionality and security specific to RADIUS authentication servers.

The certification also qualifies ClearPass to participate in the US National Security Agency’s Commercial Solutions for Classified (CSfC) program. Now, US government customers deploying classified communications systems under the CSfC program may use ClearPass to authenticate user and device access over wired, wireless and remote connections.

Continuing our Security Leadership

ClearPass has long been known in security circles as a great NAC solution, but Aruba may be the best security company you’ve never heard of. For years, we were the only NSA-approved solution for Suite B (now known as the somewhat-longer “Commercial National Security Algorithm Suite”) wireless connectivity. Our access points and controllers have long been FIPS 140-2 and Common Criteria validated. We’re one of the only companies in our industry with a bug bounty program. And we’re breaking new ground with IntroSpect User and Entity Behavior Analytics (UEBA), which uses machine learning to spot changes in user behavior that give security teams insights into malicious, compromised or negligent users, systems and devices, so they can cut off the threat before it does damage.

Go Deeper

Learn what’s new in the ClearPass Policy Manager 6.6.3 release.

Read my previous blogs:

FIPS… Common Criteria… What Does It All Mean?

FIPS… Common Criteria… What Does It All Mean? (Part 2)