The defense industry, public authorities and many operations in critical infrastructure have critical information that needs to be protected from falling into the wrong hands and/or be manipulated. This information resides in secure and in some cases even secret networks, networks that all have strong security requirements. But how do you fulfill these strong security requirements? And what does it really mean that ‘something is secure’? The way forward is to focus on assurance.
High security increasingly important - security requirements increasingly higher
That something is “secure" is a trait that is becoming increasingly desirable. How nice wouldn’t it be to be able to trust security fully in all the technology that our systems require? Security requirements are constantly rising. What do you do in systems where it must never go wrong, when it really must be secure?
What do we mean by secure and how do you measure it?
First, we need to think about what do we really mean by secure? Although it is possible to define what you want for a given situation, for example 'It should not be possible to hack the network!', security is almost impossible to verify. There are no absolute methods that can extract a value and place it on a scale of what the security level is for a particular technical gadget. So both stating requirements on security and measuring it is difficult.
That it is difficult to measure security is the reason why we prefer to talk about assurance, rather than security.
There are approaches to how to express security requirements. For example, Common Criteria (CC), ISO / IEC 15408, which is an international standard for setting requirements for and evaluating the implementation of the security of IT products. To express their requirements for security in IT products, Common Criteria demands you write the requirements expressed in a protection profile. Protection profiles are used to describe requirements for the security features of the IT product and the corresponding assurance requirements in a clear and verifiable manner.
The requirements for security are formed based on two aspects:
- Security features: what security features are needed to meet the potential threats (security features mean what function the product has, such as encrypting, filtering information or ensuring that information only goes in one direction are all different security features)
- Assurance requirements: how carefully the security features should be evaluated, ie how far should one go in presenting evidence. The further you go, the more confidence you gain in the security feature.
High assurance ensures confidence in the security features
What does high assurance mean? If you look at dictionary.com, you will see that assurance can mean a declaration intended to give confidence. Advenica uses the following definition:
"assurance in security means the degree of confidence that a product or system correctly performs its required security functions and that they cannot be circumvented"
Assurance is not an absolute feature either, but it shifts the discussion to something that you can actively act on. I.e. What activities and methods have been used to increase the likelihood that the security product will behave securely? These can be methods for defining security requirements, choice of architecture, design choice and quality assurance methods.
In recent times, it has also proved important to look beyond the design and consider the risks in the manufacturing of the security product. In addition to activities under development and manufacturing, the assurance needs to be maintained after a security product has been distributed. As a respected security company, it is natural that you continuously monitor the outside world and inform your customers if the security, or the assurance, is affected in the delivered solutions if weaknesses are found or when trust in some technology is changed.
Listen to our webinar about the design and implementation of Top Secret products!
When security requirements are high - then products with high assurance are required
Advenica offers solutions for cybersecurity that meet the very highest security requirements. We analyse, design and implement security solutions that prevent intrusion, data leakage and manipulation of information worthy of protection.
We control every step from design to aftermarket to ensure high assurance.
The product development at Advenica differs from traditional development work. Our customers demand that we with high assurance can vouch for and can demonstrate that our solutions are secure. We can only do this if all work is done under strong security protection and if the solutions chosen are easy to gain confidence in, ie they are easily evaluable.
High demands on security mean that we develop and produce important parts of solutions ourselves. This means that we can ensure the IT security protection for the development and manufacturing environments, the shell protection of the premises, including the availability of reliable and security conscious personnel.
Different methods are used to demonstrate the security of our solutions. One is to let a third party review the solution and report on the security. Another method is for the customer to review our solution to form their own opinion about the level of assurance and security. Another method is for the customer to take part of Advenica's security analysis of the solution.
Once the product is delivered, Advenica hands over the responsibility for the product's security protection to the customer. To facilitate, Advenica encloses distinct recommendations on how the product needs to be managed. A classic challenge in maintaining security is to configure and use the product correctly. It is therefore important that Advenica trains the customer's staff. Interactivity during the training is a reassurance for both the customer and Advenica that the security of the solution will be well managed.
Secure the future
As part of Advenica's high assurance targets and long-term commitment, we currently provide detailed monitoring of the outside world for products used by our customers. This means that we continuously review external factors that may affect the requirements for maintaining the right information security, such as legal requirements, new types of threats, current events or problems that could potentially affect the solutions. External monitoring of Advenica's products may be included in a support agreement.
Thanks to this monitoring, our customers, with our products and services, can take full advantage of the digitalisation without compromising security, integrity and confidentiality, today as well as in the future.
Read more about our product development with high assurance in our White paper #08 "Product development with high assurance".