A certificate is a very important document, but in the end it is just a piece of paper.
What it gives, to whom, and why it is needed at all: we try to work that out under the cut.
What does certification give?
To begin with, let’s settle which certification we are talking about. The essence of certifying anything is the process of checking, confirming or assessing compliance with requirements recorded somewhere. Certification is mandatory or voluntary depending on the area of application, and various state and non-state bodies are responsible for it accordingly. For example, the registration certificate (a close relative of a certificate) for the face masks we have all become so familiar with is issued by Rospotrebnadzor after an examination.
There are two main regulators in the field of certification of information security tools in Russia: FSTEC and the FSB. The FSB mainly handles the certification of cryptographic tools, while the remaining information security tools (may or may not) need to be certified by FSTEC, as we will discuss further on.
FSTEC has developed sets of specialized requirements for certifying standard protection tools such as firewalls or antiviruses. All other tools are certified for compliance with technical specifications or security targets, where the set of security functions is defined by the product’s developer. This is somewhat reminiscent of Soviet stewed meat made according to GOST versus according to TU, except that in some cases there simply is no GOST.
The path to a certificate is long and thorny. Everyone decides for themselves whether to walk it, crawl along it, or “lie down facing the right direction”. Not everyone reaches the finish line, but for the lucky ones the coveted certificate is a pass into a market that is not the largest, but is competitive: the market of certified information security products.
You will have to understand your product and its development technology
So, certification is a harsh process. Testing labs pull the soul out of developers as skilfully as Shang Tsung.
You will not only have to identify the security functions, but also show exactly how they work and which source code implements them. Those who want to get closer to protecting the sovereign’s secrets will also have to go through entertaining quests with fuzzing and other fun tools worthy of engineer John Kramer. Cold sweat and sleepless nights are guaranteed, but you will come to remember your code from “main()” to the last expletive.
In addition to code analysis, you will have to pass checks of the development process itself: describe your gitflow and CI process, how you fix bugs, how you deliver fixes to customers, and so on.
The development of security tools must itself be secure, not dangerous. Fancy that!
These delightful amusements are actually useful. Products built from govnokod (crap code) are unlikely to get a certificate. Agile in its worst sense, as in “we’ll fix it right in production”, is not suitable for certification, nor are products thrown together by frantic hands with burning eyes out of “a pile of plastic bottles”.
What certifiers and Langoliers have in common
These cute creatures tirelessly devour time and space. Once you decide to start certification, assume that you and your team members are already a year older, because hardly anyone gets certified faster than that.
It usually goes like this. First, you train the testing lab staff on your product, and they will then prove to the regulator that you are not a camel. In the sense that your product is not a camel: it has the security functions required for certification, and you develop it securely.
Next, together with the testing laboratory, you write a certification application and the technical specification (security target), in which you define which security functions should be sought and found in your product. As soon as the application is accepted, the tedious part begins.
First you need to prove to the testing laboratory, and describe in detail, that the declared functions conform, and then, together with the laboratory, withstand a hundred thousand “WHY”s from the certification BODY. Each step can take N, or even K, iterations. In short, it will not be easy, and sometimes it drags on for a horribly long time.
Learn to stretch an owl onto a globe
Guiding documents (RD) are not guidelines or training videos from Google. RD can be read “not by just anyone”, only by those who can translate from officialese into Russian without a dictionary. Most testing laboratories manage this task. But, alas, there remain those who quote the RD like Scripture. So when choosing a laboratory, look for one whose representatives do not light up in religious ecstasy at the words “guiding document”. Otherwise you risk ending up in a branch of the Holy Inquisition, whose purpose is to convert the infidels into the faithful, brightly and with fire.
“What do the owl and the globe have to do with it?” you ask. The thing is that, considering the release date of some of the current RDs that define the main terms and definitions (the end of the last century), the success of certification sometimes depends on correctly interpreting the requirements and being able to substantiate your position.
The testing lab should be your partner, not your torturer. In general, choose your partners carefully. Otherwise it is you who will be stretched onto the globe.
Who needs certified products?
So, the coveted indulgence has been received. We can now offer our product to thirsting government agencies and businesses with state participation. Why do they need certified products?
It’s simple. Using non-certified products is either prohibited or not recommended. State information systems (GIS) cannot be put into operation without attestation for compliance with security requirements. And attestation, in turn, can only be carried out if the security requirements are implemented with certified protection tools.
A needle in an egg, isn’t it?
A similar situation exists at critical information infrastructure (CII) facilities, where only domestic products and certified information security tools should be used. So there is a market. Small. Competitive. Clumsy …
In short, stay away, there isn’t enough to go round for us as it is ☺
Personal data protection also deserves a mention. Its requirements almost exactly coincide with those for GIS protection, but ISPDn (personal data information systems), unlike GIS, do not need attestation, and nobody is in a hurry to buy certified products ahead of time. After all, even in theory they should cost more, to pay for the year you donated to certification.
Who needs a certified mobile device protection and management system?
Now for something a little personal. In our vast homeland, where people breathe so freely, electrification is practically complete and we are moving by leaps and bounds towards digitalization, a word that only Word has not heard of. In order to “outstrip” (another word unknown to Word) the achievements of all those who “do not like us, but really want to”, practically all areas of the economy are being digitized in every ministry and department.
Take the name of any blue-collar profession, add the word “digital” to it, and you can apply to a competition for innovative projects!
Consider, for example, the hypothetical Digital Milling Machine Operator project.
Our project will equip the poor digital fellow with a smartphone that collects information from all the smart junk he wears and sends it to the GIS server.
In return, the GIS server will send recommendations back to the smartphone: how to sharpen the milling cutter, when he may go out to answer the call of nature, and so on, all in order to earn the 13th-month bonus.
So, we need to deliver a digital project. For this it must be certified. And here we have only two ways:
Implement the security functions in your own software and certify it. This takes a year and dedicated people who will lay their man-hours on the altar of the certification process. Some do this, but more often they take the second path.
Buy certified protection tools that cover the requirements for certification.
In practice, the following set of certified security tools for mobile devices is sufficient for successful GIS certification:
A VPN with GOST encryption. Any with a certificate from the FSB of Russia will do.
An MDM / EMM / UEM certified by FSTEC of Russia.
An antivirus with a certificate from FSTEC of Russia.
And now, a commercial break!
The only MDM / EMM / UEM solution certified for Android and iOS is our SafePhone platform… Of course, an iPad is not in the cards for a digital milling operator. But if the head of some specialized department, who has been forced to work remotely, wants access to work files from an iPad without sending them to a personal Google mailbox, he will have to certify a remote-access GIS, and here we can help him.
One more thing. To reduce costs for our customers, we recently integrated Kaspersky Lab antivirus libraries into our platform. Now, to satisfy the regulator, you need to buy one solution fewer. Meet SafePhone MTD Edition…