By: Abhi Maras, Product Line Manager
If you track the WLAN security oriented certifications closely, you may have noticed that Ruckus was recently certified for Common Criteria. (You can find the certification here.) For those who are not familiar, let me give a quick insight into what it means and why it is important.
What is Common Criteria?
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard for computer security certification.
Through the use of Protection Profiles (PPs) and Security Target (ST), vendors can implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner at a level that is commensurate with the target environment for use.
There are member nations that are classified as Certificate Authorizing Members and Certificate Consuming Members. They have the authority to issue and consume a CC certification, and only consume (not authorize) certification given by any authorizing member, respectively.
At the time of this writing, there were 17 authorizing members and 8 consuming members.
If the product is certified does it mean it is secure?
Common Criteria certification is primarily specified for IT procurement. Typically, an Evaluation Assurance Level (EAL) or type of Protection Profile (PP) is specified. Common Criteria certification cannot guarantee security, but it can ensure that claims about the security attributes of the evaluated product were independently verified. In other words, products evaluated against a Common Criteria standard exhibit a clear chain of evidence that the process of specification, implementation, and evaluation has been conducted in a rigorous and standard manner. In general, getting a product CC certified shows a vendor’s commitment towards getting their product thoroughly examined against the claims they make. So, it’s a good thing!
Wait a minute, isn’t EAL is going to be obsolete?
Well, yes but then again….
In the EAL process, vendors create the ST and evaluate their products against it versus an existing PP that an under-certification product has to evaluate against in the PP world. This is great but the latter also took away the ability for two similar products to differentiate from each other, as this is a must have set of requirements. While PP is new and possibly the future, EAL is still very much alive and still being issued. At the time of starting the CC certification journey back in 2014, for various reasons EAL made more sense to us and some of the product enhancements to comply were applicable to PP as well. PP also has undergone quite a bit of evolutionary change in the past couple of years. You can read all about the evolution here.
While we at Ruckus enjoy working alongside the good folks at CC, I am glad this was completed at the intended stroke of the clock (how many times does that happen in software lifecycle!?) For more details on the certified products and versions please take a look at the Common Criteria website.