Would I lie to you? The Need for Independent Certification
Column byline, Nader Henein, Security Advisor, RIM EMEA
Advisors, evangelists or consultants. Companies have long tried to repackage the way they deliver their message on security so that it doesn’t sound like a sales pitch. But the simple fact is that there is no reason why you should gamble the security and future of your organization on the promises of an employee tasked with portraying their product in the best possible light. I myself work within the Advisory Division of the BlackBerry Security Group, and before speaking at an event or to a customer I make it a point of saying “please don’t take my word for it – due diligence is key.”
Let’s look at the typical scenario. Mr. John Doe shows up at the office of your CTO, on time, wearing a freshly pressed suit with a stack of crisp business cards. His title boasts impressive accolades such as “Senior Architect” and “CIISP”; he’s an older gentleman who commands respect and exudes wisdom. Still, is there any reason to trust him when it comes to your organization’s security?
Over the better part of the past decade we have worked very hard to build a product at the forefront of mobile security. We have dedicated hundreds of thousands of man-hours in architecture, development and testing, the result of which is a solution widely regarded as the “Gold Standard” of mobile security.
But how can clients who are concerned about the security of their network and their data differentiate the truth in the previous paragraph from a well-crafted marketing message? Quite simply, they shouldn’t have to. Trust should never enter into the equation, and therein lies the need for independent third-party accreditation. Traditionally, this is conducted by well-resourced, government-certified labs that thoroughly test the claims vendors make about their products.
Within the BlackBerry Security Group we have a growing team dedicated to certification. They work tirelessly with labs in Canada, the US, the UK, Germany, China and many more on various government and industry certifications to effectively remove the need for “TRUST” from the equation. This is not a one-off process: we have to certify all major versions of our devices and server software so that the entire lifecycle of the data, as it travels from your network to the mobile device and back, is covered.
Certification is an expensive and lengthy process that requires, amongst other things, code reviews, penetration testing and a close working relationship with the certification labs, which are more often than not part of the sponsoring government.
So how does this affect you and the decisions you make? First of all, the next time Mr. John Doe comes to visit and makes a claim about the security provided by his product, perhaps you can ask him who has certified these claims, when the last independent code review was done, and whether the current version is covered. The lack of certification is quite telling as well; asking whether they have started but not completed the process of certifying their product may indicate an undisclosed security flaw.
Secondly, only a handful of labs across the globe have the capacity and expertise to certify a complex product with millions of lines of code, so why try to do it in-house? Make a policy that “prefers” products that have passed certain internationally accepted certifications. This way you and your company can leverage a substantial amount of work to ultimately ensure you maintain a consistent security posture throughout the lifecycle of your data, from server to laptop to smartphone to USB drive, and beyond that to private clouds.