In order to qualify a product as certified, it must pass a host of performance and quality assurance tests and satisfy the relevant regulatory criteria.
Commercial Product Assurance (CPA) is an accreditation scheme put in place by the UK Government to ensure the cyber security products utilised by both public and private sector entities meet published security and development standards. A security product awarded Foundation Grade certification is proven to demonstrate good commercial security practice and is suitable for lower-threat environments.
The UK Government’s National Technical Authority for Information Assurance (CESG) advises organisations on how to protect their information systems against cyber threats. CESG is an arm of the Government Communications Headquarters (GCHQ) and is the body providing the CPA scheme.
Becrypt, a company that manufactures cyber security software, is best known for its encryption software and supplies its products across both the public and private sectors. It has aided the Ministry of Defence in making better use of emerging technologies and emerging form factors, primarily in mobile devices. Becrypt’s Disk Protect data encryption solution – a cyber security solution it manufactures and supplies to government – was the first product to achieve Foundation Grade CPA certification back in March 2012.
Bernard Parsons, CEO and co-founder of Becrypt, commented on the value of the CPA scheme.
He said: “The changes that the CPA scheme brought about from a product perspective allowed for far more flexibility in terms of how products could be implemented and managed. It meant that we were able to deliver for the first time the kind of user experience that is common and expected within the commercial and enterprise space, and deliver that experience into government.
“The certification schemes that had existed prior to that – in particular the CESG Assisted Products Service (CAPS) scheme – were far too rigid in terms of how they mandated how the products were put together.”
He continued: “While not dropping the standards of security, it has been a much more agile and flexible certification scheme and meant that we could start delivering a very different experience to our users.
“CPA allowed for integration across lots of different product areas, so while the focus was on disk encryption, it was integrated with associated technology; be that device control, media encryption or just endpoint auditing. This meant that we could support a far broader range of devices, so as new tablets and other ruggedised devices came out we were able to evolve products at a pace able to support those. This was important for some of our customers deployed in ruggedised-appropriate environments.”
Becrypt’s original disk encryption software was built around the fundamental requirement of protecting data on devices such as laptops and tablets, ensuring that, if the device were lost or stolen, the data could not be recovered by unauthorised personnel. The product was employed by the MOD and is still utilised across all levels of classification.
The software is available in the commercial space, and variants are also provided that protect data in secret environments, whether within the office or in deployed settings. However, when branching out into deployed environments, there are typically requirements that extend beyond controlling and protecting the data on the device.
The user starts to think about whether they can trust the integrity of the operating system, whether they can reduce the likelihood of the operating system being compromised and whether they can adequately control how the device is used in terms of the applications it connects to.
With regard to electronic hardware and software manufacture, the two domains overlap considerably, as Dr Parsons explained.
He said: “So much of hardware manufacture is driven by software. It’s the means by which a lot of hardware subsystems are put together. Especially if you’re talking about safety and security in critical systems, there is a lot of formality around software processes, so there is a tremendous overlap. This is why you see engineers flitting about in between the two domains.”
He continued: “Although our role is specifically software, we work closely with device manufacturers to the point where we can influence design and confirmation. This ultimately leads to a joint solution provided to our customers. We’re predominantly talking here about mobile computing devices such as ruggedised tablets or semi-ruggedised smartphones.
“One of our active products at the moment is a semi-ruggedised smartphone where again we’ve worked with the manufacturer and have a deep understanding of their hardware architecture. From this we have built software on top of that which equates to a combined solution in the form of a secure semi-ruggedised smartphone being provided into defence.”
CPA holds an important place in the manufacture of cyber security software. The CPA scheme is the most accurate way an organisation can obtain a high level of confidence in the components of a system. It provides confidence in the processes and the quality of the company, the relatability of the product architecture and visibility that the implementation has been carried out to a high standard.
Dr Parsons commented: “I think CPA has a real place. However, it is to a certain extent at risk as a scheme in terms of its longevity.
“I would argue that it could benefit from more support and recognition. There is still a tendency with certain sectors just to opt for commercial best practice. That is a fairly undefined statement and it’s not going to meet the risk appetites of everyone, so there is a place for a scheme that guarantees that breadth of quality. I think it’s important that it gets the recognition that it needs to continue.”
Dr Parsons touched on the high standards in defence manufacture and provided some valuable advice to SMEs looking to break into the market.
He concluded: “High-grade standards in industry have evolved and become tougher. Some of those levels in the past have led to high costs, as one would expect. However, there is a lot of innovative work being done by SMEs at the moment which is demonstrating agility in this environment. CyberFirst is an example of a small UK company that is managing to operate successfully and demonstrate these kinds of attributes.
“SMEs should try and tap into government initiatives – look at funding opportunities. However, just as important, make sure you’ve got visibility of emerging use of requirements that are often channelled through those initiatives.
“Or indeed, validate your own ideas by testing them within these initiatives. You have things like Innovate UK which has funding associated with it but it also provides you a view of emerging requirements.
“You also have initiatives like Cyber Invest which bring together an ecosystem of vendors and academia, with input from government in terms of emerging requirements. So that’s a really good community to be a part of.”
Further Information
For more information, visit: www.cesg.gov.uk and: www.becrypt.com