The Communications-Electronics Security Group (CESG) is the information assurance arm of the UK’s Government Communications Headquarters (GCHQ), itself the centre for the government’s signals intelligence (SIGINT) activities. It is an irony that such national authorities often set the commercial security standards that make their own ‘intelligence’ activities more difficult (the National Security Agency’s involvement in the development of the Advanced Encryption Standard being a prime example).
In the UK, CESG operates the Commercial Product Assurance (CPA) programme, a new framework for gaining confidence in commercial security products. It works by using independent assessment organizations to test products against CESG-defined security criteria. The framework comprises four basic assurance categories: intrinsic, extrinsic, implementation and operational. Use of CPA-certified products can be mandated for the public sector, but they are equally valid in the private sector. The programme was launched last year, and the first products are now starting to come through its evaluation process.
The very first CPA-certified product is Becrypt’s DISK Protect, certified at Foundation Grade. At the beginning of this year, the Electronic Frontier Foundation urged everyone to make and keep one primary resolution for 2012: full disk encryption for all hard disks. DISK Protect does just that – it provides full disk encryption for both desktop and portable computers, and can ensure that data on removable media such as FireWire and USB devices, SD cards, and other mass storage devices is encrypted under the AES standard.
Every week we hear about new personal data loss through mislaid and stolen laptops, often by local authorities and national bodies such as the NHS. “This CPA Foundation certification,” Becrypt’s Keith Ricketts told Infosecurity, “gives organizations like local authorities, NHS trusts and commercial organizations in financial services, pharmaceutical and even engineering, an assurance that the product is fit for purpose and has been tested against a set of strict criteria.” We are moving, he added, “towards the situation where every public sector laptop and mobile device will be fully encrypted as standard. Almost every week we hear of another laptop holding citizen data that has been lost. The CPA Foundation certification means that there is really no excuse for organizations not to protect data.”