S'pore en route to become a Common Criteria certification center

Industry players welcome the evaluation lab for security products, but note that most customers currently do not ask for such high-level certification.

SINGAPORE--The country has unveiled plans to set up a lab to assess and certify security products against the internationally-recognized Common Criteria standard. But while industry players welcome the move, they stress that most companies currently do not ask for that high level of security assurance.

With this announcement, the island-state will join a current short list of seven such facilities located worldwide: Australia, Canada, France, Germany, Japan, the United Kingdom and the United States. The Common Criteria (CC) is a globally-recognized standard adopted by governments and organizations worldwide for the assessment and certification of security components within an IT product or system. It offers seven levels of certification.

Plans to establish a CC scheme here were first revealed in February this year when Singapore unveiled its S$38 million (US$23.2 million) Infocomm Security Masterplan.

"Products with Common Criteria certification receive worldwide acceptance and gain access to markets that mandate the use of these criteria," said Dr Lee Boon Yang, Singapore's Minister for Information, Communications and the Arts, during his keynote address at this morning's Forum of Incident Response and Security Teams conference. "This initiative will greatly enhance Singapore's position as an ideal test-bed for infocomm technologies and solutions."

Established by the Infocomm Development Authority of Singapore (IDA), the CC scheme will provide an infrastructure for companies to evaluate and certify their security products and enable the local industry to penetrate foreign markets, said Khoong Hock Yun, IDA's assistant chief executive of infocomm development.

"A growing number of governments require info security products to be CC certified," he said. "If our products don't meet that (requirement), then those markets are closed to us."

Khoong added that, with an evaluation and certification facility in Singapore, companies here that want the CC endorsement on their products will no longer have to spend as many resources just to send a team to the other CC facilities located overseas.

The nation's Productivity and Standards Board (PSB) will be responsible for issuing the CC certifications, while T-Systems will operate the Singapore facility, he said.

PatchLink and e-Cop will be the first two companies to undergo the certification process here. Their evaluations will also be assessed by "shadow" auditors from the international CC board to ensure the Singapore facility meets the global requirements for a CC center, Khoong explained. He added that IDA aims to have the lab become a full-fledged CC center by end-2006.

Bonus benchmark
The CC certification will serve as an additional benchmark that companies can rely on when they assess IT products in the market, said Yap Chee Yuen, CIO of JTC Corporation, a Singapore-based industrial land developer.

"It would save us a lot of cost, in terms of having to reinvent the wheel of testing and finding out information about the product before we decide to buy it," he said. "Of course we will still assess and evaluate the product, but with the CC certification, the safeguard is there. And I'll feel more comfortable using the product."

He also reviews security tools by the same standards as all other IT products and services. "They must be robust, stable and reliable. And they must be well supported by the vendor," he noted.

Yap added that although he would look out for products that adhere to such global standards, he would not necessarily peg them as a mandatory requirement. For JTC, a vendor's overall track record is just as important.

"In the absence of a CC-type certification, I would still look at the vendor's relevant industry experience and ask for a customer reference," he said. "Having such certification is a hallmark that the company has attained a certain level of product assurance and it helps cut down our assessment effort. But it's just another variant in how we evaluate a vendor's offerings. As long as they meet our criteria, we will still buy their products."

Singapore-based systems integrator Datacraft Asia-Pacific also welcomes the government's CC initiative, but notes that most businesses today do not actively seek such certification.

Keri Lewis, the company's general manager of security solutions, explained: "CC requirement in products is driven primarily by government regulatory requirements, financial institutions and other organizations in industries which regard security as a critical component in their business.

"It is a very specialist market," he noted. "Most customers don't require that level of security assurance within the products they deploy."

Having participated in a CC validation process with a company he once worked for, Lewis noted that the procedure requires "a significant effort".

"CC does carry a significant investment overhead for a technology provider, depending on the level of certification they seek, and that (cost) element itself could be passed on to the client," he noted.

Lewis added that an IT vendor also needs to send its CC-certified products back for re-evaluation and certification each time a new module or feature is added. And each time, the company will need to provide product data such as diagrams, documentation and source code, he said.

"That said, I certainly welcome this initiative because it sends a strong message out to the market and the world that Singapore is interested in security, and is prepared to work within the Asia-Pacific framework to build the capabilities here in the region," he noted.

The establishment of an evaluation facility also provides local resources for Asia-based companies to test and certify their products for the international market, Lewis added.