We did it! Vormetric is officially the first vendor to receive the Enterprise Security Management (ESM) Policy Management Protection Profile (PP_ESM_PM_V2.1) Common Criteria certification for the Vormetric Data Security Manager (DSM) V6000 appliances. While this has been one long and difficult journey, it’s also been one huge accomplishment.
The National Information Assurance Partnership (NIAP), a U.S. organization responsible for implementation of Common Criteria certification, no longer evaluates products against Evaluation Assurance Levels (EAL). According to NIAP, this strengthens evaluations by focusing on technology-specific security requirements. A NIAP-approved Protection Profile encompasses the security requirements and test activities suitable across the technology, with no Evaluation Assurance Level (EAL) assigned; hence the conformance claim is "PP".
So, why did we claim conformance to the ESM Policy Management Protection Profile?
The ESM Policy Management Protection Profile focuses on access control policy definition and management. ESM Policy Management products (the Vormetric Data Security Manager in this case) allow policy administrators to configure and manage Access Control products (such as Vormetric Transparent Encryption) to determine how objects should be protected throughout the enterprise. This administrative action produces policies and distributes them to the access control products. Policy Managers should also be able to control the basic behavior of these products: what access-control events they audit, where they store audited event data, and how they should operate in the event of a loss of communications with the Policy Manager (the Vormetric DSM). Vormetric Data Security Manager and Vormetric Transparent Encryption agents do exactly what the protection profile is all about.
Vormetric Data Security Manager gets even more robust security with strict adherence to cipher protocols, better entropy, and audit logging for many security-related events.
While this certification is a requirement for some U.S. Federal Government agencies (and some government agencies across the globe), it also gives enterprise customers the assurance that products are audited and validated by U.S. Federal Government approved Common Criteria Test Laboratories and the National Information Assurance Partnership (NIAP).
You can learn more about Common Criteria here. An overview of the policy management protection profile and the specification is published by NIAP.
Details about the product certification are available on the NIAP website.