
There is no reason why the security and future of an organisation should be gambled on the promises of an employee tasked with portraying another company's product in the best possible light.
This is according to Nader Henein, security advisor for Research In Motion (RIM) EMEA, who recommends that customers do their due diligence when it comes to the security of their organisations. “Please don't just take my word for it,” he says.
Henein unpacks a typical scenario of a respectable man coming into an office, in a smart suit, and boasting of impressive security accolades. Although the person in this scenario exudes professionalism and wisdom, does one actually have any real reason to trust him with the security of the company? Henein thinks not.
The main issue is how clients who are concerned about the security of their networks and their data can differentiate the truth in this scenario from a well-crafted marketing message. “Quite simply, they shouldn't have to,” says Henein.
Thus, Henein calls for independent third-party accreditation. “Traditionally, this is conducted by well-resourced, government-certified labs to thoroughly test claims made by vendors about their products,” he says.
The BlackBerry Security Group has a team dedicated to certification, with labs around the globe. These labs work on various government and industry certifications to effectively remove the word “trust” from the equation.
The certification process is lengthy and expensive, as it requires code reviews, penetration testing and a close working relationship with certification labs.
“This is not a one-off process. We have to certify all major versions of our devices and server software so that the entire life cycle of the data, as it travels from your network to the mobile device and back, is covered,” Henein says.
How does this affect you?
“First of all, the next time Mr John Doe comes to visit and makes a claim about the security provided by his product, perhaps you can ask him who has certified these claims and when was the last time they did an independent code review, or if the current version is covered?” says Henein. A lack of certification is telling in itself, and a product that entered a certification process but never completed it is more telling still, since that may indicate it did not pass the evaluation.
According to Henein, only a few labs across the world have the capacity and expertise to certify a complex product with millions of lines of code. It is important to favour products that have passed certain internationally accepted certifications. “This way, you and your company can leverage a substantial amount of work to ultimately ensure you maintain a consistent security posture throughout the life cycle of your data, from server, to laptop, to smartphone, to USB drive, and beyond that on private clouds.”