Security: Itsec Repellent

Pete Morris explains why the hard-hitting Itsec security testing scheme is being shunned by antivirus software vendors

Almost everyone agrees that some kind of independent evaluation of IT security products is a good thing – how else can dealers and customers know that a complex product does what it says it does? But there is a widespread industry belief that the current Itsec scheme, particularly with regard to antivirus products, is not working.

The Itsec scheme – administered by the Communications Electronics Security Group (CESG), a division of GCHQ – involves comprehensive testing of security products to one of six assurance levels. The testing is conducted by one of five testing centres, or Clefs (commercial evaluation facilities), and it is not cheap. Antivirus vendor Dr Solomon's reckons it would cost up to £100,000 to certify just one of its products.

Having the Itsec seal of approval may be considered a good thing by some large government customers, but there is no guarantee that forking out all that money will bring in any extra sales.

For this reason, a number of US manufacturers are trying to get their UK distributors to pay a proportion of the evaluation costs, on the basis that it will increase sales and benefit the distributor. But what has really thrown the Itsec evaluation process under the spotlight is the Mexican stand-off in the antivirus world. As yet, none of the big vendors in the UK market (Dr Solomon's, McAfee or Sophos) has elected to put its products through the scheme.

If the situation remains like this, then the future of Itsec's antivirus evaluation is itself in doubt. Certification tends to work best when one company decides to invest in the badge, and its rivals then feel that they have to sign up as well – principally to stop the first company stealing a march by using the certification as a marketing tool. This all breaks down if none of the vendors feels there is a need to invest in certification, and their customers are not clamouring for it either.

Mike Hill, product marketing manager at Dr Solomon's, says the cost of Itsec's antivirus testing proposals, which could run to £1 million to accredit all his firm's products, is too high. "The Itsec antivirus scheme has not got off the ground. It has developed a good testing method, but the cost is too high and the tests are too academic for the business world."

It is a bone of contention among manufacturers that the Itsec tests, for all products, are based more on checking that there are no flaws in the source code than simply on how well the product works. Hill says changing the tests to this more basic level would bring down the cost of certification, which would encourage more firms to get their products certified.

"All the main antivirus players in the UK are waiting for the other to jump. We won't pay the money for certification if there is no need to," says Hill.

He maintains the problem with the Itsec scheme stems from its limited appeal to users. "Commercial customers don't really care whether a security product has Itsec approval. They are more concerned with recommendations from other customers, resellers and magazine reviews. It is a scheme from one government department that appeals mainly to other government departments rather than to commercial customers."

The Itsec scheme is not just concerned with antivirus software. The Clefs test and certify all types of products, from high-level encryption that can only be used by governments through to standard operating systems. Itsec has also started to certify firewalls.

Chris Durnan, MD of firewall distributor Peapod, says the Clefs are pushing hard to get into firewall certification, which is seen as a growth area.

"Once one company gets certified, others have to as well," he explains.

Durnan says a blanket certification proposal from one of the larger Clefs for the Borderware firewall, which it distributes in the UK, would cost up to £80,000 as a one-off cost. There is also the problem of having to pay additional costs to recertify the product in future versions. The company paying for the evaluation (called the sponsor) also has to supply engineers to help the Clef get to grips with the product.

"The problems with the Itsec scheme are the cost and the time it takes," says Durnan. The quicker the evaluation – and manufacturers want to ensure they get in the earliest edition of the Itsec product catalogue – and the higher the accreditation level, the more it costs.

"Security dealers want products to get certification," says Durnan. "But at the moment commercial customers don't ask for it." He reckons this will change, though, and that an Itsec certification will become an increasingly important part of the tendering process.

Oliver Mills, a representative of specialist distributor International Data Security (IDS), says Itsec accreditation is vital for products that are being sold to governments, and is of some use when selling commercially.

"A nod is given to the accreditation level by commercial customers," he says. "It means the product has been tested and this will give the customer some reassurance."

But whether Itsec offers value for money for manufacturers, he says, is a harder question to answer.

"To certify an antivirus product will cost £50,000 to £70,000, which means the vendor needs to sell £150,000 to £200,000 of product to recoup that investment." There is no guarantee that the accreditation will increase sales, and so the cost is prohibitive – particularly to small security manufacturers, which would benefit most from having such a stamp of approval.

"It is more likely to improve sales of operating systems than specialist packages," says Mills. Microsoft, for instance, has improved its credibility in the security market by getting Windows NT accredited, but a large company can more easily afford the cost. For an antivirus vendor or other security specialist it is unlikely that accreditation will bring such a sudden and dramatic increase in sales, and it is far harder to find the necessary cash.

Tim Moore, deputy head of the UK Itsec scheme at CESG, says he has some sympathy with manufacturers that complain about the cost of putting products through evaluation, but that tests have to be done professionally and thoroughly – and that process does not come cheap. "We are not aware of any automatic tools that could be used to test the logical components of systems thoroughly enough," he says. "So the testing has to be done by skilled people. The fees set are commensurate with the effort needed."

One suggestion for creating a more level playing field would be for manufacturers (or other sponsoring companies) to pay a fee that was related to their size, thus avoiding the discrepancy of Microsoft paying the same as a small UK access control company. But Moore says that such a solution, which might seem like a sensible one, would cause more problems.

"We would have to audit companies to make sure that they really were the size that they claim, and in practice there would be complaints from all sides," he says.

Moore also acknowledges that there are special problems raised by antivirus products when it comes to certification – not least because viruses evolve so quickly, so antivirus software would need to be constantly upgraded. "We are still talking to antivirus vendors," he says.

One area of ongoing discussion is to what level any certification might be. The most common level of certification is E3 (see box) but, says Moore, antivirus vendors are considering lower-level evaluations to save money. "Antivirus vendors do not think that much is expected of them," he says. "But the question is what value purchasers put on accreditation."

Ultimately, CESG admits that it is for users and dealers to demand the certificates from their suppliers rather than companies being forced into the scheme.

Although Itsec's immediate concern is how to deal with the thorny issue of antivirus certification, there are wider, underlying problems that also need to be addressed. The most obvious ones are the cost and duration of the evaluation, and the relevance of the logical testing of source code to the majority of UK businesses (other organisations like the NCSA and the UK's Secure Computing offer cheaper integrity testing of products). Since April 1997, the CESG has also charged its engineers' time at cost, adding to the amount that businesses have to pay.

There is also the issue of the geographic coverage of the certification. Until the advent of the Common Criteria standard next year (see box), there remains the problem that an Itsec accreditation is only of use in the UK and in some other European countries that have reciprocal arrangements. A product that is certified in the US currently needs to be recertified (at full cost) in the UK.

McAfee representative Caroline Kuipers says that the reciprocal agreements within Europe enable a manufacturer to get an accreditation elsewhere that is valid in the UK.

But the real key to what happens with accreditation is going to be driven by the customer. A combination of high pricing and a low profile has meant that the Itsec scheme has not really taken off in the UK, but in an increasingly congested security market it is vital for dealers and users to have an effective system of accreditation.