Government agencies and private enterprises require the highest level of security for their API, SOA, XML, Web services and information sharing initiatives. The US National Information Assurance Partnership (NIAP) created Common Criteria (CC) certification and associated Protection Profiles (PP) to help government agencies improve security for their networks. The Common Criteria evaluation process is an internationally-recognized certification for information assurance products. Many US government agencies include Common Criteria certification as a requirement in their RFPs.
Network security solutions that receive Common Criteria certification have been rigorously engineered to the highest degree of quality and feature security capabilities that have been reliably implemented. Information regarding the Common Criteria and CC certification can be found in the following NIAP document:
“The CC combines the best aspects of existing criteria for the security evaluation of information technology systems and products.
The Common Criteria represents the outcome of efforts to develop criteria for evaluation of IT security that are widely useful within the international community. It is an alignment and development of a number of source criteria: the existing European, US and Canadian criteria (ITSEC, TCSEC and CTCPEC respectively). The Common Criteria resolves the conceptual and technical differences between the source criteria. It is a contribution to the development of an international standard, and opens the way to worldwide mutual recognition of evaluation results.
Criteria developments in Canada and European ITSEC countries followed the original US TCSEC work (Orange Book). The US Federal Criteria development was an early attempt to combine these other criteria with the TCSEC, and eventually led to the current pooling of resources towards production of the Common Criteria.”
CA Layer 7 provides secure API, SOA, XML and information sharing solutions to some of the most demanding private companies and governmental organizations around the world. As part of its efforts to deliver the most reliable solutions for secure integration, CA Layer 7 is committed to maintaining Common Criteria certification for its API Gateways, in both hardware and virtual appliance form factors.
The CA Layer 7 SOA Gateway v8.0 has recently been certified to be conformant with NIAP’s Common Criteria Protection Profiles for Enterprise Service Management:
“This Protection Profile focuses on access control decision and enforcement. A product/product component that conforms to this Protection Profile consumes a centrally-defined access control policy and enforces it. In doing so, it provides preventative security to the enterprise in a consistent manner. A product that conforms to this Protection Profile is expected to intercept requests against some type of defined resource (such as a file system object on a workstation or a web site on an organizational intranet) and determine if the request should be allowed”
“This protection profile focuses on access control policy definition and management. ESM Policy Management products (PMs) will allow ESM Policy Administrators to configure and manage Access Control products in order to determine how objects should be protected throughout the enterprise. The output of this administrative action will be the production and distribution of policies to Access Control products. PMs should also be able to control the basic behavior of these products such as what events they audit, where they store audited event data, and how they should operate in the event of a loss of communications with the PM.”
The Common Methodology for Information Technology Security Evaluation v3.1 rev.3 was used as the evaluation methodology. This methodology meets the highest defense and intelligence community requirements for security, management and control capabilities in on-premise and cloud-based data security deployments.
The Layer 7 SOA Gateway uses industry-leading API Gateway technology from CA Layer 7 to combine identity-based access control, message-level security, service mediation and SLA enforcement functionality in order to deliver effective governance, federated ESB and cross-domain solutions for integrations that span agencies, departments and the cloud.