Government agencies and private enterprises require the highest level of security for their API, SOA, XML, Web services and information sharing initiatives. The US National Information Assurance Partnership (NIAP) created Common Criteria (CC) certification and associated Protection Profiles (PP) to help government agencies improve security for their networks.
Network security solutions that receive Common Criteria certification have been rigorously engineered to the highest degree of quality and feature security capabilities that have been reliably implemented. Information regarding the Common Criteria and CC certification can be found in the following NIAP document:
“The CC combines the best aspects of existing criteria for the security evaluation of information technology systems and products.
The Common Criteria represents the outcome of efforts to develop criteria for evaluation of IT security that are widely useful within the international community. It is an alignment and development of a number of source criteria: the existing European, US and Canadian criteria (ITSEC, TCSEC and CTCPEC respectively). The Common Criteria resolves the conceptual and technical differences between the source criteria. It is a contribution to the development of an international standard, and opens the way to worldwide mutual recognition of evaluation results.
Criteria developments in Canada and European ITSEC countries followed the original US TCSEC work (Orange Book). The US Federal Criteria development was an early attempt to combine these other criteria with the TCSEC, and eventually led to the current pooling of resources towards production of the Common Criteria.”
Layer 7 provides secure SOA, XML, API and information sharing solutions to some of the most demanding private companies and governmental organizations. As part of its efforts to deliver the most reliable solutions for secure integration, Layer 7 is committed to maintaining Common Criteria certification for its Gateways, in both hardware and virtual appliance form factors.
The Layer 7 SOA Gateway was the first XML Gateway certified to comply with NIAP’s Common Criteria Evaluation Assurance Level 4 ALC_FLR.2 (EAL4+) evaluation. This certification meets the highest defense and intelligence community requirements for security, management and control capabilities in on-premise and cloud-based Web service deployments.
The SOA Gateway uses Layer 7’s industry-leading API Gateway technology to combine identity-based access control, message-level security, service mediation and SLA enforcement functionality in order to deliver effective governance, federated ESB and cross-domain solutions for integrations that span agencies, departments and the cloud.
As part of Layer 7’s continued efforts to assure the highest level of security in its products, the latest version of the company’s API Gateway technology has been submitted for Common Criteria evaluation. Layer 7’s API Gateway technology is currently being evaluated against the following Protection Profiles:
“This protection profile focuses on access control policy definition and management. ESM Policy Management products (PMs) will allow ESM Policy Administrators to configure and manage Access Control products in order to determine how objects should be protected throughout the enterprise.”
“This Protection Profile focuses on access control decision and enforcement. A product/product component that conforms to this Protection Profile consumes a centrally-defined access control policy and enforces it. In doing so, it provides preventative security to the enterprise in a consistent manner. A product that conforms to this Protection Profile is expected to intercept requests against some type of defined resource (such as a file system object on a workstation or a web site on an organizational intranet) and determine if the request should be allowed. In an ESM environment, this capability is called a Policy Decision Point, or PDP. It will then enforce the results of this determination or pass the decision to a trusted entity that does the enforcement itself. In an ESM environment, this second capability is called a Policy Enforcement Point, or PEP. Products that are compliant with the profile defined in this document provide both Policy Decision and Policy Enforcement.”