Standards and certifications for HSM devices
When you purchase an IT solution for your organization, there is no simple way to determine which product is the absolute best, or which is the ideal choice for your company, your needs and your processes. Different regions and different use cases call for different solutions. However, the commonly used certifications can help you pick the best product, since they indicate that the solution meets certain standards. Understanding the background and the details of these standards and certifications makes the choice easier. i4p has summarized the most important facts in this whitepaper.
Government agencies in many countries are obliged to purchase and use IT products that have earned specific certifications. For example, FIPS 140-2 is mandated in the US for many federal agencies that use cryptography-based security systems to protect sensitive information in computer and telecommunication systems, while in many European countries Common Criteria certifications are required in such cases. A great number of public organizations also choose to buy solutions with such certifications in order to ensure the security and reliability of the purchased product.
In the case of cryptographic modules, companies can rely on two certifications: FIPS 140 and Common Criteria (in some cases, financial institutions have to comply with PCI DSS as well). In most respects, the two certifications require the same security features and assurances. Broadly, a product with a CC EAL 4+ certificate against the Protection Profile (PP) for Cryptographic Module for Trust Services provides around the same functionality as a product with a FIPS 140-2 Level 3 certificate. However, organizations need different specifications and certificates for different use cases. Find out from our whitepaper which one is useful for your needs!
Download this ebook to find out: