Tuesday, January 11, 2022

It is atsec’s 22nd Anniversary!

A big hug to you all. Happy Birthday!

“atsec is a big hug to the whole team represented in the at-sign @ of our logo!”
audaces fortuna juvat
“An idea is nothing more or less than a new combination of old elements,” James Webb.

atsec is: "A new idea based on old concepts." When atsec was founded on 01.11.2000, the founders knew what they wanted to achieve based on what they had experienced up until then: "A key international player in the niche market of information security, evaluation, testing, and assurance in general." That niche has since expanded to encompass almost all aspects of our connected life and beyond!

Fortune favors the bold!
Thank You All!

Monday, December 13, 2021

Happy Holidays and a Happy New Year from atsec

This year the motto for our Holiday greeting is “Bridges”, as it symbolizes much of what we do in our daily work. We bridge the difficult terrain of international and national standards between vendors and government agencies, so both parties can reach their respective goals. We bridge the gaps in knowledge by constantly training our own staff and transferring knowledge to our customers, so that they will have an easier time navigating the rules and requirements around testing and certification. We act as a bridge between different technical communities, e.g. by having started the International Cryptographic Module Conference (ICMC) and by hosting the Cryptographic Module User Forum (CMUF). We act as a bridge between the stakeholders and standard bodies like the CCUF & CMUF, ISO, O-TTPS, CMVP, CAVP, SCAP, BSI, CSA, CSEC, NIAP, OCSI, PCI and the GSMA. Bridges help navigate obstacles, they connect people, and they allow progress into new areas. Here at atsec we strive to do the same.

The whole atsec team wishes you, your family, friends and colleagues Happy Holidays and a Happy New Year.

Monday, November 15, 2021

Is working for atsec an option for me?

by Michael Vogel

I’ve been with atsec for more than two years, and I am happy to be on board. But when I joined, I had some concerns. Coming from companies with thousands of employees and revenues in the billions, joining a company with less than one hundred employees worldwide and a few digits less in revenue felt like a step back in my career — although it was clear from the very beginning that I should take the role of one of the managing directors one day.

Joining would have been easier for me if I had had a counterpart inside the company with the experience I have today, who could have answered the burning questions I had before I started.

For people who are hesitant to join atsec today, I will try to sort things out in a fictional interview between a virtual applicant, “Alice,” and myself.

Alice: I would want to work as an evaluator in IT Security, but I am hesitant to join atsec because I think the company is too small.
Michael: I agree that in terms of head count, we are small, but we provide a big platform. You can work on Common Criteria (CC) evaluation or Federal Information Processing Standard (FIPS) testing. You can work with colleagues from six offices around the globe: Munich, Germany; Austin, US; Stockholm, Sweden; Rome, Italy; Beijing and Shanghai, China. All our locations have a sufficient number of employees to get the job done. For locations with about 10–20 evaluators, the size of the team is big enough to successfully conclude bigger projects in a reasonable timeframe on the one hand, and the team is small enough to keep the overhead low on the other hand. If you are growing beyond, let's say, 25 or 30 people, you will have to define teams or departments anyway to manage them efficiently. You’ll still end up working with a team of 10–20 people, even within a large organization.

Alice: But bigger companies have bigger revenues.
Michael: But they also have higher costs, overhead and many more people to share the revenues. atsec takes on highly intellectually challenging evaluations. People are our assets. The most significant chunk of our costs is the salaries and bonuses for our staff. And as long as our colleagues generate sufficient revenues that we can pay salaries and overhead costs, it doesn't make a difference whether we have 100 people, 1,000, 10,000 or 100,000. So, what is important is the revenue per person instead of the total revenues.

Alice: But bigger companies have bigger savings. That makes me feel more secure that the company will survive bad times.
Michael: You have to ask yourself — “why does a company need savings?” You may answer that companies need to be prepared to bridge "bad times" when revenues are temporarily lower than the costs. With the current high number of concurrent profitable projects that we have at each subsidiary, talking about "bad times" feels a little strange. But atsec is also prepared for bad times. We have sufficient savings to bridge longer unpleasant periods even if we haven't experienced any in our many years in operation. The main issue in our discussion, though, is the way you are looking at this topic.

Alice: What's that supposed to mean?
Michael: If you are part of a bigger company or large conglomerate of testing facilities that span industries such as the car, oil and gas, construction, chemical, and so on, the IT security evaluation laboratory work is not the company's core business. And the likelihood is high that this domain does not produce the highest profits compared to other domains the company is engaged in. What do you think will happen when these bigger companies face “bad times,” as you called it?

Alice: At a certain point, the big company will try to secure its core business with the most profitable domains.
Michael: And they will sacrifice everything else. See — you just lost your (virtual) job. And that's not a theoretical scenario. There have been some sad real-life examples in the past years… atsec's business is not “just a bunch of different domains” competing against each other, it's a coherent business in a well-defined domain.

So, our business model is not only tailored to the domain of security evaluation. Every manager at atsec is also experienced in this business, so the risk of failure is pretty low. And each of them knows your face and your name, if that means anything to you. atsec does not need the decision of a board to pay bonuses, increase a salary, or assign a new role. We are a flat organization with one and a half levels of hierarchy. Decisions are made quickly without waiting for any board to meet. We don’t have one. Last but not least, if any "bad time" does come, since we are independent, the management will be the first to sacrifice their pay and bonus to make sure our colleagues are taken care of first. When we have savings, we invest heavily in our people, so that we all know the business well enough to avoid bad times.

Alice: What about training? What does your company offer?
Michael: Education is constant at atsec, with both internal and external courses. We have a specific internal education program for the standards we are using to perform IT Security evaluations. Our internal training is thorough. At the same time, we give time to our new colleagues to digest the subject, since we want them to be prepared before facing customers. Mastering a standard is like learning a new language; it takes some time before being proficiently fluent.

Alice: What about participating in conferences and seminars?
Michael: Every year, we participate in at least two conferences: the International Common Criteria Conference (ICCC) and the International Cryptographic Module Conference (ICMC). We ask our colleagues to submit papers to these conferences. The company is a big sponsor of standards communities. We are present where more prominent companies are not. Above all, atsec is the sole founding partner of the International Cryptographic Module Conference (ICMC). We initiated it in 2013, and next year we will celebrate its 10th anniversary. We host and manage the Cryptographic Module User Forum (CMUF) and have colleagues in the ISO community and on the Common Criteria User Forum (CCUF) board. We have a colleague participating in the ad-hoc working group defining the certification scheme of the European Cyber Security Act. In addition to Common Criteria and FIPS 140-3, other colleagues in different locations are also involved with: iTC, O-TTPS, FIPS 201 PIV, SCAP, GSA, PCI, GSMA, 5G, NESAS. A few colleagues with additional interests will go to specialized conferences and seminars.

When looking at our contribution, we are way "bigger" than many big companies. As you can see, security testing and evaluation is a large domain, requiring dedication and commitment from the company, colleagues, and new employees alike. Training, conferences, and seminars are part of the continuous learning process. That’s why I said at the beginning that we provide a big platform, where our people can grow into industry experts and become well respected through their contributions to the standardization bodies and leading roles in the security community.

Alice: Wait a minute. If all you described is true, why has no one ever tried to buy you? Shouldn't there be bigger companies eager to acquire you?
Michael: Who said nobody has tried to buy atsec? Do you have any idea how many companies have tried to do precisely that? But the founders decided to keep atsec independent. There have been many occasions where they could have cashed in, taken the money, and walked away. But they didn't. They decided to remain independent and pass the company on to the new generation.

They wanted to preserve the culture imprinted in atsec’s four principles and remain an enabling platform for everyone who likes this kind of work, as was the founders' original idea. In their younger years, they experienced difficulties in doing this kind of job for a big company. At the same time, many laboratories were acquired by those big companies and conglomerates, and shortly after, either they shut down or the people left, overwhelmed by the corporate culture. That's something that makes me feel more secure about my job. By the way, why does this independence matter?

We are doing, for example, approval projects for the government. Do you think governments are keen to work with labs that need the source code of products used in government networks, but that have foreign investors who could force them to share exactly this information?

Alice: You bring an interesting point. What about your turnover?
Michael: We have a lot of colleagues who have stayed with the company for ten or more years. The founders are still involved, though some are reaching retirement age. We realized that those who do not like this job leave in the first year. Those who like it tend to stay. We’ve had only a few people leave the lab to go to a vendor and do the same job on the vendor's side. Generally, these former colleagues return as customers, because they know we are good and can deliver. We had a few situations where colleagues left and later asked to come back, since they realized atsec is better.

Alice: Uh-huh… and you took them back?
Michael: Yes, we did! We always try in all situations to have a good environment for our colleagues whether they stay or decide to try a different career path. The employment is at will. We understand that the mind, heart and body must be in one place to achieve top performance. Colleagues who left and returned to us are treasures because they came back with their full heart.

Alice: But if you have that much insight into detailed information about relevant security products, wouldn't that be a good basis for developing your own products? I think that could be quite profitable.
Michael: If you are collaborating with customers on the level that we do as evaluators, you have to keep up your customers' faith and confidence in you every day. And that only works if these words mean something to you. Customers only return to you if you manage to succeed in precisely that. If you lose their trust, they are gone for good.
That's the reason why atsec has never developed or sold any products and, from what I can see, never will. In general, atsec doesn’t compete with its customers in any way, shape or form. We do not require our customers to buy or develop a tool to complete an evaluation. I am proud to be part of a company with a clear vision.

Alice: I see. It looks like you know what you are doing...
Michael: That's why atsec has been in the business for more than 20 years. And the future looks promising. Keep in mind that our world is getting more digital every day. This implies that more and more value is shifting to the digital world, and people want it to be secured there as well. Therefore, the job of evaluators in IT security evaluation facilities is sort of “booming” at the moment. At the same time, the job requires highly trained experts in IT security, who are hard to find. But it is not only the technical expertise that matters. Integrity and reliability are essential for every single employee in that domain. atsec’s philosophy and culture is to grow our own experts organically through our rigorous and systematic training program in a nurturing environment. All we are asking is that you have a passion for IT security and are eager to learn. Do you have what it takes?

And how about YOU? Do you have what it takes? Then send your application to one of our offices; we are looking forward to hearing from you.

Friday, October 22, 2021

atsec at the (virtual) International Common Criteria Conference (ICCC) 2021

by Michael Vogel 

atsec participated in ICCC 2021 from October 19th to 20th, which was held as a fully virtual conference for the second year in a row due to the worldwide pandemic. While we appreciate having the opportunity to exchange new information as well as give and receive presentations in our domain, we cannot deny that we miss the direct contact with all the other stakeholders at the ICCC. We are hoping that we can meet face-to-face again next year.

In addition to attending the ICCC 2021, a number of atsec consultants joined the virtual CCUF Workshop held a week prior to ICCC, including a joint session between the CCDB and the CCUF.

On the first day of the conference our colleague Michael Vogel moderated one of the sessions on Updates from Schemes and iTCs. On the second day of the conference our colleagues Rasma Araby and Michael Vogel gave a presentation on the use of NESAS vs. NDcPP for the approval of network components, which was well received by the audience and triggered several questions.

As a Gold Sponsor for the ICCC 2021, atsec hosted one of the ICCC Sponsor Showcases. In case you missed it or didn't manage to sign up for the ICCC this year, we invite you to take a look at the presentation:

ICCC 2021 Presentation from atsec information security on Vimeo.

Wednesday, September 15, 2021

Reasonable or just possible?

by Michael Vogel

A few days ago, I returned from my first business trip in months. I didn’t travel because I had to, but because I decided that it would be better to be on-site instead of handling the project remotely. And we are handling a lot of projects remotely at the moment. But this project was for a customer we had never audited before, at a site that had not yet been successfully audited in a formal setting, and the requirements to be applied were rather high.

While I was on my way back from the site, I realized that something was new here. While remote testing had been an option in the past, the choice between on-site and remote auditing for a site visit was not common. At least not in my world. I think my choice this time to go on-site was the right one, although the site was half empty. Many developers were still working from home. If I think back 10 years, wasn't working from home on secure software development perceived as 'unthinkable'? Will this status remain, or will it revert back to what it was? And is it up to us to decide?

Our (business) world has changed a lot due to the pandemic, and we find ourselves more and more in the position of asking ‘what is reasonable’ instead of ‘what is possible’. For years we were flying across the world for technical meetings while the technology to sort things out from the desk right in front of us was readily available. Today, remote testing and remote auditing work better than ever before. And to be honest, it wasn’t too hard to get from ‘we always have to perform task xyz at our customers’ site’ to the point where we are today.

For years, presence in the office was a must and the option to work from home was often the exception to the rule. Today, we know that our employees can work efficiently and effectively from home as well – and not only short term. There might be requirements, rules or regulations that force us to work in the office. But where we have the freedom of choice, we should make good use of it.

There are downsides to this new freedom of choice as well, of course. We need to show more discipline regarding communication, as the talks at the coffee maker that augment communication take place less frequently than before. Working remotely usually also means being well organized and prepared, and you might need to invest some of the time you are saving by working from home into that. We see employees becoming socially a little too distant and, in some cases, even lonely when they constantly work from home. In some families, tensions are on the rise when all family members are working from home all the time. Not all meetings and all audits can be held remotely. And I would really like to get back to on-site conferences today rather than tomorrow. So, all in all, home office and remote working is not the cure for everything, but it is a much more viable option than it was considered to be for many years in the past.

The real challenge, though, is to fit a subjective ‘reasonable’ measure into formal company-wide regulations based on measurable criteria, as 'reasonable' is difficult to quantify. Working for a rather small company like atsec, where we can rely more on guidelines and case-by-case decisions, is therefore quite a privilege these days. Everyone in the company knows our business, and we are the ones deciding on our own rules (as long as they are not determined by customer or accreditation requirements). We are constantly challenging ourselves to decide whether we are still doing the right thing and why we are doing what we are doing, and not simply carrying out activities to satisfy a process description or a company regulation. In other words, our aim is to perform tasks because they add value for our customers and not because they can be done and can be billed. This is what determines our decision making every day. And whether we will be in the office tomorrow, on a business trip or working from home will depend on what is the best choice for our business and our customers. But we need to ensure that we are not gradually going back to where we came from. Because I want to be sure that the next time I am on a business trip, I am on the road because it is reasonable and not only because it is possible.

Wednesday, September 1, 2021

Life of Module

Please enjoy this year's animation from Yi Mao's opening presentation at the 2021 International Cryptographic Module Conference (ICMC).

We also invite you to watch a recording of Yi Mao's welcome address for the ICMC:

Thursday, August 26, 2021

Sample Size in NIST SP800-90B

We invite you to watch this presentation by Richard Fant on Sample Size in SP800-90B.

Thursday, August 19, 2021

Introduction to the CMVP and CAVP

We invite you to watch this high-level overview about the CMVP and CAVP.

Tuesday, August 10, 2021

Do Remote Site Visits Work?

by Rasma Araby

While the home office has become a normality for many IT companies and operations during the pandemic, the requirements for security evaluation, certifications, accreditations, and other approvals have remained constant.

Site visits at the development sites are required to achieve the approval of certification and accreditation. How could this be accomplished when developers, auditors, and certifiers were located in different countries and were working from home?

In addition, there were multiple travel restrictions with varying rules in each country.

How did we do site visits for EAL3+ Common Criteria evaluations and NESAS audits?

How was atsec re-accredited by the national agency, and how did we maintain the level of certification for ISO 9000, ISO 27001, and the other accreditations our lab must carry to provide evaluation services, when an auditor from these agencies had to be on-site while our atsec colleagues worked from home?

We performed and received these site visits remotely!

Special "remote site-visit" rules were provided by both SOG-IS for CC evaluations and GSMA for NESAS audits to allow remote site visits temporarily.

During the first remote site visits, the developers, auditors, and certifiers were skeptical. The main concern was the effectiveness of such an examination method with respect to:

  • how to examine the development processes
  • how to demonstrate the ways records are kept
  • how to conduct effective interviews
  • how to perform physical security examinations via video call

Going back to our first experience with a remote site visit, it went well, actually almost too well. The developers were able to show development processes and appropriate artifacts remotely. The developers were also better prepared and less nervous.
The auditors and certifiers were rested since they could avoid traveling. They were also better prepared, since the documentation was provided digitally and was readily accessible on their computers rather than on paper. All documentation was examined seamlessly during the video interview with the developer, without any interruptions to the conversation.

Shortly after the first virtual site visit, some Certification Bodies issued updated procedures to state that the site visit oversight should be performed remotely using Information and Communication Technology (ICT), suitable for the purpose of the site visit oversight. They found that the remote site-visit procedures work very well and should be used, among other things, to avoid extensive traveling.

I would not dare to say that a remote site visit can replace an actual site visit. Still, it is possible to examine the majority of the security measures and development processes remotely. It depends on the goals of the site visit and the preparation by the developer, auditor, and certifier. The pandemic has taught us that a full or partial remote site visit should be considered to save time spent on traveling, save costs on travel and accommodation, and enable more sites to be audited cost-effectively.

We have experienced this from both sides: when we conducted site visits and when we received site visits. We understand that some technical areas, such as hardware evaluations, require on-site visits due to the nature of the analysis.
There is a lot of discussion about returning to the office after the pandemic. Most IT companies are considering hybrid solutions, some days in the office and some from home.

The procedures requiring on-site visits should consider the same approach of a hybrid solution: partly remote and partly on-site. It would help to shorten the on-site audit, since the remote portion would help identify the part that requires the auditor's presence on-site. This, in turn, allows the on-site portion to be more focused. It won't remove the cost and time of traveling, but it might shorten the auditor's time on-site, since the developer will also be prepared for what the auditor requires.

Friday, July 23, 2021

atsec China adds PCI CPSA (Logical and Physical) Assessor Qualifications

Beijing, July 23 2021

atsec China has been qualified by the PCI SSC (Payment Card Industry Security Standards Council) as a Card Production Security Assessor (CPSA) Company to validate an entity's adherence to the PCI Card Production and Provisioning Logical Security and Physical Security Requirements (two separate security standards). Currently atsec provides the PCI Card Production Logical Security and Physical Security Standards assessment services in the CEMEA, Canada, Europe, LAC, USA and Asia Pacific markets.

The development, manufacture, transport, and personalization of payment cards and their components have a strong impact on the security structures of the payment systems, issuers, and vendors involved in their issuance. Data security is the primary focus of the standards.

The PCI Card Production and Provisioning Logical Security Requirements (“PCI Card Production Logical Security Standard”) addresses the logical security controls associated with card production and provisioning such as:

  • EMV data preparation
  • Pre-personalization
  • Card embossing
  • IC and magnetic-stripe personalization
  • PIN generation
  • PIN mailers
  • Card carriers
  • Distribution

The PCI Card Production and Provisioning Physical Security Requirements (“PCI Card Production Physical Security Standard”) define a comprehensive source of information for entities involved in card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation providers, and fulfillment providers. The standard specifies the physical security requirements and procedures that entities must follow before, during, and after the following processes:

  • Card Manufacturing
  • Chip embedding
  • Personalization
  • Storage
  • Packaging
  • Mailing
  • Shipping or delivery
  • Fulfillment

In addition to the card production activities above, the two standards describe the logical and physical security requirements for entities that:

  • Perform cloud-based or secure element (SE) provisioning services;
  • Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data;
  • Manage associated cryptographic keys.

atsec’s CPSA assessors can work with you to confirm the assessment scope, perform the assessment on-site, complete the PCI Card Production ROC (Report on Compliance) and AOC (Attestation of Compliance), submit them to the applicable payment brands or cooperative entities, and perform re-validation where applicable.

In addition to the assessment service, atsec offers a full range of consulting services to support your organization in achieving compliance with the PCI Card Production Logical and/or Physical Security Standards. atsec consultants have experience in each of the requirement areas (e.g. data security, network security, system security hardening and management, user management, key management, PIN distribution, personal security management, premises security protection, production procedures security control, security audit, secure packaging and delivery), and can help you develop appropriate measures in order to achieve your compliance.

The CPSA Assessors list can be found on the official website of PCI SSC, and atsec’s qualification is shown below: 

In addition to being a CPSA assessor company, as an accredited PCI QSA, ASV, QPA, PA QSA, P2PE, 3DS assessor, SSF assessor and PFI, atsec offers a full range of services to support organizations in achieving PCI compliance.

For more information about atsec’s PCI services, please visit: