Saturday, January 17, 2009

Selling Government-Grade Security? Stop. NOW.

While thumbing through one of the myriad of show publications at CES last week, I happened upon an ad from Honeywell, touting their product's "government-grade security".

What a crock.

Lots of vendors who understand nothing about the government's security requirements like to advertise that they offer "government-grade" security, or the even more impressive-sounding "military-grade" security.

Neither of these terms means a thing. You're validated, or you're not. Period. Typically, vendors using these terms are trying to promote their use of 128-bit AES (the Advanced Encryption Standard) for confidentiality. Since just about anyone outside the Axis of Evil can readily get 128-bit AES, I don't really see the point.

Are you marketing security products?  Are you eager to use terms like "military" or "government" in your collateral?  Here's a handy checklist to see if you qualify...
If you can't answer "Yes" to one or more of these questions, you're not selling government-grade or military-grade security. The government won't buy your product until it has undergone some form of validation or certification, which looks at issues like key generation and management, integrity, entropy, and a whole bunch of other items, not just the key length of your encryption algorithm. If you're not submitting your product through the processes required to validate compliance, you have nothing that can legitimately be marketed or sold as government-grade or military-grade.
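To make that last point concrete, here is an added example (not code from the original post, and not any real vendor's product; the "product", its key generator and the seed value are constructed for illustration). The cipher uses a full 128-bit key, but the key is drawn from a seeded non-cryptographic PRNG, so an attacker who knows the generator and can bound the seed recovers the key by trying a few thousand candidates. A SHA-256 keystream stands in for AES-CTR so the example needs only the standard library; the weakness shown is in key generation and entropy, not in the cipher or its key length.

```python
import hashlib
import hmac
import random
import secrets

KEY_BITS = 128


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256(key || block offset) keystream.

    Stand-in for a block cipher in counter mode so the example runs with
    only the standard library. Encryption and decryption are the same
    operation, and each 32-byte block depends only on its offset, so
    decrypting a prefix of the ciphertext yields a prefix of the plaintext.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def weak_key(seed: int) -> bytes:
    """Constructed weak generator: 128 bits from Python's Mersenne Twister
    seeded with a small integer (e.g. a Unix timestamp).

    The key is 128 bits long, but the only secret is the seed, so the
    effective entropy is however many seed values the attacker must try.
    """
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BITS).to_bytes(KEY_BITS // 8, "big")


def strong_key() -> bytes:
    """The fix: 128 bits from the OS CSPRNG. There is no seed to guess,
    so the trial-decryption attack below degrades to a 2**128 search."""
    return secrets.token_bytes(KEY_BITS // 8)


def recover_seed(ciphertext: bytes, known_prefix: bytes, seed_range: range):
    """Attacker who knows the generator but not the seed: trial-decrypt
    the first bytes under every candidate seed and look for the expected
    plaintext prefix. Returns the seed, or None if not in range."""
    n = len(known_prefix)
    for seed in seed_range:
        candidate = keystream_cipher(weak_key(seed), ciphertext[:n])
        if hmac.compare_digest(candidate, known_prefix):
            return seed
    return None


def demo():
    """Encrypt a message under a weak 128-bit key, then recover it."""
    message = b"ORDER 7781: ship to depot 4, 0600 tomorrow"
    # Constructed: the "product" seeded its key generator with the send time.
    send_time = 1231545600  # 2009-01-10 00:00:00 UTC, chosen for the example
    ciphertext = keystream_cipher(weak_key(send_time), message)

    # Attacker knows traffic starts with "ORDER " and that the message was
    # sent within about two hours of a time they observed: ~14,400 seeds.
    window = range(send_time - 7200, send_time + 7200)
    seed = recover_seed(ciphertext, b"ORDER ", window)
    if seed is None:
        return None, None
    plaintext = keystream_cipher(weak_key(seed), ciphertext)
    return seed, plaintext


if __name__ == "__main__":
    seed, plaintext = demo()
    print(f"recovered seed {seed}: {plaintext!r}")
    k = strong_key()
    # Same cipher, same key length; with a properly generated key the
    # seed search has nothing to search.
    assert keystream_cipher(k, keystream_cipher(k, b"x")) == b"x"
```

The point of the exercise is that the marketing-friendly number (128 bits) is identical in both cases; what separates them is the key generation the validation process actually examines.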

So knock it off.
