Evaluating a pioneering product in a CPSTIC/CCN-STIC 105 taxonomy is both a great motivation and a challenge. We are therefore pleased to be the first laboratory to have successfully evaluated a product in the "Videoconferencing tools" category, with the product now included in the Qualified Products section of the Spanish Catalogue of Information and Communication Technology Security Products (CPSTIC), published by the CCN. We would like to congratulate PEXIP on this achievement and on the great work done.
What does it involve to evaluate a product that cannot be included in an already defined taxonomy?
Evaluating a product that is identified in a taxonomy means that the requirements have already been tested. When evaluating a product in a new category the evaluation requirements have to be adapted and improved.
As a pioneering laboratory, we at jtsec have had to face this improvement process ourselves, as there was no previously evaluated product to use as a reference.
What exactly is a videoconferencing product?
According to Annex F.13 - M: Videoconferencing Tools of the ICT Security Guide CCN-STIC 140: "The products associated with the family of "Videoconferencing Tools" arise in response to the need of organizations to have services that allow two or more people to connect in real time from different locations, through the network, by using a mobile device, computer or tablet".
Specifically, PEXIP Infinity, developed by the manufacturer PEXIP, is the first product to obtain LINCE certification and be included as a "Videoconferencing tool" in the CPSTIC/CCN-STIC 105 catalogue. It is a virtualized and distributed videoconferencing infrastructure platform for managing H.323/SIP room videoconferencing equipment and PC, Mac and Linux desktop clients, with a WebRTC client.
It acts as Call Control and incorporates firewall traversal technology to talk to other networks, as well as a multi-conference unit (MCU). It allows management of room terminals and of desktop and mobile users, with self-provisioning of users and equipment, as well as monitoring and analysis of activity in a secure way. It provides a connector to interoperate with Microsoft Teams, Google Meet, Skype for Business, Webex, Zoom and WebRTC users, and allows streaming and recording. It integrates with Outlook and Google Calendar for session scheduling, and with SSO, certificate and LDAP tools. It also has an extensive library of APIs for integration into the customer's technological and security environment: MFA, SIEM, NTA, etc.
Evaluation requirements applied to videoconferencing tools
CCN establishes a series of fundamental security requirements for the evaluation of each product family. The requirements shown below are those that apply to the family of videoconferencing tools, highlighting the requirements most specific to this type of product, which are contained in the security functionality "Videoconferencing Requirements". In this case, the specific requirements can be found in Annex F.13 – M: Videoconferencing Tools of the ICT Security Guide CCN-STIC 140.
These specific requirements ensure end-to-end confidentiality of communications, that sessions and data of participants of different calls are isolated, and that the product performs proper storage and processing of files shared via conferences.
Evaluation of videoconferencing tools, we can help you!
As the first laboratory in the evaluation of this taxonomy of products under the LINCE methodology, we have the necessary experience in case you wish to evaluate your product and include it in this category.
As the leading lab in LINCE evaluations, our experience will help you to make the certification process as agile as possible, thus reducing the time and resources needed by our clients.
If you want to obtain a valid cybersecurity certification for your videoconferencing tool, we will be happy to help you.
❝Being the first to certify a videoconferencing solution under the LINCE methodology was a challenge; thanks to the jtsec team it has been a success. Throughout the process they have supported us and have managed the project with absolute professionalism.❞
Valentín Martín, EMEA Channel Head Public Sector at PEXIP