jtsec evaluates the first Videoconferencing tool included in CPSTIC/CCN-STIC 105 catalog


- Sept
Posted by: José Ruiz
jtsec evaluates the first Videoconferencing tool included in CPSTIC/CCN-STIC 105 catalog

Evaluating a pioneering product in a CPSTIC/CCN-STIC 105 taxonomy is both a great motivation and a challenge. Therefore, we are pleased to be the first laboratory that has successfully evaluated a product in the category of "Videoconferencing tools", being included in the Qualified Products section of the Spanish Catalogue of Information and Communication Technology Security Products (CPSTIC), published by the CCN. From here we would like to congratulate PEXIP for this reason and for the great work done.

What does it involve to evaluate a product that cannot be included in an already defined taxonomy?

Evaluating a product that is identified in a taxonomy means that the requirements have already been tested. When evaluating a product in a new category the evaluation requirements have to be adapted and improved.

As a pioneer laboratory, we at jtsec have had to face this improvement process as there was no product evaluated as a reference.

What exactly is a videoconferencing product?

According to Annex D.9C-M - M: Videoconferencing Tools of the ICT Security Guide CCN-STIC 140: "The products associated with the family of "Videoconferencing Tools" arise in response to the need of organizations to have services that allow two or more people to connect in real time from different locations, through the network, by using a mobile device, computer or tablet".

Specifically, PEXIP Infinity, developed by the manufacturer PEXIP, is the first product to obtain LINCE certification and is included as a "Videoconferencing tool" in the CPSTIC/CCN-STIC 105 catalogue. It is a virtualized and distributed videoconferencing infrastructure platform for managing H.323/SIP room videoconferencing equipment and PC, Mac and Linux desktop clients, with WebRTC client.

It acts as Call Control, and incorporates transversal firewall technology to talk to other networks, and multi-conference unit (MCU), allows management of room terminals and desktop and mobile users, allowing self-provisioning of users and equipment, as well as monitoring and analysis of activity in a secure way. It provides a connector to interoperate with Microsoft Teams, Google Meet, Skype for Business, Webex, Zoom and WebRTC users, and allows streaming and recording. It integrates with Outlook and Google Calendar for session scheduling, and with SSO, certificate and LDAP tools. It also has an extensive library of APIs for integration into the customer´s technological and security environment: MFA, SIEM, NTA, etc.

Evaluation requirements applied to videoconferencing tools

CCN establishes a series of fundamental security requirements for the evaluation of each product family. The requirements shown below are those that apply to the family of videoconferencing tools, highlighting the more specific requirements for this type of products, contained in the security functionality "Videoconferencing Requirements". In this case we can find the specific requirements in Annex D.9C-M: Videoconferencing Tools of the ICT Security Guide CCN-STIC 140.

These specific requirements ensure end-to-end confidentiality of communications, that sessions and data of participants of different calls are isolated, and that the product performs proper storage and processing of files shared via conferences.

Evaluation of videoconferencing tools, we can help you!

As the first laboratory in the evaluation of this taxonomy of products under the LINCE methodology, we have the necessary experience in case you wish to evaluate your product and include it in this category.

As the leading lab in LINCE evaluations, our experience will help you to make the certification process as agile as possible, thus reducing the time and resources needed by our clients.

If you want to obtain a valid cybersecurity certification for your videoconferencing tool, we will be happy to help you.

Being the first to certify a videoconferencing solution under the LINCE methodology was a challenge, thanks to the jtsec team it has been a success, throughout the process they have supported us and have managed the project with absolute professionalism.

Valentín Martín, EMEA Channel Head Public Sector at PEXIP

José Ruiz/CTO

Jose is an expert consultant on the Common Criteria standard with more than 10 years of experience. Jose has a wide background in other security assurance standards in the field of the information technology as Common Criteria, FIPS 140-2, FIPS 140-3, GP TEE, PCI-PTS, LINCE. Jose has served as an evaluator, Technical Leader and CC Consultant for Epoche&Espri and as CC lab manager and Cyber Security Service Manager for Applus+. His experience has led him to participate as a speaker in various editions of the ICCC (International Common Criteria Conference) and ICMC (International Cryptographic Module Conference). He has been the “Chairman” of a subgroup within the ISCI WG1 Eurosmart Initiative to develop the CC Methodology. He is also member of different working groups as ISO SC27 or Global Platform TEE and an active member of the group ERNCIP “IACS Cybersecurity certification“.

In 2017 he founded with Javier what is now known as jtsec. He is currently in charge of promoting the commercial expansion of the company from its headquarters in Madrid as CTO. In addition, he represents jtsec in various national and international forums and is responsible for quality.


Send us your questions or suggestions!

By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.