AEP Networks Inc has received approval from the UK’s Communications Electronic Security Group, CESG, for its portable IPsec encryptor to protect traffic from mobile and home workers to the country’s Enhanced Grade (Confidential) standard.
Steve Lewis, VP of product management for the Somerset, New Jersey-based infosec developer, said the public sector is a major target for its products, so the decision by the Information Assurance arm of Britain’s Government Communications Headquarters is clearly a sine qua non of selling into that sector in the UK.
He said it also provides a calling card for talking to the GCHQ’s counterparts in other countries. We are now actively seeking accreditation with the NSA and the DoD in the States, he said. As for the EU and NATO, there is a requirement for products to be unique, in the sense that Net Remote will need to run different algorithms if it is to be targeted at them too, but the product itself is already accredited by virtue of the CESG’s approval. For other national governments within the EU, meanwhile, there is a process in place whereby their respective IA arms can recognize the CESG accreditation for a product like Net Remote, Lewis went on.
The market AEP plans to sell Net Remote into in the US, as and when it receives NSA approval, will be what Lewis referred to as high-end SBU, referring to the Sensitive But Unclassified category of information security in that country, which covers everything from protection of personal information through to communications between anti-terrorist authorities. Lewis said products that sell into the SBU segment are frequently referred to as complying with Federal Information Processing Standards, whereas Secret and Top Secret data calls into the higher Type 1 category.
What the US doesn’t currently have, however, is a Confidential marking, which is above Restricted but below Secret. In this sense, UK and European standards are more granular, and Net Remote, having achieved Confidential status with CESG, can be considered to be at the high end of SBU. Lewis said this puts it at an advantage vis-a-vis products from the company’s main competitor, SafeNet Inc, whose US origin means that its SBU-compliant products work to a lower standard than AEP’s. SBU products wouldn’t even meet the UK’s Restricted standard, and there is a growing understanding on US projects and their consultants that SBU may not be enough for applications such as serious and organized crime investigations and anti-terrorise bodies, he said.
AEP is the result of the late 2004 merger of Irish developer AEP Systems Ltd and Netilla Networks Inc from the US. Its portfolio comprises the fixed IPsec encryptor range called Net; the portable Net Remote device for itinerant and home workers; the SmartGate transport-layer encryption devices for the large enterprise and government agency market; the regular client-server SSL VPN boxes it got from the Netilla deal; and a private key management product called Keyper for sale into national or enterprise-level PKIs, an area where it competes with another player, nCipher Plc, whose acquisition by SafeNet was quashed by the UK earlier this year on competitive grounds.
Lewis said one area where AEP does not compete, however, is in the Type 1 arena, by virtue of the fact that the usual route into Type 1 is to respond to a tender for the development of an encryptor according to the [particular US agency’s] spec. He said this is more the preserve of companies such as General Dyamics, Harris and L-3. We’re in off-the-shelf software, where we put in our risk and derive out benefit, not in government contracts for bespoke work, he said.