As NSS Labs’ door closes another opens for community-driven standards and testing
NSS Labs, a product security testing company, recently ceased operations. This comes just a year after the company was quietly acquired by private equity firm Consecutive, which, according to Dark Reading, had hoped to reorganise NSS Labs and refocus its resources.
Unfortunately, says Dave Larson, general manager, Security Solutions at Spirent Communications, the loss of NSS Labs has left a gap in the market for reliable, third-party security product testing and validation services that enterprises still need, more so now that enterprise security perimeters are changing dramatically with more employees working remotely.
The community is ready to fill the gap
The good news is that, while NSS Labs may have been struggling, the industry has made some significant strides over the past few years, moving to open and transparent security performance testing standards and community-driven initiatives. In 2017, NetSecOpen was launched to level the playing field for security product testing, encouraging transparent “apples to apples” comparisons based on real-world testing conditions.
The goal of NetSecOpen is to help ensure a product that tests well in the lab will perform the same way in the customer environment. Many of the largest security vendors in the world are actively involved and working together in NetSecOpen, supporting open security product testing standards.
The Metro Ethernet Forum (MEF) is another increasingly important, global industry-led organisation that is strengthening collaboration among network, cloud and technology providers and driving community-driven standards and certifications around SD-WAN, Secure Access Service Edge (SASE), Zero-Trust Network Access (ZTNA) and other digital transformation technologies. The value of a MEF SD-WAN certification, for example, is the reliability, assurance and trust that the MEF certification implies for products competing in the category, allowing enterprises to make more informed product and service choices based on their individual business needs.
Advancing security testing for the cloud
The next logical evolution of community-driven standards will be security testing for increasingly complex cloud technologies. With 87% of enterprises accelerating their cloud plans due to the majority of employees working remotely, defining cloud security testing and standards has never been more important. But it’s not an easy task, given cloud complexities and the changing needs of each business.
The top cloud providers have done a good job of building security into the public and hybrid clouds they offer. However, it is the responsibility of the enterprise to secure the data and applications running in each cloud instance, especially those that are internet facing. Businesses must determine what their security needs are when it comes to cloud deployments and then layer in security controls, depending on what they must protect.
For example, healthcare providers working with cloud applications must be compliant with HIPAA privacy regulations to ensure patient data in the cloud is kept safe. To confirm that each security measure deployed will work as advertised, many of these organisations rely on third-party testing, validation and certification. This is, of course, applicable to all industries that are adopting cloud computing and handling sensitive data.
As the migration to cloud continues to accelerate, enterprises require third-party validation to make well-informed choices when selecting cloud security tools and providers, in a similar fashion to how they have historically compared and contrasted network equipment vendors. Enterprises embracing hybrid clouds have the additional challenge of needing to understand the capabilities of both security appliances and controls deployed in their private infrastructure, as well as virtual security appliances and tools deployed in the cloud.
Many enterprises have relied on NSS Labs for traditional network security infrastructure validation and now they need a similar capability that extends to the cloud. Today’s market requires a much more holistic way to test cloud infrastructure and applications, wherever they are deployed – spanning 5G edge to the core network or even crossing international domain boundaries. In any case, while security testing and validation is getting more complex, the community, including the MEF and NetSecOpen, is up to the task.
We’re in this together
Just as the network equipment vendors have proactively come together to support community-based standards, the cloud providers and security vendors have a responsibility to their customers to participate in open, transparent and third-party validation initiatives. Luckily, many of the traditional network and security equipment manufacturers are already actively engaged in cloud security discussions via NetSecOpen and MEF, so gaining industry participation in community-based standards for cloud aligns well with their portfolio expansions to service the cloud market.
As a leader in testing, validation, and open community standards, Spirent is urging the technology community to come together and participate in community-driven industry best practices and open standards. Truly, if we’re going to be successful, this must be our path forward. Together, we can hold each other accountable as we move toward a more secure network and cloud ecosystem.
The author is Dave Larson, general manager of the security solutions business unit at Spirent Communications
About the author
Dave Larson is general manager of the Security Solutions business unit at Spirent Communications, responsible for driving the development of the company’s security test, validation and assurance offerings and integrating security differentiation across the company’s overall product, services and solution portfolio. Larson has more than 25 years’ experience across networking, network security and cloud architecture, working in both emerging technology start-ups and large public enterprises.
Before joining Spirent, Dave was VP and general manager for the Data Centre Networking business and chief technologist for Networking, Security and Advanced Cloud Technology and Strategy at Hewlett Packard Enterprise. Dave has a Bachelor of Science degree in Physics from Gordon College in Wenham, MA.