As a specialist of attacks on secure devices, at eShard, I am often asked why we are not a lab so we could evaluate your products for certification.
Before being Underwriters Laboratory Director, I spent 10 years in the industry as principal expert for Oberthur now Idemia. Georges, eShard’s co-founder, had also this double vision as he worked for Verimatrix before joining UL. Thanks to this double experience, we were legitimate to build our own lab. We chose another path, we decided to build eShard.
To be trustful, a lab must show independence. A lab acts as a judge, it must be independent from the regulatory authority as well as independent from the candidates to the compliance.
Therefore, a lab cannot assist you to pass a certification, like a judge cannot assist you to comply with the law. At eShard, we are your lawyer, we advise and defend you. We are putting our knowledge of the compliance process and the product design to your service so you comply with any certification you target.
A lab cannot create Intellectual Property. A lab works in a “whitebox” context. They ask access to your code and design to evaluate your product. If IP is created in the lab, it would be subject to questions whether it comes from their clients. At eShard, we want to push the security of your product further. This is why we invest in R&D to create new solutions based on our IP while keeping your confidence.
The last reason why we are not a lab is our exploratory mindset. As a lab we would be part of a process: the regulator issues new rules and we would make sure you comply with the rules. At eShard, we think that complying with the rules is simply not enough. In the cybersecurity cat and mouse game, attacks are moving fast and so are the threats. Risk evaluation should be challenged daily. With a business model based on the rules compliance, a lab has no incentive to push you to be ahead of the curve and in line with modern risk management. Instead, we challenge the rules, anticipate the next move of the adversary and see one step ahead for our customers to bring them to the next security level.
These are the reasons why we are not a lab dealing with the certification you need to enter into one market or another. But we are the partner making sure you will exceed any certification. We are the partner thinking about risk management with you, putting the risk in the context of time to market and solutions life cycle. We are the partner giving you the right tool to get a better control of the risk and better apprehend it. We are not only pointing out the problem, we provide solutions.
Because it is the antelope running with the others that the lion devours, not the one leading the herd.