Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passbolt’s CSPN process: what does it mean for credential governance?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10158
Topic starter  

TL;DR: The CSPN application has been formally submitted to ANSSI after a pre-evaluation with Quarkslab, with the process now moving into review of the Security Target, supporting documentation, cryptographic design, and resistance to realistic attack scenarios, according to PassBolt. That matters because certification processes test whether a product’s security claims survive independent scrutiny, not just whether controls exist on paper.

NHIMG editorial — based on content published by Passbolt: Passbolt enters the CSPN certification process

Questions worth separating out

Q: How should security teams evaluate certification claims for credential management tools?

A: Treat certification as one evidence source, not as a buying decision by itself.

Q: Why does independent evaluation matter for NHI and secret management platforms?

A: Because these platforms sit inside the trust path for service accounts, shared credentials, and operational access.

Q: What should organisations look for beyond a security certification badge?

A: Look for the evaluated scope, the documented assumptions, the residual risks, and whether your use case matches the certified operating model.

Practitioner guidance

  • Map certification scope to your actual use case Confirm whether the evaluated product scope covers the deployment model, secret types, and administration patterns you plan to use.
  • Demand the assumptions behind the assurance claim Ask vendors to state which threat scenarios, installation patterns, and operational constraints were in scope for the assessment.
  • Treat documentation quality as a security control Review installation guidance, administrative procedures, and cryptographic documentation as part of procurement.

What's in the full analysis

Passbolt's full article covers the operational detail this post intentionally leaves for the source:

  • The pre-evaluation work completed with Quarkslab and the document set required for ANSSI review.
  • The Security Target and the specific security guarantees Passbolt says the CSPN process will test.
  • The formal review path, including the evaluation laboratory’s role and ANSSI’s certification decision process.
  • The distinction Passbolt draws between certification, penetration testing, and overall product assurance.

👉 Read Passbolt’s update on its CSPN certification submission →

Passbolt’s CSPN process: what does it mean for credential governance?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Credential platforms are trust infrastructure, so their assurance model must be stronger than their feature set. A product that stores and distributes secrets sits inside the identity control plane, not beside it. When that product is used to govern shared access, the quality of its documentation, cryptography, and deployment model becomes part of the security boundary. Practitioners should judge the platform by the evidence behind its trust claims, not the presence of a vault UI.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who should own the decision to trust a credential platform after certification?

A: Ownership should sit with the teams responsible for IAM, PAM, and NHI governance, not only procurement. They need to decide whether the assurance evidence is sufficient for the access patterns and secret lifecycle in scope. Certification informs the decision, but the accountability for risk acceptance remains internal.

👉 Read our full editorial: Passbolt’s CSPN submission and what it means for credential governance



   
ReplyQuote
Share: