Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Common Criteria and high ENS in IAM: are your controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Common Criteria and ENS Alto are presented as certification gates for IAM platforms, with the article arguing that third-party validation helps organisations satisfy audits while reducing exposure to security failures, according to Soffid. The real issue is not branding but whether identity platforms can prove control effectiveness under regulated scrutiny.

NHIMG editorial — based on content published by Soffid: Common Criteria and High ENS: why they matter in IAM

By the numbers:

Questions worth separating out

Q: How should IAM teams use certifications like Common Criteria and ENS Alto?

A: Use them as assurance evidence, not as proof that the IAM environment is fully secure.

Q: Why do certifications matter when evaluating IAM platforms?

A: They matter because they give buyers an external basis for trusting security claims instead of relying only on vendor statements.

Q: What should organisations verify beyond a certified IAM product?

A: They should verify how the product is configured, who administers it, how secrets and privileged access are handled, and whether audit logs are retained and reviewable.

Practitioner guidance

  • Map certification scope to actual IAM use cases Check whether the certified boundary covers the identity functions you intend to rely on, including administration, federation, and audit logging.
  • Use supplier assurance as a procurement gate Require independent evidence for security claims before signing or renewing contracts, especially where the IAM platform supports regulated access workflows or public-sector obligations.
  • Separate platform assurance from operational governance Keep access reviews, privilege monitoring, and secret lifecycle controls active even when the platform is certified.

What's in the full article

Soffid's full article covers the operational detail this post intentionally leaves for the source:

  • The certification distinctions between Common Criteria and ENS Alto in more implementation detail
  • The article's explanation of how regulated organisations can use certification evidence in procurement and audit discussions
  • The specific claims Soffid makes about its own IAM platform certification status
  • The sector framing for public administration and regulated supplier environments

👉 Read Soffid's article on Common Criteria and high ENS in IAM →

Common Criteria and high ENS in IAM: are your controls enough?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Certification is an assurance layer, not an identity control. Common Criteria and ENS Alto matter because they reduce ambiguity in procurement and audit, but they do not govern runtime privilege, session behaviour, or access lifecycle. IAM teams should treat certification as one input into trust decisions, not as evidence that operational identity governance is complete.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding shows that only 1.5 out of 10 organisations are highly confident in securing NHIs, which helps explain why assurance signals matter so much in procurement.

A question worth separating out:

Q: Who is accountable when a certified IAM platform is misused or misconfigured?

A: The buying organisation remains accountable for how the platform is deployed, governed, and monitored. Certification may support due diligence, but it does not transfer operational responsibility. Teams should assign clear ownership for configuration, privileged access, audit evidence, and third-party risk so that certification does not become a false substitute for control.

👉 Read our full editorial: Common Criteria and high ENS in IAM: why certifications matter



   
ReplyQuote
Share: