Protecting Your Data - All You Never Wanted to Know about FIPS 140-2

Warning! This blog starts out with some techy jargon but it’s well worth your time if you have data that needs to be secured. I promise this blog has a business focus.

“Security requirements for cryptographic modules.” That’s the official title of the Federal Information Processing Standards Publication 140-2, otherwise known as FIPS 140-2. This US Government standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. It was written for the government and any organization doing business with the government, and businesses have adopted it as a computing standard regardless of government interaction.

Wait! Don’t stop reading.

Are you thinking “this is way too deep for me”? Have your eyes glazed over yet?

I encourage you to read on. While this may sound very “techy”, it is very important for the security of your organization and your data.

Let’s boil it down to the essentials and what it means to business.

We’ll start by understanding a cryptographic module in business terms. A cryptographic module is any combination of computer hardware, firmware or software that encrypts or decrypts data, applies a digital signature, applies a variety of authentication techniques and/or uses random number generation.

In effect, it protects your data from someone else being able to use it even if they can get access to it.

Data breaches are in the news almost daily (many of us have experienced it personally and professionally). It is very likely an unauthorized person will gain access to your organization’s data. The FIPS 140-2 standard can render that data unusable should someone get unauthorized physical access to your hardware.

The FIPS 140-2 standard has 4 levels, each level providing increasing security for your data.

  • Level 1 – the lowest level of security. It requires that at least one approved algorithm or security function be used, such as data encryption, when that data resides on your computer.
  • Level 2 – enhances the physical security of the data by adding the requirement of tamper-evidence to Level 1 encryption. An example is the use of tamper-evident coatings or seals or pick-resistant locks on the physical computer.
  • Level 3 – you guessed it, Level 3 adds to Level 2. It does so by preventing an intruder from gaining access to critical security parameters (CSPs) by zeroing the CSPs when a removable cover/door of the computer is opened.

Let’s pause here for another definition – CSP, or critical security parameter, is security-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and PINs) whose disclosure or modification can compromise the security of a cryptographic module.

  • Level 4 – the highest level of security – at this level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate zeroization of all plaintext CSPs. Security Level 4 cryptographic modules are useful for operation in physically unprotected environments.

If you’re a business person – and if you have data that, if compromised, could put your customers, patients, employees or your business in jeopardy – you need to pay attention to the level of FIPS 140-2 security your company uses. You don’t need to know the details or how to implement it; you just need to make sure your company is using equipment and systems that have the right level of FIPS 140-2 security for your business.

If you’re an IT professional (and perhaps thinking you already know all this and the blog isn’t techy enough), decide what level of FIPS 140-2 security your organization needs and make sure you have implemented it. Talk to the business people and help them understand why this is so important.

Implementing FIPS 140-2 validated hardware and software protects:

  • Stored Data – Data at rest (data that isn’t currently being transmitted between two or more computers) is secured through encryption and the complete sanitization of any data that is deleted. That means that once data is deleted, it can never be restored.
  • Data in Flight – This is data that is moving between two or more computers. Data in Flight is secured through FTP over SSL (FTPS), HTTP over SSL (HTTPS), and SFTP (Secure File Transfer Protocol, which runs over SSH2).
  • Access to Data – data is accessible only to those who are authorized to use it, through permission-based access controls.

If your organization is a financial institution, a healthcare provider, a retailer, or any organization that has sensitive data, you need to make sure you’re compliant with FIPS 140-2 standards. If that data is exposed to the wrong individuals, it can result in regulatory fines, civil damages, harm to your reputation, loss of revenue and more.

Consider this scenario. You’ve had a physical breach where somebody took a storage drive, or worse yet – an entire SAN (storage area network) from your data center. What would happen if they could access the data on it?

Why take the risk?

With FIPS 140-2 validated external key management, the data on that storage media is unusable without an established connection to the encryption keys.

If you want to learn all the details, you can access the full standard here - nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. It’s an absolutely riveting 69-page document. I highly recommend it if you suffer from insomnia.

Or, you can contact CloudSAFE and we’ll be happy to discuss your needs and options to meet your objectives.

CloudSAFE solutions include both Level 1 and Level 2 as part of each offer. CloudSAFE also provides External Key Management Service which enables Level 3, as an optional service. Learn more at: https://www.cloudsafe.com/it-infrastructure-solutions/external-key-manager-service/