Warning! This blog starts out with some techy jargon but it’s well worth your time if you have data that needs to be secured. I promise this blog has a business focus.
“Security requirements for cryptographic modules.” That’s the official title of the Federal Information Processing Standards Publication 140-2, otherwise known as FIPS 140-2. This US Government standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. It was written for the government and any organization doing business with the government, and businesses have adopted it as a computing standard regardless of government interaction.
Wait! Don’t stop reading.
Are you thinking “this is way too deep for me”? Have your eyes glazed over yet?
I encourage you to read on. While this may sound very “techy”, it is very important for the security of your organization and your data.
Let’s boil it down to the essentials and what it means to business.
We’ll start by understanding a cryptographic module in business terms. A cryptographic module is any combination of computer hardware, firmware or software that encrypts or decrypts data, applies a digital signature, applies a variety of authentication techniques and/or uses random number generation.
In effect, it protects your data from someone else being able to use it even if they can get access to it.
Data breaches are in the news almost daily (many of us have experienced it personally and professionally). It is very likely an unauthorized person will gain access to your organization’s data. The FIPS 140-2 standard can render that data unusable should someone get unauthorized physical access to your hardware.
The FIPS 140-2 standard has 4 levels, each level providing increasing security for your data.
- Level 1 – the lowest level of security, requires at least one approved algorithm or security function to be used, such as data encryption, when that data resides on your computer
- Level 2 – enhances the physical security of the data by adding the requirement of tamper-evidence to Level 1 encryption. An example is the use of tamper-evident coatings or seals or pick-resistant locks on the physical computer.
- Level 3 – you guessed it, Level 3 adds to Level 2. It does so by preventing an intruder from gaining access to critical security parameters (CSPs) by zeroing the CSPs when a removable cover/door of the computer is opened.
Let’s pause here for another definition – CSP, or critical security parameter, is security-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and PINs) whose disclosure or modification can compromise the security of a cryptographic module.
- Level 4 – the highest level of security – at this level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate zeroization of all plaintext CSPs. Security Level 4 cryptographic modules are useful for operation in physically unprotected environments.
If you’re a business person - and if you have data that if compromised could put your customers, patients, employees or your business in jeopardy – you need to pay attention to the level of FIPS 140-2 security your company uses. You don’t need to know the details or how to implement it, you just need to make sure your company is using equipment & systems that have the right level of FIPS 140-2 security for your business.
If you’re an IT professional (and, perhaps thinking you know all this and the blog isn’t techy enough), decide what level of FIPS 140-2 security your organization needs and make sure you have implemented it. Talk to the business people and help them to understand why this is so important.
Implementing FIPS 140-2 validated hardware and software protect:
- Stored Data – Data at rest (data that isn’t currently being transmitted between two or more computers) is secured through encryption and the complete sanitization of any data that is deleted. That means that once data is deleted, it can never be restored.
- Data in Flight – This is data that is moving between two or more computers. Data in Flight is secured through SSL (FTPS), HTTP over SSL (HTTPS), and SFTP (SSH2) which is Secure File Transfer Protocol.
- Access to Data – data is accessible only to those who are authorized to use it through permission-based access controls
If your organization is a financial institution, a healthcare provider, a retailer, or any organization that has sensitive data, you need to make sure you’re compliant with FIPS 140-2 standards. If that data is exposed to the wrong individuals, it can result in regulatory fines, civil damages, harm to your reputation, loss of revenue and more.
Consider this scenario. You’ve had a physical breach where somebody took a storage drive, or worse yet – an entire SAN (storage area network) from your data center. What would happen if they could access the data on it?
Why take the risk?
With FIPS 140-2 validated external key management, the data on that storage media is unusable without an established connection to the encryption keys.
If you want to learn all the details, you can access the full standard here - nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. It’s an absolutely riveting 69-page document. I highly recommend it if you suffer from insomnia.
Or, you can contact CloudSAFE and we’ll be happy to discuss your needs and options to meet your objectives.
CloudSAFE solutions include both Level 1 and Level 2 as part of each offer. CloudSAFE also provides External Key Management Service which enables Level 3, as an optional service. Learn more at: https://www.cloudsafe.com/it-infrastructure-solutions/external-key-manager-service/