What is FIPS 140 and what does it mean to be “FIPS compliant”?

FIPS was developed by the Computer Security Division of the National Institute of Standards and Technology (NIST). It established a data security and computer system standard that businesses must follow in accordance with the Federal Information Security Management Act of 2002. (FISMA). Federal government organizations in the United States are required by FISMA to minimize information technology risk to an acceptable level at a fair cost.

The Federal Information Security Modernization Act of 2014 (FISMA2014), which replaced FISMA in 2014, changed several of its original provisions to reflect the evolving nature of cybersecurity requirements and the need for supervision.

To be FIPS compliant (FIPS), organizations must follow the different data security and computer system standards described in the Federal Information Processing Standards.

A U.S. government agency or contractor’s computer systems must satisfy the criteria listed in the FIPS publications with the numbers FIPS 140, FIPS 180, FIPS 186, FIPS 197, FIPS 198, FIPS 199, FIPS 200, FIPS 201, and FIPS 202 to be considered FIPS compliant. In this blog, we will be focusing on FIPS 140.

“Security Requirements for Cryptographic Modules” according to FIPS 140

When creating, putting into use, and running cryptographic modules, the FIPS 140 standard is followed. The combination of hardware, software, and/or firmware known as a cryptographic module implements security features such as algorithm execution and key creation. The techniques for validating and testing the modules are also outlined in the standard.

The security standards cover cryptographic module interfaces, software and firmware security, operating environment, physical security, security parameter management, self-tests, attack mitigation, roles, services, and authentication. The cryptographic modules used by federal departments and agencies must pass testing to ensure they meet these requirements before they may be used.

FIPS Compliance Levels

“Level 1” through “Level 4” are the four security levels that are specified by FIPS 140-2. The levels rise, but they don’t always grow on top of one another. Additional testing is performed on a higher level for the level’s use case.

FIPS Level 1 is the first level of strong security certified by the FIPS standard. This level has  fundamental security requirements for the cryptography module and the algorithms contained therein. Beyond the fundamental necessity for production-grade components, a Security Level 1 cryptographic module does not include any additional physical security features. PC encryption boards are an illustration of a Security Level 1 cryptographic module.

FIPS Security Level 2 requires additional physical security mechanisms on top of the Security Level 1 cryptographic module by mandating elements that demonstrate tampering, such as tamper-evident coatings or seals that must be broken to gain physical access to cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to prevent unauthorized physical access.

FIPS Security Level 3 makes an effort to stop intruders from accessing CSPs stored within the cryptographic module in addition to the tamper-evident physical security measures necessary at Security Level 2. At Security Level 3, physical security procedures are necessary. These mechanisms are designed to be very likely to detect and react to attempts at physical access, use, or modification of the cryptographic module. Strong enclosures and tamper-detection/response circuitry that zeroes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened are two examples of physical security measures that could be used.

FIPS Security Level 4 offers a maximum level of security. To this degree, the physical security mechanisms surround the cryptographic module completely, serving as a barrier to prevent any illegal attempts at physical access from being made. There is a very high likelihood that any attempt to breach the enclosure of the cryptographic module will be identified, in which case all CSPs that include plaintext will be deleted immediately.

Cryptographic modules with Security Level 4 are helpful for use in areas without physical protection. A cryptographic module is shielded by Security Level 4 from security breaches brought on by external factors or variations outside the module’s typical working limits for voltage and temperature. Attackers may utilize deliberate deviations from the regular operating ranges to get around a cryptographic module’s defenses. For a reasonable assurance that the module won’t be impacted by fluctuations outside of the normal operating range in a way that can jeopardize the module’s security, a cryptographic module must either undergo rigorous environmental failure testing or include special environmental protection features designed to detect fluctuations and delete CSPs.

Utilizing FIPS 140-2 Validated Solutions to Secure Enterprise Data-At-Rest

Enterprises store, transact, and analyze large volumes of data and have an obligation to keep this data secure and private at all times. Enterprise data can exist in three states (at-rest, on-transit, and in-use) during its lifecycle and as it journeys through the enterprise and its network of suppliers and partners. Data at-rest and in-use can greatly benefit from the use of FIPS 140-2 validated encryption.

• Securing Data-at-Rest: Applying FIPS 140-2 validated encryption to data-at-rest i.e that is stored and not in active use, ensures that unauthorized entities cannot read the data even if they have access to the data files. The use of FIPS 140-2 validated encryption guarantees the strength of the underlying algorithms. 
• Securing Data-in-Use: Although data-in-use encryption is a relatively new area, we now have techniques that can keep valuable data encrypted even when it is actively being utilized by databases and applications. Depending on the specific encryption-in-use methodology, this can be secured using FIPS 140-2 validated encryption.  

Specific areas where FIPS 140-2 validated encryption can be used to secure enterprise data are: data-at-rest for all types of databases, repositories, both structured and unstructured; for FIPS 140-2 validated data-in-use encryption (encryption-in-use), this is now available for a large variety of databases, enterprise search platforms, object stores, and file shares via Portal26. 

Many of these platforms such Enterprise Search platforms like Elasticsearch and OpenSearch must index and persist large amounts of clear text data for searches and analytics. These platforms are ideal prey for data-hungry ransomware and extortion criminals, who either hunt for improperly configured clusters or steal admin credentials. Similarly, misconfigured or commonly accessible AWS S3 buckets are another major source of data compromise.

How do we stop these attacks? Portal26, a data protection solution that can ensure that valuable data will not get compromised, even if attackers break in successfully and leave with it, is the only encryption-in-use solution with NIST FIPS 140-2 certification for all underlying algorithms. 

Portal26 distinguishes itself by offering functional capabilities equivalent to at least three other data security solutions in addition to the state-of-the-art encryption-in-use. Multiple privacy preserving formats such as Tokenization, data masking, or general-purpose encryption are combined with high-performance encryption-in-use and are all included in the same package at no extra cost to businesses using Portal26 for encrypted processing and ransomware protection. Portal26 is one of the most practical options in the CISO’s toolkit today and is faster than its closest competitors, while offering wider coverage at a fraction of the cost. In addition, Portal26 offers a robust key management infrastructure, including integrations to significant key vaults, field-level key derivation, index-specific keys, and keystore integrations (allowing BYOK).

The Portal26 FIPS 140-2 Validated Product Suite:

Portal26 FileShare Security: For file servers and other systems used for file sharing, Portal26 offers always-on encryption. Regardless of privilege, Portal26 ensures that all files are always protected with NIST FIPS 140-2 verified strong encryption and that unencrypted data is never directly accessible via the file share.To learn more about functionality, read more here.

Portal26 Object Store Proxy: Portal26 Proxy offers transparent application-level NIST FIPS 140-2 approved encryption for cloud object stores. Portal26 encryption offers total data security even if the organization is the target of an attack, while native cloud platform encryption protects data against compromise on the cloud provider. Full details on Portal26 Object Store Proxy can be found here.

Portal26 Vault: Portal26 Vault is a stand-alone data vault that can analyze and store both structured and unstructured data while maintaining strong NIST FIPS 140-2 encryption without ever needing to decode data, even when it’s being processed in memory or the computer’s hardware.To find out the full extent of the Vault’s capabilities, read more here.

Portal26 Plugin: Without compromising search efficiency or limiting fully featured search options, Portal26 Plugin secures sensitive data inside of the most popular enterprise search systems. For all versions of Elasticsearch, OpenDistro, and OpenSearch on AWS/Azure, Portal26 Plugin is accessible.Check out more on the high-performance capabilities of the Plugin here.

Portal26 API/Translation service: The Portal26 API service can be used independently or in conjunction with any other Portal26 products to produce a high-quality data translation solution. Existing applications can resist ransomware and other data-related threats with the Portal26 Translation Service alone. Additionally, it can guarantee that downstream applications can quickly translate protected data exiting other Portal26 products into clear text or other private formats. The Portal26 API enables other Portal26-protected systems to be completely locked down, in line with the Zero Trust Data security standard, from the nine secure and private formats (including searchable encryption) and types of data, including keywords, text, numbers, dates, IP Addresses, Binary and PII-specific data types.

Portal26 Studio: The Studio also offers a management interface for other Portal26 products. In the event of a successful attack, it offers dashboards, analytics, and granular compliance certifications. CISOs can see first hand how Portal26 Studio reports as auditable proof that their data maintained encryption throughout the attack by clicking here.

The Importance of Being FIPS Compliant

All users should be informed of the value of security awareness and the necessity of making information security a management priority. Organizations should identify their information resources and assess the sensitivity to and potential impact of losses because information security needs vary from application to application. The selection of available controls, such as administrative policies and procedures, environmental and physical controls, information and data controls, software development and acquisition controls, and backup and contingency planning, should be based on probable risks. Portal26 covers all bases as the only encryption-in-use solution with NIST FIPS 140-2 certification.

To browse our suite of FIPS 140-2 validated products, view our product page or schedule a demo today!

Schedule a Demo >