FIPS 140-2 Encryption

The National Institute of Standards and Technology (NIST) issues Federal Information Processing Standards (FIPS) as guidelines for use across the Federal government. These standards are developed when there are compelling Federal government needs, such as in the areas of information security and interoperability. The FIPS 140-2 standard is an information technology security accreditation program for validating that the cryptographic modules produced by private sector companies meet well-defined federal security standards.

An encryption vendor whose cryptographic module product attains FIPS 140-2 validation certification attests that its solution:

  • Uses an approved algorithm,
  • Handles the keys appropriately, and
  • Always handles the data to be encrypted in a certain way, in a certain block size, with a certain amount of padding, and with some amount of randomness so the ciphertext can’t be searched.

FIPS 197, another certification that includes the Advanced Encryption Standard (AES), is an encryption algorithm specification established by the U.S. government. However, FIPS 197 alone does not meet all 3 of the above criteria, and is therefore not as rigorous as FIPS 140-2 compliance. FIPS 140-2 validation is mandatory for use in government departments that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.

PerspecSys’ Cloud Data Protection Gateway lets government agencies, public sector organizations and enterprises take full advantage of cloud SaaS applications such as Oracle CRM and Salesforce.com while ensuring their sensitive data remains on-premise, under their full control, and in compliance with data protection regulations at all times. PerspecSys’ solution does this without impacting an end-user’s ability to perform functions such as Searching and Sorting within their SaaS applications. By enabling the use of FIPS 140-2 validated modules to protect cloud data, PerspecSys is eliminating the security, compliance and usability barriers that previously prevented agencies from moving to the cloud. PerspecSys is the first and only company to offer this level of data protection while simultaneously preserving critical SaaS application capabilities, such as the ability to Search and Sort on FIPS 140-2 encrypted data fields. FIPS 140-2 encryption is also useful for enterprises in industries such as manufacturing and healthcare that frequently need to comply with government regulations such as International Traffic in Arms Regulations (ITAR) and HITECH, respectively.

NIST regularly publishes reports that comment on critical issues in data security and computing. One example is a publication entitled Cloud Computing Synopsis & Recommendations (Special Publication 800-146) that describes in detail the current cloud computing environment, explains the economic opportunities and risks associated with cloud adoption, and openly addresses the security and data privacy challenges. NIST makes numerous recommendations for companies or agencies considering the move to the cloud (including delivering a strong case for uniform management practices in the data security and governance arenas).

The report highlights several reasons why cloud-based SaaS applications present heightened security risks. As a means to offset the threats, NIST’s recommendation on encryption is clear-cut: organizations should require FIPS 140-2 compliant encryption to protect their sensitive data assets. This should apply to stored data as well as application data, and for Federal agencies, it’s a firm requirement, not simply a best practice or recommended guideline.

 

“We reviewed other competing solutions and quickly concluded that the design approach taken by PerspecSys, which enables its solution to fully maintain Salesforce.com functionality whilst offering the strongest options for protecting data, would enable us to have the best solution to underpin our data residency and security offering for our Salesforce.com customers”

Andre Klose-Managing Director,
ClientHouse

 

Copyright © 2013 PerspecSys Inc.
