Is your key management appliance actually FIPS validated?

 

When your main job is to protect the proverbial “keys to the kingdom” for many enterprise-wide applications that encrypt data, it’s important to have confidence that your key management system enforces high-assurance, dependable security controls. Not only must your keys remain secured during the lifetime of your data, companies also have to periodically demonstrate proof of that protection to auditors. That proof lies with your key manager. So ask yourself—can you trust your key management practices and procedures today? What assurance guarantees can you rely upon?

It may not seem like a big deal to the ordinary person, but security-conscious customers care a great deal about FIPS 140-2—the standard that determines security assurance level. Security vendors may tell you that their security appliances are FIPS validated, but ask them to prove it! You have the right to ask a security vendor to point you to their certificate or you can simply go look online to see if their key management appliance has been officially validated. I’ll show you where to look, a little further into the blog.

If you do ask a vendor if the products they are pushing are officially FIPS validated, you will likely find yourself asking questions like this...

  • The certificate you sent me is over a year old and is not applicable to the version you sold me, and it’s based on older software/firmware. You’ve come out with several security updates since then.
  • Oh wait, you don’t have a current valid certificate on the equipment you want me to buy?
  • What do you mean it’s in progress? How long is that going to take?
  • I didn’t realize you meant the validation is only based on some PCI card or a crypto library *inside* your appliance. That doesn’t sound like it includes a fully validated hardware boundary (i.e., the full appliance chassis) to protect the key database, logs, configurations, etc. inside.

Yep, that’s what we hear all the time from customers that have simply had enough and want the peace of mind they get from Hewlett Packard Enterprise. If you’re running sensitive government, financial, healthcare or other industry systems that require FIPS 140-2 compliance, you better be running them on systems that are actually current, covered and compliant. No one wants to be left in the lurch, running non-compliant solutions that do not meet the federal or industry requirements that you’re under a legal obligation to follow--especially when you were given misleading information from a vendor, or the smoke and mirrors of an incomplete solution.

A FIPS 140-2 evaluation is currently a requirement for the sale of products implementing cryptography within the US federal government for sensitive, but not confidential, data. FIPS 140-2 level 2 means the hardware appliance is tamper evident and utilizes role-based authentication. Yes, the hardware could be tampered with, but you will know immediately that it has been compromised while the appliance remains locked in its rack, and you can take appropriate action for recovery. Level 2 of the certification has basically become a baseline standard and a nonnegotiable item for many companies where a compromise of key data would be an issue. It is mandatory for US federal agencies that handle sensitive information, and it is becoming increasingly important in the healthcare, legal, public safety and mobile operator sectors, which are now requiring the implementation of this standard. UK and Canadian government agencies are also incorporating the standard into their government encryption environments.

Hewlett Packard Enterprise sets the pace for security vendors when it comes to meeting or exceeding worldwide standards and best practices. FIPS is just one standard we stand behind. FIPS is an acronym for Federal Information Processing Standards. This is a set of computer security standards established by the US federal Department of Commerce’s National Institute of Standards and Technology (NIST). The Computer Security Division within NIST works with the Communications Security Establishment (CSE) of the Government of Canada to drive the Cryptographic Module Validation Program (CMVP). They review and verify the testing results of independent labs for vendor cryptographic modules wishing to obtain a FIPS 140-2 validation. “Vendor affirmed” does not equal “vendor validated”. “FIPS Ready” and “Designed to FIPS” do not mean a product is validated either. Besides keeping your key environment certified, equipment that is CMVP validated will help neutralize security weaknesses and interoperability problems between different vendor products. Vulnerabilities show up fast, and systems that operate with older firmware are going to be hit first. Feel free to search this page and see if your security appliances have a current, viable validation—you might not find one: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

Are you running any applications that still use SSL with firmware prior to 2015? It’s unlikely after POODLE, Shellshock, Heartbleed, etc., which made firmware upgrades in 2015 critical. Ask if your security vendor’s FIPS-validated software or firmware was developed prior to 2015!

Version 4.0 and 4.1 firmware on the HPE Enterprise Secure Key Manager (ESKM) appliance is fully FIPS 140-2 level 2 validated by NIST. If you’re running HPE ESKM 4.1 you can feel confident of better security assurance because you’ll be protected with the most current, viable solution on the market. When HPE releases updates or patches that have NOT yet gone through FIPS validation, you’ll know the "apple didn’t fall far from the tree" and you are choosing a more reliable update.

Ask us about our SNIA certification as well for HPE ESKM’s implementation of the Key Management Interoperability Protocol (KMIP) which is governed by the OASIS standards body. HPE ESKM was the first hardware vendor to be certified by SNIA for the KMIP standard for security solution interoperability.
