Thursday, March 26, 2020

FIPS - An Ounce of Prevention...

FIPS and Data Storage - What you need to know

(FIPS = Federal Information Processing Standard)

In general, FIPS defines cryptographic standards.


1995: Modern FIPS crypto standards are established (FIPS 140-1).

2001: FIPS 140-2 is established, replacing FIPS 140-1 with up-to-date crypto standards; it is the current standard as of 2020.

Within FIPS 140-2 there are four levels of security requirements:

Level 1: The use of an approved crypto algorithm such as AES, 3DES, Diffie-Hellman, SHA or RSA, with secret or public keys.

https://docs.oracle.com/cd/E53394_01/html/E54966/fips-refs.html#OSFIPfips-certrefs-1


Level 2: Includes the Level 1 encryption algorithms plus tamper evidence and role-based access, such that the user is authenticated to a certain role.


Level 3: All of the requirements of Levels 1 and 2, and adds that tampering will likely result in damage to the device, and in particular to the crypto module. Also requires identification of the user, as well as key protection schemes such as storing keys in volatile memory. Finally, these keys must use separate I/O ports from data.

Level 4: All of the Level 1, 2 and 3 requirements, plus the device is zeroed upon detection of tampering. Also requires protection against temperature or voltage irregularities: any anomaly results in device zeroing.


Do you really need to implement FIPS 140-2?

The answer is yes, even if only at Level 1. Look for FIPS 140-2 certification when buying new storage; most OEMs try to certify to Level 3. Encryption helps protect against data compromise in cases where a disk is accidentally or needs to be returned to support, reduces the cost of a data breach, and can be needed to meet regulatory requirements.
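The Level 1 requirement above is about which algorithms are in use, and that is something a storage or host administrator can check before worrying about the tamper-resistance levels. The script below is an added example, not from the original post or any vendor: it audits a constructed list of crypto settings (the kind an array or host exports) against the algorithm families the post names as approved, and reads the Linux kernel's `fips_enabled` sysctl flag if present. The function names, the sample configuration and the minimum key sizes (taken from NIST SP 800-131A transition guidance, which the post does not cite) are all assumptions.

```python
"""Audit crypto settings against a FIPS 140-2 Level 1 style allowlist.

Added example (not from the original post). Algorithm families follow the
post's Level 1 list; key-size floors are an assumption from NIST SP 800-131A.
"""
import re

# Families the post names as approved at Level 1.
APPROVED_FAMILIES = {"AES", "3DES", "DH", "SHA", "RSA"}

# Minimum key sizes in bits (assumption from SP 800-131A, not from the post).
MIN_KEY_BITS = {"RSA": 2048, "DH": 2048, "AES": 128}

# Spellings seen in vendor configs, mapped to the family names above.
_ALIASES = {"TDES": "3DES", "DESEDE": "3DES", "DIFFIEHELLMAN": "DH", "DHE": "DH"}


def _token(algorithm):
    """Upper-case the name and drop separators: 'aes-256-xts' -> 'AES256XTS'."""
    return re.sub(r"[\s_-]", "", algorithm.upper())


def classify(algorithm):
    """Return (family, key_bits) for a config string such as 'RSA-2048'.

    key_bits is None when the digits are not a key size (SHA digest length,
    the '3' in 3DES) or when the string carries no number at all.
    """
    token = _token(algorithm)
    if token.startswith("3DES"):
        return "3DES", None
    m = re.match(r"([A-Z]+)(\d*)", token)
    if not m:
        return token, None
    name, digits = m.group(1), m.group(2)
    family = _ALIASES.get(name, name)
    bits = int(digits) if digits else None
    if family in ("SHA", "3DES"):
        bits = None
    return family, bits


def audit(config):
    """Check a {setting: algorithm} mapping; return (failures, warnings)."""
    failures, warnings = [], []
    for setting, algorithm in config.items():
        family, bits = classify(algorithm)
        if family not in APPROVED_FAMILIES:
            failures.append(f"{setting}: {algorithm} is not an approved algorithm")
            continue
        floor = MIN_KEY_BITS.get(family)
        if floor is not None and bits is not None and bits < floor:
            failures.append(
                f"{setting}: {algorithm} key size {bits} is below the {floor}-bit minimum"
            )
        if _token(algorithm) == "SHA1":
            # Still an approved hash, but SP 800-131A disallows it for signature generation.
            warnings.append(f"{setting}: SHA-1 is deprecated for digital signatures")
    return failures, warnings


def parse_fips_flag(text):
    """Interpret the contents of /proc/sys/crypto/fips_enabled ('1' means enabled)."""
    return text.strip() == "1"


def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True/False from the Linux sysctl flag, or None when the file is absent
    (non-Linux host, or a kernel without the FIPS sysctl)."""
    try:
        with open(path) as fh:
            return parse_fips_flag(fh.read())
    except OSError:
        return None


# Constructed sample settings; not exported from any real storage product.
SAMPLE_CONFIG = {
    "data_at_rest": "aes-256-xts",
    "key_wrap": "RSA-1024",
    "management_tls_hash": "sha1",
    "legacy_backup_cipher": "rc4",
    "key_exchange": "diffie-hellman-2048",
}

if __name__ == "__main__":
    fails, warns = audit(SAMPLE_CONFIG)
    for line in fails:
        print("FAIL", line)
    for line in warns:
        print("WARN", line)
    print("kernel FIPS mode:", kernel_fips_enabled())
```

On the sample above the audit fails the 1024-bit RSA wrapping key and the RC4 backup cipher, warns about SHA-1, and accepts the AES-256 and 2048-bit Diffie-Hellman entries. The kernel flag only reports whether the host's crypto module is running in FIPS mode; it says nothing about a storage array, whose certification status has to be read from the vendor's validation certificate.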
