Typically, cloud service providers protect keys using software-based solutions in order to avoid the additional cost and overhead of hardware-based security models.
Note that software-based key management solutions do not meet the physical security requirements specified in the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 140-2 or 140-3. Software alone is unlikely to be able to provide evidence of tampering. The lack of FIPS certification for encryption may therefore be an issue for U.S. federal government agencies and other regulated organizations.
FIPS 140-2
Federal Information Processing Standard (FIPS) 140 Publication Series was issued by the National Institute of Standards and Technology (NIST) to coordinate the requirements and standards for cryptography modules covering both hardware and software components for cloud and traditional computing environments.
The standard provides four distinct levels of security intended to cover a wide range of potential applications and environments with emphasis on secure design and implementation of a cryptographic module.
Relevant specifications include:
- Cryptographic module specification
- Cryptographic module ports and interfaces
- Roles, services, and authentication
- Physical security
- Operational environment
- Cryptographic key management
- Design assurance controls and mitigating techniques against attacks
FIPS 140-2 Goal
The primary goal of the FIPS 140-2 standard is to accredit and distinguish secure, well-architected cryptographic modules produced by private-sector vendors. These vendors seek (or are in the process of obtaining) certification so that their solutions and services can be used by U.S. government departments and by regulated industries (including financial services and healthcare) that collect, store, transfer, or share data deemed “sensitive” but not classified (i.e., secret/top secret).
When assessing the level of controls, FIPS is measured using a rating from Level 1 to Level 4. Despite the ratings and their associated requirements, FIPS does not state what level of certification is required by specific systems, applications, or data types.
NOTE: In cloud security, the FIPS 140-2 standard is a specification applied to Trusted Platform Modules (TPMs), hardware security modules (HSMs), and key escrow storage devices. Each of these items contains cryptographic modules requiring a specified level of protection. Although a U.S. federal concept, it is a worldwide product specification.
FIPS Levels
FIPS 140-2 certification levels are as follows:
- Security Level 1: The lowest level of security. To meet Level 1, a cryptographic module must satisfy basic requirements, including the use of at least one approved security function or approved algorithm. An encryption board in a personal computer (PC) is the standard's example of a Level 1 module.
- Security Level 2: Enhances the physical security mechanisms required at Level 1 by requiring that the module show evidence of tampering, including tamper-evident locks on perimeter and internal covers that prevent unauthorized physical access to encryption keys.
- Security Level 3: In addition to the requirements of Level 1 and Level 2, Level 3 includes preventing the intruder from gaining access to information and data held within the cryptographic module. Additionally, physical security controls required at Level 3 should move toward detecting access attempts and responding appropriately to protect the cryptographic module.
- Security Level 4: Security Level 4 is the highest rating and provides the highest level of security. Its mechanisms form a complete protective envelope around the cryptographic module, with the intent of detecting and responding to all unauthorized attempts at physical access. Detection of an attempted breach triggers the immediate zeroization of all plaintext critical security parameters (CSPs). Modules at Security Level 4 undergo rigorous testing to ensure the adequacy, completeness, and effectiveness of these mechanisms.
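The Level 4 tamper response described above, as an added illustration that is not from the standard or from any vendor's module: a hypothetical CSP container holding a plaintext key and IV, a zeroization routine written so the compiler cannot drop the clearing store as dead code, and a tamper-event handler that zeroizes every container and whose result can be verified. The structure layout, the test key, and the handler name are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical CSP container: a plaintext AES-256 key plus an IV (constructed layout). */
typedef struct {
    uint8_t key[32];
    uint8_t iv[16];
    int     loaded;
} csp_t;

/* Call memset through a volatile function pointer so the optimizer cannot treat the
   clearing write as a dead store when the buffer is about to go out of scope. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

void zeroize(void *p, size_t n) {
    secure_memset(p, 0, n);
}

/* Returns 1 if every byte of the container (key, IV, flag and padding) is zero.
   The OR-accumulate loop touches every byte regardless of where a nonzero byte sits. */
int csp_is_zeroized(const csp_t *c) {
    const uint8_t *b = (const uint8_t *)c;
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof *c; i++) acc |= b[i];
    return acc == 0;
}

/* Load a constructed test key; a real module receives keys through its key-management interface. */
void csp_load_test_key(csp_t *c) {
    for (size_t i = 0; i < sizeof c->key; i++) c->key[i] = (uint8_t)(0xA0 + i);
    for (size_t i = 0; i < sizeof c->iv; i++)  c->iv[i]  = (uint8_t)(0x10 + i);
    c->loaded = 1;
}

/* Tamper response: on a detected intrusion, zeroize every plaintext CSP immediately.
   Returns the number of containers zeroized so the caller can log/audit the response. */
int on_tamper_detected(csp_t *csps, size_t count) {
    int n = 0;
    for (size_t i = 0; i < count; i++) { zeroize(&csps[i], sizeof csps[i]); n++; }
    return n;
}

/* End-to-end check: load keys into two containers, fire the tamper event, confirm both are clear. */
int demo_tamper_sequence(void) {
    csp_t csps[2];
    memset(csps, 0, sizeof csps);
    csp_load_test_key(&csps[0]);
    csp_load_test_key(&csps[1]);
    if (csp_is_zeroized(&csps[0]) || csp_is_zeroized(&csps[1])) return 0; /* keys must be present */
    if (on_tamper_detected(csps, 2) != 2) return 0;
    return csp_is_zeroized(&csps[0]) && csp_is_zeroized(&csps[1]);
}
```

A module's self-test or audit path can call `csp_is_zeroized` after the tamper handler to confirm that no plaintext CSP survived the response.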
All testing is performed by accredited third-party laboratories and is subject to strict guidelines and quality standards. Upon completion of testing, all ratings are provided, along with an overall rating on the vendor’s independent validation certificate. From a cloud computing perspective, these requirements form a necessary and required baseline for all U.S. government agencies that may be looking to utilize cloud-based services.
Outside of the United States, FIPS does not typically act as a driver or a requirement; however, other governments and enterprises tend to recognize the FIPS validation as an enabler or differentiator over other technologies that have not undergone independent assessments and/or certification.