Touch the Cloud: Closing the FIPS Validation Gap (C20c)
There is a big gap between the user’s expectation for a FIPS-validated product and the FIPS 140-2 requirements for a successful validation. The user’s expectation is that their data is always securely protected via cryptography, whether it is in transit or at rest. Cryptographic protection, in very general terms, covers all routes used to transmit data (e.g. wired network, wireless network, satellite network, Bluetooth connection, etc.) and all storage used to save the data (e.g. register, RAM, ROM, Flash, Disk, Cloud, etc.). The FIPS certificates, on the other hand, present the information from the ground floor. They often specify a (long) list of the cryptographic algorithms on the tested platforms along with complex caveats. Not only are the cloud platforms out of reach for a FIPS validation, but a clear and loud statement on secure data transit and data storage is also missing from FIPS certificates.
This presentation will analyze the causes of this disconnect through some examples. Because of the complexity of cryptography, vendors tend to piece together third-party components, ranging from hardware crypto accelerators to software libraries, for their security solutions. The Cryptographic Module Validation Program (CMVP), whose primary responsibility is to serve Federal Government agencies, is keen on the accuracy of what has actually been tested. An overarching umbrella statement on secure data protection is unlikely to be backed up by the CMVP. A few suggestions will be made at the end of the presentation in the hope of closing the gap so the CMVP can begin the effort of touching the cloud.