Why should enterprises care about FIPS cryptography compliance by their SaaS vendors?
VP of Cloud Engineering
FIPS compliance for cryptography is a rather very technical discussion. So, let me tell you about my journey of understanding it and I’m certain that will make it easier to understand its importance and concepts. I work in Nakisa R&D team. Nakisa invests heavily in its R&D activities, resulting in a large team and as such communication channels are buzzing with a breadth of Technology discussions all the time. Nakisa is indeed a Technology company at heart, and I've been a witness to it for the past fourteen years.
Technology leadership at Nakisa has taken insightful and far-reaching decisions to adopt cutting-edge business technologies over the years and that has put Nakisa at the forefront in its business domain.
For instance, Nakisa decided to build its home-grown platform for enterprise JAVA development based on MVC architecture in 2011, well before Spring Boot was envisioned and then switched to Spring Boot when it matured. In 2014 Nakisa adopted containerization, and soon adopted Kubernetes around 2016 to orchestrate the containers.
As a SaaS provider dealing with the big data of the majority of Fortune 500 enterprises, security is always a big part of Nakisa's development culture. When Nakisa went through its largest transformation from being an on-prem to a cloud-native solution provider; data and network security were put at the forefront of its priorities. Since then, technology leadership has introduced a new word to our dictionary – FIPS compliance. It has become a security buzzword that I often hear at Nakisa.
Among multiple layers of security, one of the sensitive security areas is dealing with the ciphers, key length and algorithms used. It forms a backbone for secure channel communication across various distributed systems, and it is crucial to the data and network security in the cloud systems. This has been deemed so secure that there does not exist any fallback to this security layer. Hence the importance of maintaining this layer cannot be overstated. Given the criticality of this layer, security experts have developed and constantly updated the various key-generation techniques and algorithms over the years. This resulted in a variety of Algorithms and types of Keys, with multiple versions and end-of-life announcements. However, there has not been any easy way to manage the lifecycle & maintenance activities and a set of standards to identify which ciphers are outdated and which ones are current. There were a lot of recommendations over the years by various cyber-security communities and experts on managing the ciphers and staying updated to reduce the risk and exposures. Then came a standardization by the NIST on the cryptography modules and it was named Federal Information Processing Standards (FIPS).
FIPS has defined multiple areas of security and the most important and well-established of all is indeed the standardization of cryptography modules. This part is also the one that is very well designed with specific algorithm/key types and their minimum versions when compared to the rest of the compliance standards. It filters out not only vulnerable or weak ciphers but more importantly it has phased out the ciphers that could be weakened because of incorrect configurations by Network or IT administrators, often set unknowingly. So, it had kept only the ciphers that are very strong and there are no concerns that an incorrect configuration could undermine it. In addition, its regularly updated based on the capabilities and advances in computation and cryptanalysis hardware and techniques.
Industry adoption of FIPS standards was progressing at a slow pace over the last decade. However, post-COVID, it has taken a boost since there is a big increase in cloud computing as businesses adopted cloud solutions at a record pace. Most Linux distributions are configuring the OS based on FIPS-140-2 standards since 2020. This is bringing visibility to the compliance level and forcing IT admins to question the usage of outdated ciphers.
Nakisa has been working on FIPS compliance for more than a decade to keep its network secure and protect its highly valuable customer data by phasing out any non-compliant components with the ones that comply with the latest FIPS 140 standards. As such recently Nakisa has a dedicated release to update its Cloud Connector to stay compliant with FIPS 140-2 standards for cryptography modules. Nakisa is also offering free dedicated support to help its customers update their infrastructure to stay secure and compliant with the latest FIPS cryptography standards.