Looking at what it's not got, rather than what it has, means you could miss
the diamond in the rough
Let's pretend that it's time to elect a world leader. Here are some revealing
facts about the three candidates: Candidate A associates with crooked politicians,
and consults with astrologists; he's had two mistresses; chain smokes and drinks
8 to 10 martinis a day. Candidate B was kicked out of office, twice; sleeps
until noon; used opium in college and drinks a quart of whiskey every evening.
Finally, Candidate C is a decorated war hero; a vegetarian who doesn't smoke
and only drinks an occasional beer, and he has never had ANY extramarital affairs.
Who gets your vote? Would it surprise you to discover that Candidate A is Franklin
D. Roosevelt; Candidate B is Winston Churchill and Candidate C is Adolph Hitler?
All very interesting, but what has this got to do with FIPS, encryption or security
generally? It proves the point that you shouldn't judge a book by its cover.
There are numerous organizations that, when looking for a new solution, will
draw up a list of attributes products must have to proceed to the evaluation
phase. FIPS accreditation, CAPS and CESG all appear regularly on this list of
must-haves, especially for government bodies. They're obviously very important,
but do you know what these acronyms really mean?
Federal Information Processing Standards (FIPS), according to Whatis.com, are
a set of standards that describe document processing, encryption algorithms
and other information technology standards for use within non-military government
agencies and by government contractors and vendors who work with the agencies.
The National Institute of Standards and Technology (NIST) issued the FIPS 140
Publication Series to coordinate the requirements and standards for cryptographic
modules which include both hardware and software components for use by departments
and agencies of the United States federal government. FIPS 140-2 defines four
levels of security, simply named "Level 1" to "Level 4."
It does not specify in detail what level of security is required by any particular
application. A word of warning: FIPS 140 does not purport to provide sufficient
conditions to guarantee that a module conforming to its requirements is secure,
still less that a system built using such modules is secure.
CESG is the Information Assurance (IA) arm of GCHQ and is the Government's
National Technical Authority for IA, responsible for enabling secure and trusted
knowledge sharing, which helps its customers achieve their aims. CESG aims to
protect and promote the vital interests of the UK by providing advice and assistance
on the security of communications and electronic data. CAPS helps private sector
companies to develop cryptographic products for use by HMG and other appropriate
organizations. CAPS links the cryptographic knowledge of CESG (the national
technical authority for information assurance) with the private sector's expertise.
However, the fact that a product doesn't have accreditation does not automatically
mean that it isn't capable of achieving it. In fact, by its own admission, NIST states
that FIPS accreditation should not solely be relied upon, suggesting that even
if a product is certified, it may not actually be secure. This was
proven in January when a flaw was unearthed in certain hardware-encrypted USB
flash drives, although it is true that the certification earned by the device
in question never claimed it capable of doing what many perceived it should:
be impenetrable.
So just what should organizations examine when drawing up a shortlist of solutions?
Below are six key factors to consider when evaluating security solutions:
Accreditation: FIPS, CESG and CAPS have a place, but should not be considered
the be-all and end-all of product selection. While a useful tool in assessing
the security of encryption products, accreditation is not a guarantee that a product is
secure; the onus is on the end user to understand what they're using. What these
schemes do provide is a benchmark against which to compare and contrast products. Another
solution that meets these criteria, but without the certification, can still
be included in the evaluation if you want to make sure you are looking at ALL
Cryptography: the Advanced Encryption Standard (AES) is a symmetric-key
encryption standard adopted by the U.S. government. The standard comprises three
block ciphers, AES-128, AES-192 and AES-256. Whether you need AES-256, or whether
AES-128 would be adequate, depends on the sensitivity of the data.
Data: The United Kingdom currently uses five levels of classification;
from lowest to highest, they are: protect, restricted, confidential, secret
and top secret. It stands to reason that the sensitivity of the data being stored
on the device will determine what standards it needs to meet, or what kite marks
need to be in place, to ensure the required level of protection.
Device: Considering where sensitive data resides will help determine
the type of product you need and the standard it should have. If you are a government
body or large corporate looking to protect mobile devices, a central management
policy will be required.
Cost: A number of factors will influence just how much you spend on
protecting the data. There is the argument that you can't put a price on security,
but it has to make commercial sense. There's no point having a top-of-the-range
encryption solution if the data it's protecting is the lunchtime sandwich order!
By the same token, a minimal encryption solution would not be deemed adequate
by the ICO should the device contain personal health records transported by
a GP. The solution should be appropriate for the data it is protecting.
Company: A key element, and one occasionally forgotten when checking that products
have the right acronyms, is the credibility of the company you are buying from.
Its products might have all the certifications money can buy, but if it's been
making headlines for being breached, do you want to be the one who finds out whether they've got
it 'all sorted'?
Accreditation does not just happen; organizations have to invest vast sums
of money to ensure their products jump through the relevant hoops to attain certification.
Rather than being blinded by a set of acronyms, you should be steered by your
own security policy to determine: what you're protecting, where it is and how
it might get there. Once you've collated this data you'll be in a position to
evaluate solutions which will meet these needs.
Can you afford to discount the most appropriate technology in the marketplace
simply because it hasn't jumped high enough or spent a vast amount of money