Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Can FIPS 140-2 certification improve enterprise mobile security?

FIPS 140-2 is a federal mobile security certification, so does it have any relevance in an enterprise setting? Michael Cobb explains.

I read that BlackBerry's Secure Work Space for iOS and Android received FIPS 140-2 certification. I know that these certifications are meant for government use, but what value or relevance do they have for enterprises? Would it be overkill to only run mobile infrastructure that has achieved FIPS 140-2 certification?

The Federal Information Processing Standard (FIPS) Publication 140-2 is one of many cryptographic standards maintained by the Computer Security Division of the U.S. National Institute for Standards and Technology. Before a technology receives FIPS 140-2 certification, it must pass through either the Cryptographic Algorithm Validation Program or the Cryptographic Module Validation Program. These programs review 11 areas that are key to protecting information:

  • Cryptographic module specification
  • Cryptographic module ports and interfaces
  • Roles, services and authentication
  • Finite state model
  • Physical security
  • Operational environment
  • Cryptographic key management
  • Electromagnetic interference/electromagnetic compatibility
  • Self-tests
  • Design assurance
  • Mitigation of other attacks

Depending on how many of the 11 requirements a cryptographic module meets, it can receive a Level 1 to Level 4 rating, with Level 1 providing the lowest level of security. FIPS 140-2 validation is an important goal for many vendors because it is a requirement for any products implementing cryptography that are to be used by the federal government or other regulated industries, such as finance and healthcare. By achieving FIPS 140-2 certification for its Secure Work Space for iOS and Android, BlackBerry can now offer a mobile security product for BlackBerry, iOS and Android devices to U.S. federal agencies. The appeal of Secure Work Space is that administrators can now extend the separation of sensitive corporate data from personal content to iOS and Android devices.

Any enterprise that collects, stores, transfers, shares and/or disseminates sensitive information should certainly favor products that have FIPS 140-2 validation over those that don't. However, certification doesn't guarantee security. USB flash drives sold by Kingston, SanDisk and Verbatim used AES 256-bit hardware encryption and had FIPS 140-2 Level 2 certification, yet security firm SySS found it relatively easy to access unencrypted data stored on them, even without the required password. But it's important to note that vulnerabilities like the one found by SySS often occur in cryptographic products and services because of poor implementation or key management errors, not because of weaknesses in the algorithms used.

Securing the data stored and communicated over a mobile infrastructure requires not only the right choice of products but also their correct configuration and integration within the infrastructure. FIPS 140-2 certified products are generally more expensive than non-certified products, so organizations may want to consider whether certain data warrants the additional cost and level of protection. FIPS 140-2 Level 2 certification only means that certain algorithms and role-based authentication are used, and that there is a level of tamper resistance and tamper-evident physical security (e.g., coatings, seals or pick-resistant locks) that must be broken to gain physical access to the plaintext cryptographic keys within the module. If these controls are excessive compared to the value and perceived risk to the data, then other products may be more relevant and more cost-effective.

Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your question now via email! (All questions are anonymous.)

This was last published in August 2014

Dig Deeper on BYOD and mobile device security best practices