Is there such thing as an Android tablet that meets FIPS 140-2 Level 2 Requirements? I see Samsung tablets meet...
Level 1, and it looks like Blackberry 10 is actually Level 2. Does this require certain configurations within OS level? Is Android OS security up to par for FIPS 140-2 Level 2?
When evaluating devices that will be storing or processing sensitive data, it is essential to fully understand the security assertions a vendor makes about its products. Marketing claims like "meets FIPS 140 standards" or "FIPS encryption" should be disregarded -- instead look for "FIPS 140-2 Level N Certified." This means the product has undergone the rigorous certification process at an accredited testing lab. Even this certification should be checked out on NIST's cryptographic module validation program, as it's vital to understand the environment in which the module was tested.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard, commonly referred to as FIPS 140-2, used to accredit the design and implementation of cryptographic modules. A cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. FIPS has four increasing, qualitative levels of security requirements numbered one to four that address various security scenarios. The requirements cover areas such as specification, cryptographic module ports and interfaces, roles, services and authentication, physical security, operational environment, cryptographic key management, design assurance and mitigation of various attacks.
Even when a particular module has been FIPS-140 accredited, it doesn't mean that the same level of security can be achieved if the module is deployed in a different device, environment or with different configurations. The scope of the certification is also important, so take the time to find out what has been tested and in what scenarios. OpenSSL, for example, has FIPS 140-2 certification, but FIPS validation only checks the crypto routines. This means that the heartbeat protocol, which is not part of the crypto module, is outside the scope of FIPS certification -- something that not many people were aware of until the Heartbleed vulnerability was discovered.
There are no Android, Apple or Blackberry devices listed that are FIPS 140-2 Level 2 certified, but the Blackberry 10 Secure Work Space module and Samsung KNOX Workspace, which separate personal data from sensitive corporate content, both are. The value of having FIPS 140-2 Level 2 certification in these instances is that it provides proof of a consistent implementation of cryptography across the entire container solution: data stored in the container, data shared between containers, data in use by container apps and data in transit between the app and a back-end corporate server or cloud service.
While FIPS 140-2 certified products can provide stronger security for sensitive enterprise data, those using them need to be fully trained in how to use the different security features, otherwise user error or negligence can still lead to data being exposed. For example, IronKey Workspace W700 and W700SC USB drives are FIPS 140-2 Level 3 certified and can store a complete Windows 10 desktop, but the user still needs to be security aware and vigilant when using it, particularly as certification only covers the threat landscape at a single point in time.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Learn more about new Android M security improvements
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading