FIPS 140-3: The Security Standard That Protects Our Federal Data

FIPS (Federal Information Processing Standards) [1] defines a set of public security standards developed by NIST (National Institute of Standards and Technology) [2] that govern the security requirements for cryptographic modules used in government systems. FIPS 140-3 is the latest federal security standard, which includes state-of-the-art protection for deployment environments, such as the cloud, where the system could potentially be physically accessed by untrusted parties.

Why is this important (or even relevant) for common (non-federal) workloads? Different security frameworks cater to specific domains or regions, focusing on safeguarding sensitive individual data used in those domains (e.g., name, age, and medical history in the healthcare domain or name, credit, loan, and tax records in the financial domain). 

In contrast, standards like FIPS operate on a broader and stricter scale due to the federal use case and handle highly detailed and sensitive data, such as personal, organizational, and even classified records (e.g., containing secret information related to national security or organisational integrity). Therefore, a data breach in such workloads can have catastrophic impacts on the affected parties.

Context

Some of the most infamous data breaches in U.S. history [3] targeted major companies like Microsoft, Yahoo, Facebook, LinkedIn, JPMorgan Chase, Target, Marriott, and eBay, collectively affecting over 5 billion users. These breaches resulted in the theft of sensitive personal data, including credit card information, passwords, phone numbers, birthdates, email credentials, security questions, property records, and tax information — essentially, everything you care about!

New problems demand new ways of thinking, and the evolution of software paradigms is no different. Changing business goals drive shifts in use cases, which, in turn, influence programming paradigms. On the other hand, security paradigms evolve through a cyclic interplay between exploiters and researchers: a new method addresses a threat, only to be countered by a new threat devised over time, leading to improvements and further iterations. This ongoing cycle drives the evolution of security practices.

How Are Software Security Practices Evolving Historically?

The FIPS standard is the result of the evolution of security models, encryption standards, and regulatory standards and compliance.

Evolution of Security Models

Traditional security models become inadequate as technology and threats evolve, eventually being replaced by more robust paradigms that address the complexities and vulnerabilities of modern environments. Let us examine how these models have evolved.

Previously, all popular software architectures were termed monolithic, but with the arrival of microservices, a shift occurred. Similarly, the internet security model that prevailed for decades is now referred to in cybersecurity circles as the perimeter security model, also known as the castle-and-moat model (or even the cattle-barn-fence model!). The perimeter model relied on securing the network with firewalls, assuming everything inside was trustworthy and everything outside was suspicious. 

However, advanced threats like insider attacks and supply chain compromises, along with the rise of cloud services and mobile devices, have blurred the trust boundaries. Zero trust operates on the principle that no user, device, or application is inherently trusted, and every access request must be authenticated, authorised, and encrypted based on the principle of least privilege (users or applications have only the minimum permissions needed to perform their tasks) [4], regardless of its origin.

To summarise, adapting to new models is essential for maintaining security and efficiency.

Evolution of Encryption Standards

Similar to security models, encryption standards also evolve in response to the ever-increasing computational power that threatens the effectiveness of existing encryption methods. Let’s examine the evolution of encryption standards.

Since the early days of the Internet, the Data Encryption Standard (DES) [5], based on an algorithm developed by IBM, was the standard for a long time. It used a 56-bit encryption system, which meant there were 2^56 possibilities for a brute-force attacker to try. While this seemed unbreakable at the time, modern computers with higher computing power quickly proved otherwise. The Advanced Encryption Standard (AES) [6] followed, capable of encrypting data with 128, 192, and even 256 bits. Modern encryption methods continue to evolve, with quantum computing posing a potential challenge. Preparatory research for post-quantum encryption is already underway as quantum computing advances.

Encryption standards also evolved from symmetric types (e.g., DES, AES, IDEA) that use the same key for both encryption and decryption, which is faster and more efficient for data at rest, to asymmetric types (e.g., RSA, ECDSA, PGP) that use different keys for encryption and decryption, making it more secure for data transported through insecure channels.

This progression underscores the need for continuous advancements in encryption standards to stay ahead of emerging threats.

Evolution of Regulatory Standards and Compliance

Security regulatory standards and compliance are interconnected, with standards setting the benchmarks for security practices and compliance ensuring adherence to these standards. Security regulatory standards are established specifications that outline criteria for software security and serve as benchmarks (For example, FISMA, HIPAA, GDPR). Regulatory compliance, on the other hand, refers to the act of adhering to these established standards. Both evolve with a steady phase shift between them. Together, security standards and compliance reflect a growing awareness of the need for robust security measures and the imperative to protect sensitive information.

FIPS: Convergence of Practice, Technique, and Standard

Now, let’s combine these evolution stories to examine the state of the art. Federal organizations began recognizing the need to stay at the forefront of evolution to secure ultra-sensitive government data. Following several high-profile breaches mentioned earlier, the need for a more robust security standard became imperative.

FIPS is an exemplary embodiment of such a standard, representing the latest evolution in security models and encryption standards.

FIPS consists of a set of public security standards developed by NIST for use by federal agencies and contractors. At the core of FIPS standards for encryption lies FIPS 140, which governs the security requirements for cryptographic modules used in government systems to protect sensitive information.

FIPS 140-3 emerged as the latest federal security standard, providing stronger protection in physically exposed environments like the cloud. The guiding principles of FIPS 140-3 are:

• Be robust: use stronger encryption techniques
• Be pervasive: intra-system encrypted communications
• Be modular: use micro-segmentation to limit access, inhibiting breach propagation
• Be proactive: real-time monitoring to detect unauthorized access to data
• Be future-proof: begin adopting quantum-resistant algorithms to withstand future threats

In summary, FIPS 140-3 defines the most modern security practices, founded on zero trust policies, and provides the best mechanisms for protecting sensitive data for those concerned about it.

How does it differ from other security frameworks? Different security frameworks cater to specific domains or regions, focusing on safeguarding sensitive individual data. In contrast, federal standards like FIPS operate on a broader and stricter scale because the federal use case handles highly detailed and sensitive data, such as personal, organizational, and even classified records.

Do you run enterprise Java workloads and care about data security? You should strive to use the most modern security standards to protect your data and your clients' data.

Protecting sensitive data is not just a technical challenge but a fundamental responsibility that impacts individuals, organizations, and society at large. It is critical that we learn from this evolution, adopt proactive strategies, enhance our security frameworks, and foster a culture of vigilance to safeguard our digital future.

Sources

• [1] https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
• [2] https://www.nist.gov
• [3] https://en.wikipedia.org/wiki/List_of_data_breaches
• [4] https://en.wikipedia.org/wiki/Principle_of_least_privilege
• [5] https://en.wikipedia.org/wiki/Data_Encryption_Standard
• [6] https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
• [7] https://developer.ibm.com/languages/java/semeru-runtimes/downloads
• [8] https://foojay.io/today/ibm-semeru-java-fips140-3-cryptographic-standard/