FIPS 140-2 stamp a boon for customers, a “challenge” to cloud-security industry
- 24 October, 2014 11:17
It may have taken nearly two years to complete, but certification of CipherCloud's cryptographic tools to US government FIPS 140-2 requirements is finally set to help the cloud industry overcome many of the obstacles that have hindered its adoption in the past, the company's senior security director believes.
CipherCloud recently announced that its tools had completed FIPS 140-2 certification, a gruelling process that put every aspect of the company's technology through the wringer as it sought to kick-start cloud adoption in financial services, government bodies and other organisations where inherent conservatism had throttled the use of cloud services.
Compliance had provided a competitive differentiator for CipherCloud – “right now we're the only ones that have achieved this in our space,” global director of cloud security Willy Leichter told CSO Australia – but even more importantly had given many customers assurance that it was safe to proceed with large-scale cloud adoption projects.
“The projects we do tend to be large and can take 6 to 9 months to come to fruition,” Leichter said. “In a lot of cases, our customers have not deployed the cloud until they find the right compliance solutions – so we are starting from square 1. We have already seen a number of deals where they have accelerated their timing” in light of the impending FIPS 140-2 certification.
Many vendors were still playing the waiting game around formal government certification, which is expensive and requires extensive financial and staff resources. These restrictions make compliance particularly challenging for many smaller organisations, who are still ramping up their businesses and often don't have the spare resources to manage the process.
Managed by the US National Institute of Standards and Technology, FIPS 140-2 certification evaluates products against 11 different areas related to the design and implementation of a tool's cryptographic design. Tools are scored in each area to reflect relative strengths and weaknesses of each certified tool.
While the intensity of the process had made the decision to embark on certification a “game of chicken” for many vendors, Leichter said the company's decision to proceed was a “challenge” – even in Australia, where other certifications are required to get the official government imprimatur.
“We wanted to demonstrate leadership and gain confidence, and to put pressure on other vendors to go out and seek these standards as well,” he said, noting that better certifications were going to become the deciding factor for many organisations that had stayed out of the initial rush to adopt cloud services.
“We are dealing with a lot of very conservative, cautious organisations and have sold to the more forward-thinking ones already,” Leichter explained. “Now we're hitting the curve of slower moving, not-early adopter customers and I think the FIPS validation has a lot to do with that.”
“There aren't a lot of well established standards yet in the cloud, but we think it's a good thing to reassure people with this new security paradigm. It's all about giving people the confidence to put data in the cloud using our encryption.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.