In an era where data is the lifeblood of enterprise operations and data security threats are increasingly sophisticated, the imperative for robust secure data storage has never been more critical. For IT leaders, from enterprise architects to CIOs, the responsibility of safeguarding organizational data is paramount. Recognizing this, Cloudian is proud to announce a landmark achievement: our HyperStore object storage platform has attained FIPS 140-3 validation for its integrated Cloudian-FIPS Java API (C-FJA) cryptographic module.
Replacing our previous FIPS 140-2 accreditation, this validation isn’t just a certification; it’s a testament to Cloudian’s unwavering commitment to delivering the highest echelons of data protection and a cornerstone of our data security strategy. For IT professionals tasked with designing, implementing, and managing storage infrastructure, this development offers tangible assurances and significant benefits.
Understanding the Gold Standard: What is FIPS 140-3?
The Federal Information Processing Standard (FIPS) Publication 140-3 is the latest iteration of a U.S. government security standard used to validate cryptography modules. Overseen by the National Institute of Standards and Technology (NIST), FIPS 140-3 is recognized globally as a benchmark for cryptographic security. It establishes stringent requirements for the design, implementation, and operation of cryptographic modules, encompassing hardware, software, and firmware.
Achieving FIPS 140-3 validation means that a cryptographic module has undergone rigorous independent testing by an accredited laboratory and has been confirmed to meet these exacting standards. For IT professionals, specifying FIPS 140-3 validated solutions provides confidence that the data encryption mechanisms protecting sensitive information are sound and have been thoroughly vetted. While FIPS 140-3 has four security levels, Level 1, which Cloudian’s C-FJA module has achieved, provides a foundational level of security and is appropriate for software-only cryptographic modules, ensuring they operate in an approved manner using validated algorithms. This is crucial for developing a comprehensive Data Protection Policy and simplifying data protection impact assessments.
The transition from FIPS 140-2 to FIPS 140-3 aligns with international standards like ISO/IEC 19790, reflecting the evolving landscape of data security threats and best practices. For organizations, especially those in regulated industries like government, finance, and healthcare, or those aspiring to meet high data security best practices, FIPS 140-3 is often a prerequisite.
Tangible Benefits for IT Leadership and Operations: Value of FIPS 140-3 Validation
For enterprise architects, storage administrators, VPs of IT, and CIOs, Cloudian HyperStore’s FIPS 140-3 validation provides several important advantages that contribute to data security and operational efficiency:
- Strengthened Security Posture: Independently validated, best-in-class cryptography for data-at-rest encryption is utilized, enhancing the security foundation.
- Simplified Regulatory Compliance: This validation assists in meeting Data Protection Regulations that mandate or recommend strong encryption.
- Enhanced Risk Mitigation: Utilizing proven data security solutions helps reduce risks associated with data security threats, including ransomware and data breaches.
- Informed Data Protection Strategy: FIPS 140-3 validation supports the development and implementation of a robust Data Protection Policy.
- Increased Stakeholder Confidence: Demonstrating adherence to data security best practices through this validation can build trust with customers, partners, and internal stakeholders.
- Future-Proofing: Alignment with the latest FIPS standard ensures the cryptography remains robust against current and emerging threats, contributing to long-term data security.
- Improved Data Observability & Governance: Verified encryption standards enhance visibility into the security state of data assets, which supports data governance and security oversight.
Ultimately, achieving FIPS 140-3 validation offers a robust foundation for secure data management and strategic data protection.
Cloudian HyperStore & Bouncy Castle: A Synergy for Advanced Cryptography
Cloudian HyperStore leverages the robust, open-source Bouncy Castle Java cryptography libraries. Specifically, it’s the FIPS-certified version of this module within HyperStore that has achieved FIPS 140-3 validation (NIST Certificate #5068). This integration ensures that data-at-rest encryption within the HyperStore object storage environment meets the demanding criteria set by NIST.
Why is this significant for enterprise architects and storage administrators?
- Validated Encryption: It confirms that the core cryptography safeguarding your data within HyperStore employs approved algorithms and secure key management practices.
- Component of a Secure Architecture: This validated module is a critical building block in a multi-layered data security strategy, providing a strong foundation for protecting data throughout its lifecycle.
- Trust and Assurance: Independent validation eliminates guesswork, providing a verifiable assurance of the cryptographic integrity of the storage platform.
The use of a well-regarded module like Bouncy Castle, now with FIPS 140-3 validation, means that Cloudian HyperStore benefits from a mature, widely reviewed cryptographic library, further enhancing the platform’s security posture for secure data storage.
Under the Hood: How the Cloudian FIPS Module Secures Your Data
The Cloudian-FIPS Java API (C-FJA) module, as validated under FIPS 140-3, serves as the cryptographic engine within Cloudian HyperStore. It is crucial for protecting your data not only when it is stored (data-at-rest) but also, through configuration, when it is transmitted (data-in-flight via TLS). But how does it achieve this?
At its core, the C-FJA module is a software library that provides a comprehensive suite of cryptographic services. When HyperStore needs to perform a cryptographic operation—such as encrypting data before it’s written to disk, or decrypting it upon retrieval—it calls upon the C-FJA module. This module is responsible for executing these operations strictly in accordance with FIPS 140-3 requirements.
Key aspects of its operation include:
- Approved Cryptographic Algorithms: The module exclusively uses NIST-approved cryptographic algorithms for its operations. This includes robust symmetric key algorithms like AES (Advanced Encryption Standard) for bulk data encryption, hashing algorithms like SHA-2 and SHA-3 families for data integrity verification, and algorithms for message authentication (CMAC, HMAC), digital signatures (RSA, ECDSA), and secure key generation/agreement – all of which are foundational for both data-at-rest and data-in-flight security.
- FIPS Mode of Operation: To comply with FIPS 140-3, the module operates in a “FIPS Approved mode.” This means that only the validated, secure functions and algorithms are enabled. Any non-approved functions are disabled, ensuring that all cryptographic processes adhere to the stringent FIPS standards, whether applied to stored data or data in transit.
- Integrity and Self-Tests: Before performing any cryptographic operations, the C-FJA module executes a series of power-on self-tests. These include an integrity check to ensure the module’s software hasn’t been tampered with, and algorithm tests to verify that the cryptographic functions are operating correctly. It also performs conditional self-tests, such as continuous random number generator tests, during operation to maintain ongoing assurance of its integrity. Crucially, if the C-FJA module fails any of these critical self-tests during startup, HyperStore is designed to prevent itself from loading. This strict behavior ensures that the system will not operate if the integrity of its FIPS-validated cryptography cannot be guaranteed, thereby upholding the highest standard of data security and preventing any data processing without the assurance of validated cryptographic functions.
- Securing Data-in-Flight (TLS): Beyond its role in data-at-rest encryption, Cloudian HyperStore can be configured to utilize the C-FJA module to secure data in transit. When this option is enabled for Transport Layer Security (TLS) connections – for example, HTTPS access to the management console or S3 API endpoints – the module’s FIPS-validated cryptographic algorithms are employed for critical TLS operations. This encompasses establishing secure sessions through cryptographic handshakes, authenticating communicating parties, ensuring data integrity during transmission, and encrypting the data exchanged, all performed using FIPS-approved ciphers and protocols. This capability extends the umbrella of FIPS-validated security to cover data as it moves to and from the HyperStore cluster.
- Secure Key Management with KMIP: Cloudian HyperStore utilizes the Key Management Interoperability Protocol (KMIP) for enterprise-wide management of encryption keys. While HyperStore, through KMIP, manages the lifecycle of these keys (e.g., generation, storage, rotation, and revocation), the C-FJA module provides the secure FIPS-validated cryptographic functions for using these keys within its cryptographic boundary. This division of responsibility ensures that key management adheres to industry standards while the actual cryptographic operations involving those keys are performed by the validated FIPS module.
By integrating this FIPS 140-3 validated cryptography module for both data-at-rest and data-in-flight protection and providing robust key management integration via KMIP, Cloudian HyperStore ensures that the fundamental cryptography protecting your data is not just strong, but also implemented correctly, verifiably secure according to globally recognized standards, and operationally flexible. This provides enterprise architects and storage admins with a high degree of confidence in the underlying security mechanisms of their object storage infrastructure.
Aligning with CyberStorage Principles: Proactive Data Protection
The FIPS 140-3 validation directly supports and enhances Cloudian’s alignment with the CyberStorage paradigm, as detailed in NIST’s Cybersecurity White Paper (NIST.CSWP.29). CyberStorage calls for storage solutions that actively participate in protecting data, moving beyond passive repositories to become integral components of an organization’s cybersecurity framework. The core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) are all relevant here.
Cloudian’s FIPS 140-3 validation specifically bolsters the “Protect” function by ensuring that the data encryption mechanisms are independently verified to be strong and correctly implemented. This is fundamental because if the encryption itself is flawed, all other security measures built upon it are weakened.
For VPs of IT and CIOs shaping their organization’s data protection strategy, leveraging CyberStorage principles means:
- Resilience Against Ransomware: Strong, validated cryptography is a primary defense against ransomware. If attackers cannot decrypt your data, their leverage for demanding ransom is significantly diminished. This is a key aspect of ransomware backup and ransomware data recovery.
- Enhanced Data Integrity: Validated cryptographic modules ensure that data remains unaltered and trustworthy.
- Improved Data Observability: Knowing that your data is protected by FIPS-validated encryption enhances data observability from a security and compliance perspective. You have higher confidence in the state of your data’s protection.
Combined with other HyperStore features like S3 Object Lock for immutable storage, this FIPS validation creates a formidable barrier against data security threats, ensuring high data availability even in the face of attacks.
The Broad Spectrum of Data Protection: Regulations, Resilience, and Recovery
Achieving FIPS 140-3 validation is not an isolated technical achievement; it has far-reaching implications for an organization’s overall data protection posture.
Meeting Data Protection Regulations: While FIPS 140-3 is a U.S. standard, its rigor makes it a valuable asset for meeting various international and industry-specific Data Protection Regulations. For instance:
- GDPR Data Protection: The GDPR mandates “appropriate technical and organizational measures” to ensure data security. Using FIPS-validated encryption is a strong indicator of such measures, particularly for sensitive personal data.
- HIPAA, PCI-DSS, and others: Many regulations require strong encryption. FIPS validation provides a clear benchmark that helps organizations demonstrate due diligence.
- Data Sovereignty: For organizations dealing with Data Sovereignty requirements, ensuring that data stored within a specific jurisdiction is protected by globally recognized encryption standards like FIPS 140-3 is crucial.
Building Ransomware Resilience: Ransomware remains one of the most significant data security threats. A multi-layered defense is essential:
- FIPS-Validated Encryption: Protects data at rest, making it unreadable to unauthorized parties.
- S3 Object Lock (Immutable Storage): Cloudian HyperStore’s support for S3 Object Lock allows data to be made immutable for a defined retention period. This means that even if attackers gain access, they cannot encrypt, modify, or delete the protected data. This is a game-changer for ransomware data recovery, ensuring a clean copy of data is available.
- Ransomware Backup Strategies: Combining immutable storage with regular, verified backups creates a robust ransomware backup solution. FIPS-validated encryption on these backups adds another layer of security.
Ensuring Continuous Data Protection and Availability: Continuous Data Protection (CDP) aims to minimize data loss by capturing changes in real-time or near real-time. The security of the underlying storage is critical, and Cloudian HyperStore’s FIPS 140-3 validated encryption ensures that this continuously protected data is also continuously secure. This is a testament to Cloudian’s dedication to providing secure, scalable object storage that supports high Data Availability, ensuring data is both accessible and trustworthy when needed.
Cloudian: Leading the Charge in Secure, Scalable Object Storage
The achievement of FIPS 140-3 validation for the C-FJA cryptographic module within HyperStore is a significant milestone. It’s a clear signal of Cloudian’s dedication to leading the market in secure data storage. In an environment where data volumes are exploding and cyber threats are ever-present, IT leaders require storage solutions that are not only scalable and performant but also inherently secure.
By integrating validated, cutting-edge cryptography, aligning with CyberStorage principles, and enabling features like S3 Object Lock for immutable storage, Cloudian HyperStore provides a comprehensive platform for modern data protection. This allows organizations to confidently manage their data assets, meet stringent Data Protection Regulations, ensure Data Availability, and build a resilient data security strategy for today.
Moreover, Cloudian’s strategic reliance on the Bouncy Castle cryptographic libraries, which are at the forefront of developing and incorporating post-quantum cryptography, positions HyperStore to readily adapt to the next generation of data protection. This forward-looking approach means Cloudian is actively preparing to integrate these future PQC capabilities, ensuring HyperStore will offer long-term, resilient data security against the emerging threat of quantum computing, future-proofing our customers’ valuable data. This commitment to innovation solidifies Cloudian’s role not just as a provider of secure storage, but as a long-term partner in safeguarding your digital future.
Tom Blumenthal, Product Manager, Cloudian