FIPS 140-2 Certification & EAL 2+ Common Criteria, Why It Matters...
Kanguru Products Provide More for Securing Your Sensitive Data
You may have seen a few of the headlines where unsecured methods were used to transport sensitive data - leading to a damaging information breach. These scenarios are unfortunate, especially when there are secure methods that could have prevented such events.
In today’s high-tech world of high-speed information and ever-tightening government regulatory laws, it is very important to keep sensitive data on the most secure storage devices. You may have noticed that select Kanguru devices are FIPS 140-2 Certified as well as Common Criteria EAL 2+, and you may have questions regarding these certifications. As a manufacturer of highly secure storage products, Kanguru takes data security very seriously and adheres to strict government-level regulations. Kanguru is dedicated to ensuring that its customers and purchasers of secure IT products are provided with legitimate devices built on best practices. FIPS and Common Criteria are the main governing standards regarding information technology product security, with many levels of complexity and depth that can be confusing to many. You may wonder what exactly these governing regulations are, how they compare to each other, and why they matter. Here’s a simple look at FIPS and Common Criteria standards and how Kanguru pursues them to equip its customers with first-class products.
FIPS 140-2, or Federal Information Processing Standard 140-2, is a set of security requirements for cryptographic modules. FIPS 140-2 is overseen by the CMVP (Cryptographic Module Validation Program), a joint effort mandated by both the United States and Canadian governments. The CMVP is a partnership put in place by NIST of the United States and CSEC of Canada. There are four increasing levels of security (levels 1-4), as well as several specific certifications within FIPS (FIPS 197, etc.), with each level imposing stricter requirements from the federal government, depending on the degree of security and the quality of testing necessary. The areas of concentration include basic design and documentation, physical security measures, cryptographic algorithms, module interfaces, and so on. The National Institute of Standards and Technology (NIST) reviews its FIPS standards every five years, and those standards have been adopted by the Canadian government’s Communications Security Establishment (CSE), as well as many other countries and institutions.
By achieving the security requirements of FIPS 140-2 for cryptographic modules, Kanguru demonstrates recognized security and proficiency on which government and commercial customers can rely. Through discriminating examination, rigorous testing, and analysis, Kanguru has demonstrated that its certified products meet these quality standards for data security. Where FIPS level 1 usually focuses on software or very basic hardware modules, Kanguru has met or exceeded FIPS level 2 and level 3 requirements, which are based more on hardware, developing a highly robust and easier-to-use security product for our customers. Kanguru’s Defender Series, for example, needs no software installation, as the encryption is built right into the hardware. It is worth noting, however, that despite the good intentions of the FIPS process, it is strictly an evaluation of cryptographic modules and may leave certain components of the overall product set unevaluated. Since Kanguru Solutions takes data security very seriously, we take it one step further by pursuing Common Criteria as well.
The Common Criteria for Information Technology Security Evaluation is another accreditation process, adopted by over 24 different certifying nations through the CCRA (Common Criteria Recognition Arrangement). Under the National Information Assurance Partnership (NIAP), which is a branch of the Department of Defense, Common Criteria has a much wider review process of overall product design and functionality than FIPS, and covers the product from its inception through to the final product and its overall use. It takes an all-encompassing look at the software, hardware, and firmware of a device, as well as the overall development process of the product set from birth to commercial release. Ultimately, nearly every aspect and process that goes into the design, development, release, and support of a product is reviewed and scrutinized. Common Criteria evaluation can be a very costly and time-consuming process, but the result is a remarkably robust and secure product. This complex evaluation process involves several testing labs and authorized governing members who oversee that certain security and functionality standards are met. Like FIPS, there are several levels of achievement, based on the degree of complexity, security, and functionality necessary. Evaluated at assurance levels 1 through 7, Common Criteria tests products across a range that extends from basic security up to full-fledged national security standards.
By pursuing Common Criteria at the EAL 2+ level, Kanguru’s devices go above and beyond competing devices in the secure storage market. This is where the “rubber meets the road” when it comes to developing high-end security devices: ensuring a complete, thorough testing process and meeting the highest standards in data protection. In Kanguru’s Defender Series, for example, the Defender 2000, along with other Kanguru product sets, has been evaluated under Evaluation Assurance Level (EAL) 2. This means that the product set adheres to an agreed-upon protection profile from a certifying country, and that the follow-up testing confirms that the processes Kanguru uses to design, develop, and maintain its products are sound and secure.
Why It Matters
With the serious costs and damages associated with data security breaches, government and regulatory organizations have cracked down on financial corporations, medical institutions, and businesses alike, holding them accountable for maintaining, structuring, and managing the security of all sensitive data. Regulatory Acts such as Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA are just a few of the stringent regulations keeping organizations’ “feet to the fire,” so to speak. Violating or breaching these Acts comes with some very stiff penalties. Companies dealing with highly sensitive or personal data must adhere to and comply with these regulatory standards. Kanguru ensures that its products adhere to the highest of standards in order to assist companies and organizations in holding fast to these regulations.
By achieving both FIPS 140-2 and EAL 2+ together, Kanguru surpasses other similar devices in the industry, going above and beyond the call of duty. The fact that the entire product and its set of processes have undergone a rigorous series of security evaluations makes a more compelling case for breadth of coverage than a product that has only had a specific component evaluated. Customers can be assured that their Kanguru FIPS and EAL 2+ evaluated products meet the toughest and most stringent standards in the industry, providing the strongest option available for complying with even the most rigorous regulatory and data security laws.