F5 Blog

 
Archive Search Articles

Realizing FIPS Validation in Virtualized, SDN, and Cloud Data Centers

F5 ADCs help customers in regulated industries achieve compliance while ensuring their applications perform and their data is protected. With FIPS certification for BIG-IP Virtual Edition, organizations can extend compliance in cloud environments, simply and cost-effectively.

Securing your data and infrastructure while also transitioning to cloud and software-defined everything is complicated, but then throw in tighter and stricter regulatory compliance and you really have complexity and risk. If you look at the U.S. federal government, it is the perfect example of the convergence of these trends. Federal agencies are undergoing an IT transformation as they consolidate and virtualize their data centers and move to the cloud, but they also must beef up security to protect sensitive information by encrypting all data in transit. Other regulated industries such as financial services (banks) and healthcare institutions have also adopted and recognized the use of federal security guidelines and standards to demonstrate and achieve security compliance.

In May, President Trump issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, requiring all heads of executive agencies and departments to modernize and strengthen the cybersecurity utilized within federal networks and critical infrastructure. As agencies move to comply with this EO, companies currently conducting business directly with the agencies must also follow suit. If those companies do not comply, they risk losing that part of their business. Compliance requires conformance to National Institute of Standards and Technology’s (NIST) Special Publication 800-53r4, which calls for the enforcement of cryptographic requirements outlined within the FIPS 140-2 standard. 

In another example of increased security requirements, in June, the Pentagon announced new security policies that require contractors doing business with the Department of Defense must now provide “adequate security” when connecting to the DoD network and its components—which at minimum means compliance with NIST 800-171.

Section 3.13.11 states product vendors must “employ FIPS-validated cryptography when used to protect the confidentiality of Controlled Unclassified Information (CUI).” Defense contractors have until the end of calendar year 2017 to comply.

FIPS 140-2 is the mandatory security standard for hardware, software, and firmware solutions in systems that use cryptography to encrypt sensitive but unclassified information. In U.S. government procurement, all solutions that use cryptography must complete FIPS 140-2 validation. There are different levels associated with achieving compliance with FIPS 140-2, and all require the use of a NIST-certified cryptographic module. FIPS 140-2 Level 1 can be achieved by incorporating a software-based certified module; no specific physical security mechanisms are required. FIPS 104-2 Level 2 adds the requirement that the module must include features that would show evidence of tampering or locks, and can typically be achieved by using a hardware-based certified module. Commercial cryptographic modules, commonly referred to as Hardware Security Modules (HSMs), are produced by vendors such as Cavium. F5 has historically provided Level 2 compliant solutions with specific BIG-IP FIPS hardware appliance models that integrate a Level 2 certified HSM.

Now F5 is excited to announce the availability of the F5 FIPS Certified BIG-IP Virtual Edition (VE) ADC solution, running initially on VMware ESXi hypervisor. Organizations can now deploy an advanced application delivery solution that is also a FIPS 140-2 Level 1 validated cryptographic software module. Federal government agencies, U.S. military organizations, contractors, and financial services companies can now take advantage of the best-of-breed security associated with the FIPS cryptographic module on a software BIG-IP.

BIG-IP VE is the industry-leading ADC solution that enables customers to deliver L7 traffic management and optimization, load balancing, SSL/TLS offload and visibility, network firewall and DDoS protection capabilities in VMware virtualized, SDN, and cloud environments. This new certification, along with future support for other hypervisors and public cloud environments, reflects F5's commitment to meeting security compliance requirements in the cloud, combined with industry-leading application delivery capabilities in a cost-effective manner.

NIST References: