Blue Cedar joins with OpenSSL, Akamai, NetApp and VMware to develop new FIPS module and democratize access to cryptographic library



Blue Cedar announced on Thursday that it has joined an industry initiative to develop the next-generation open-source FIPS 140-2 module for OpenSSL. Blue Cedar will collaborate with various vendors, including OpenSSL, Akamai, NetApp and VMware, in the effort to upgrade and improve secure data transfers using the OpenSSL cryptographic library.

Updating the open source FIPS 140-2 module, which is currently used by millions of web servers and internet-connected devices, will make it easier for companies to comply with the ubiquitous TLS and SSL open source cryptographic standards.

The current FIPS 140-2 module for OpenSSL is overdue for an upgrade. The last significant update was in 2012, and encryption standards have evolved considerably since then. Until a FIPS 140-2 validated cryptographic module is available for OpenSSL, federal agencies and organizations are forced to rely on older, less secure implementations of OpenSSL.

FIPS (Federal Information Processing Standard) 140-2 is an accepted certification standard used by government agencies and by the financial, healthcare, and other industries as the de facto standard for certification of the cryptographic modules used within commercial and open source products. FIPS 140-2 certification ensures strong and validated cryptographic protection for data at rest and data in transit across networks.

The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate requirements and standards for cryptographic modules that include both hardware and software components. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module.

This standard specifies the security requirements that will be satisfied by a cryptographic module. The standard provides for increasing qualitative levels of security intended to cover a wide range of potential applications and environments.

The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

Blue Cedar delivers in-app security solutions that protect mobile and other edge apps and data whenever and wherever they are used, and is contributing its expertise and other resources to the FIPS 140-2 module development effort.

Last month, an expert team of Blue Cedar security engineers took part in a face-to-face meeting in Brisbane, Australia, where members of the consortium and partner organizations focused on a modernized implementation of FIPS 140-2 that can support the community now and in the future.

“Today, if a small company wishes to engage with a government, bank, or healthcare system, it can do one of two things to meet the FIPS 140-2 certification requirement: build its own cryptographic library or buy one at great expense,” said Kevin Fox, CTO at Blue Cedar. “We are proud to be joining with other key players in the Free and Open Source Security (FOSS) community to develop an option that will maintain an open standard with truly secure cryptography that is accessible to all.”

Earlier this year, Blue Cedar added a policy capability to its enterprise product that allows enterprises to leverage mobility to accelerate their digital transformation strategies. Using this dynamic policy capability, IT teams can now push fine-grained security controls to mobile apps protected by Blue Cedar.

Blue Cedar enables IT teams to regulate access control based on dynamically configurable rules, rather than having to resort to less intelligent “allow” or “block” controls. For example, in an environment with multiple apps that must run securely, teams can configure rules that first warn users to upgrade the OS or install security patches before a certain deadline and then block access after the deadline passes.

Administrators have complete control over end-user screens, how they appear in apps, and whether to serve or block end users or warn and allow them in.

Blue Cedar also enables customers with corporate app stores to notify their users of information related to Blue Cedar-secured apps via an embedded link to the app store, giving them fine-grained control over app lifecycle communications.

For example, customers can deliver custom notifications to apps that inform end users that they are using out-of-date versions of internal apps, that newer versions of apps are available, or that old versions of apps are going out of service. They can issue multiple warnings to users to upgrade an app or face being blocked, and they can set deadlines for users to upgrade to avoid being blocked.

 
