Why You Want Your Key Management Security Appliance to Be FIPS Validated
If a security vendor tells you that their encryption key management appliance is validated to FIPS 140-2 level 2, the standard that determines security assurance level, ask them to show you that their certificate is current. Also check that the certificate applies to your firmware version and is not simply based on a crypto library inside the appliance. The appliance needs to be a fully validated hardware boundary (i.e., the full appliance chassis) to protect the key database, logs, configurations, etc. inside.
Why is FIPS important?
FIPS is an acronym for Federal Information Processing Standards. A FIPS 140-2 evaluation is currently a requirement for the sale of products implementing cryptography within the US federal government for sensitive, but not confidential, data. FIPS 140-2 level 2 means the hardware appliance is tamper evident and utilizes role-based authentication. It is mandatory for US federal agencies that handle sensitive information; however, it is becoming increasingly important for healthcare, legal, public safety and mobile operators.
Companies running sensitive government, financial, healthcare or other industry systems that require FIPS 140-2 level 2 compliance need to make sure that those systems are actually current, covered and validated. No one wants to be left in the lurch running non-compliant solutions that do not meet the federal or industry requirements that companies are under a legal obligation to follow.
Know your FIPS Terminology
"Vendor affirmed" does not equal "vendor validated". "FIPS Ready" and "Designed to FIPS" do not mean a product is validated either. Besides keeping the key environment certified, equipment that is CMVP validated will help neutralize security weaknesses and interoperability problems between different vendor products. To find out if your key management appliances have a current, viable validation, view this page: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
ESKM is FIPS 140-2 level 2 validated
The HPE Enterprise Secure Key Manager (ESKM) appliance is fully FIPS 140-2 level 2 validated by the National Institute of Standards and Technology (NIST). For more information on ESKM and FIPS validation, please see this Security Products blog: Is your key management appliance actually FIPS validated?