Frequently Asked Questions
What is FIPS 140-2?
FIPS (Federal Information Processing Standard) 140-2 is a US government standard that describes the encryption and related security requirements that IT products should meet for sensitive, but unclassified, use.
What does FIPS 140-2 specify?
The standard ensures that a product uses sound security practices, such as approved, strong encryption algorithms and methods. It also specifies how individuals or other processes must be authorised in order to use the product, and how modules or components must be designed to interact securely with other systems.
Why is encryption necessary?
Hard disc drives are constantly being retired (returned under warranty, sent for repair, handed back at the end of a lease, repurposed for other storage duties or sold), lost or stolen. When unprotected data leaves the owner’s control and is compromised, a company faces loss of revenue, market share and customer confidence. It may even be subject to civil penalties for violating data privacy regulations. This can be catastrophic for any organisation, and especially for SMBs.
- Seagate estimates that 50,000 drives containing terabytes of data leave data centres daily
- IBM estimates that 90 per cent of drives returned for warranty contain readable data
According to industry experts, such as the Ponemon Institute, the average cost per data breach increases every year, and on average was US$6.6 million in 2008, or US$202 per compromised record. [1]
The Ponemon Institute further estimates that 81 per cent of laptops contain sensitive data, and as many as 10 per cent of all laptops are lost or stolen during their lifetime. Additionally, it is estimated that every week 12,000 laptops are lost or stolen in US airports alone. The average cost to a business when a laptop containing sensitive, yet unencrypted, data disappears is nearly US$50,000. In extreme cases, the costs can be nearly US$1 million. [2]
What are the different levels associated with FIPS 140-2?
FIPS 140-2 defines four levels of security. FIPS 140-2 validation will specify the security level to which the product adheres.
- Level 1, typically used for software-only encryption products, imposes very limited security requirements. All components must be production-grade and various egregious kinds of insecurity must be absent.
- Level 2 requires role-based authentication. (Individual user authentication is not required.) It also requires the ability to detect physical tampering by using physical locks or tamper-evident seals.
- Level 3 adds physical resistance to disassembly or modification, making physical attack on the module extremely difficult. If tampering is detected, the device must be able to erase its critical security parameters. Level 3 also includes robust cryptographic protection and key management, identity-based authentication, and physical or logical separation between the interfaces through which critical security parameters enter and leave.
- Level 4 includes advanced tamper protection and is designed for products that operate in physically unprotected environments.
What level of FIPS 140-2 validation did Seagate obtain?
Seagate® Self-Encrypting Drive (SED) storage devices are validated as FIPS 140-2 Level 2 compliant.
Why did Seagate obtain FIPS 140-2 Level 2 validation?
Organisations of all types are increasingly demanding that data at rest should be encrypted to protect against loss or theft. FIPS 140-2 Level 2 validation is viewed as a mark of security and quality, and certifies to all buyers that the Seagate FIPS SEDs meet the US federal government requirements for security products.
What types of products are relevant to FIPS 140-2?
FIPS 140-2 applies to any product that might store or transmit sensitive data. This includes hardware products such as link encryptors, hard discs, flash drives or other removable storage media. It also includes software products that encrypt data during transit or while stored.
Do I really need this much security? Isn’t the operating system password enough?
Operating system security such as a login password can easily be bypassed by removing the hard disc and mounting it in another computer, where the original system's access controls no longer apply. Even BIOS-level ATA hard drive passwords have been found to be vulnerable unless they are combined with hardware encryption such as a Seagate SED. Encrypting the data on the hard disc or storage medium is a well-proven way of protecting it.
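The point in this answer, that permission bits are enforced only by the host operating system while the bytes on the platter are not, can be shown with a small added example. It is not code from the FAQ or from Seagate; it builds a constructed toy "disk image" (an 8-byte header of permission bits and payload length, followed by the payload), reads it once the way the original host would and once the way a second computer would, and then repeats the raw read on a copy whose payload was sealed with AES-256-GCM. The passphrase, the SHA-256 key derivation and the image layout are all simplifications made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed toy "disk image": 4-byte permission mode, 4-byte payload length,
// then the payload. An illustration of the idea, not a real file-system layout.
const headerSize = 8

func writeImage(mode uint32, payload []byte) []byte {
	img := make([]byte, headerSize+len(payload))
	binary.BigEndian.PutUint32(img[0:4], mode)
	binary.BigEndian.PutUint32(img[4:8], uint32(len(payload)))
	copy(img[headerSize:], payload)
	return img
}

// readWithOS models the original host, which honours the permission bits:
// a non-owner is refused unless the "others may read" bit is set.
func readWithOS(img []byte, isOwner bool) ([]byte, error) {
	mode := binary.BigEndian.Uint32(img[0:4])
	n := binary.BigEndian.Uint32(img[4:8])
	if !isOwner && mode&0o004 == 0 {
		return nil, errors.New("permission denied")
	}
	return img[headerSize : headerSize+n], nil
}

// readRaw models the same drive mounted in another computer: the permission
// bits are just bytes in a header, and nothing enforces them.
func readRaw(img []byte) []byte {
	n := binary.BigEndian.Uint32(img[4:8])
	return img[headerSize : headerSize+n]
}

// keyFromPassphrase is a deliberate simplification for this example; a real
// product derives keys with a proper KDF and keeps them inside the drive.
func keyFromPassphrase(pass string) []byte {
	k := sha256.Sum256([]byte(pass))
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM; the random nonce is stored in front of the
// ciphertext and the authentication tag is appended by Seal.
func seal(key, payload []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// unseal reverses seal; a wrong key fails authentication instead of
// returning garbage, so the caller gets an error rather than random bytes.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// PlaintextLeaks: owner-only permissions but no encryption; a raw read of the
// image still exposes the secret.
func PlaintextLeaks(secret []byte) bool {
	return bytes.Contains(readRaw(writeImage(0o600, secret)), secret)
}

// CiphertextLeaks repeats the raw read on an encrypted image and reports whether
// the secret is visible, whether a wrong key opens it, and whether the right one does.
func CiphertextLeaks(secret []byte) (rawLeak, wrongKeyOpens, rightKeyOpens bool) {
	key := keyFromPassphrase("constructed-passphrase")
	sealed, err := seal(key, secret)
	if err != nil {
		return true, true, false
	}
	raw := readRaw(writeImage(0o600, sealed))
	rawLeak = bytes.Contains(raw, secret)
	_, err = unseal(keyFromPassphrase("wrong-passphrase"), raw)
	wrongKeyOpens = err == nil
	pt, err := unseal(key, raw)
	rightKeyOpens = err == nil && bytes.Equal(pt, secret)
	return
}

func main() {
	secret := []byte("customer record 0001: constructed sample data")
	fmt.Println("plaintext image leaks on raw read:", PlaintextLeaks(secret))
	fmt.Println(CiphertextLeaks(secret)) // expected: false false true
}
```

The contrast is the whole lesson: readWithOS refuses a non-owner on the original host, readRaw ignores the mode bits entirely, and only the encrypted image survives that second read. A self-encrypting drive does the seal and unseal steps in hardware with a key that never leaves the drive, which is what removes the dependence on whichever host happens to be enforcing permissions.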
What organisations or businesses require compliance with FIPS 140-2?
In the USA, the National Institute of Standards and Technology requires all federal agencies to use FIPS 140-2 Level 2 Validated™ products to secure data designated as Sensitive but Unclassified within computer and telecommunications systems (including voice systems). [3] In Canada, the Communications Security Establishment (CSE) requires federal agencies to use FIPS 140-2 Level 2 Validated cryptographic modules to secure data designated as Protected Information (A or B) within computer and telecommunications systems (including voice systems). FIPS 140 validation is also a necessary prerequisite for a cryptographic product to be listed in the Canadian government’s ITS Prequalified Products List. [3] In the UK, the Communications-Electronics Security Group recommends the use of FIPS 140 Validated cryptographic modules. [4]
Civilian companies worldwide that contract with US, Canadian or UK government organisations requiring FIPS 140-2 encryption compliance are also required to be compliant. In addition, commercial companies — especially those involved in finance, healthcare, education and infrastructure (national security) — are increasingly requiring FIPS 140-2 compliance throughout the world. These companies want to follow the highest standard in protecting data. They recognise the rigour that goes into a FIPS 140 certification, find it to be the preferred standard for security and choose to depend on this standard for their own encryption needs.
What is FIPS 140-2 validation?
FIPS 140-2 validation is a testing and certification programme that verifies a product's compliance with the FIPS 140-2 standard. NIST established the Cryptographic Module Validation Programme (CMVP) to validate products against these requirements.
What does it take to get a FIPS 140-2 certification?
To be FIPS 140-2 Validated™, a product must adhere to the stated design and implementation requirements, and be tested and approved by one of 13 independent labs that have been accredited by NIST.
Which FIPS 140 standard is current?
The FIPS 140 series of publications is a set of security standards that specify requirements for cryptographic modules. FIPS 140-1 was issued in 1994 but has been supplanted by FIPS 140-2, which is the current standard and was issued in 2001. FIPS 140-3 is a new version of the standard that has been under development since 2005. A draft was issued in December 2009, but it is likely to take a year or more to supersede FIPS 140-2.
Is there a list of products that are FIPS 140-2 Validated?
NIST maintains a list of all commercially available products that have been FIPS 140-2 Validated. Go to http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.
Why is FIPS 140-2 important to Seagate sales partners?
Seagate sales partners can use the FIPS 140-2 validation as an effective marketing tool to demonstrate the quality and critical security features that other products do not have. It is an important differentiator for today’s security-minded buyers.
[1] Ponemon Institute, 2008 Annual Study: US Cost of a Data Breach, February 2009, www.ponemon.org, as quoted in "Data-breach costs rising, study finds", Ellen Messmer, Network World, 02/02/09.
[2] Intel Study: Stolen Laptops Cost to Business; eWeek, 23 April 2009; Ponemon Institute Study, April 2009.