Blog | SafeLogic

17 Jun 2016

Format-Preserving Encryption (FPE) in ‘FIPS Approved’ Mode

The FIPS 140-2 Implementation Guidance (IG A.10) now includes vendor affirmation requirements for the format-preserving encryption modes FF1 and FF3 specified in NIST SP 800-38G.

As its name suggests, format-preserving encryption produces ciphertext in the same format and length as the plaintext: a 16-digit number encrypts to another 16-digit number. That lets a legacy application protect 16-digit credit card numbers and 9-digit social security numbers in a database without changing the storage allocations (or the downstream code that expects those formats). FPE has saved a lot of headaches in these use cases, as you can imagine.
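To make the "same format and length" property concrete, here is an added example (not SafeLogic code, and not a conformant SP 800-38G implementation): a Feistel network over decimal digit strings that follows the FF1 structure from SP 800-38G (two numeral-string halves, ten rounds, round output added modulo 10**m), with one substitution so it runs on the Python standard library alone: HMAC-SHA256 stands in for the AES-CBC-MAC PRF that FF1 specifies. The key, tweak, card number and SSN are constructed inputs for the illustration.

```python
"""Format-preserving encryption of decimal digit strings with a Feistel network.

Added example, not SafeLogic code and not a conformant SP 800-38G implementation:
it follows the FF1 structure (alternating Feistel over two numeral strings, round
output added modulo radix**m) but uses HMAC-SHA256 as the round function where
FF1 specifies an AES-CBC-MAC PRF, so it runs with only the standard library.
"""
import hashlib
import hmac

RADIX = 10
ROUNDS = 10  # FF1 also uses 10 Feistel rounds


def _num(digits: str) -> int:
    """NUM_radix: interpret a numeral string as an integer, most significant digit first."""
    if not digits.isdigit():
        raise ValueError("numeral strings must contain decimal digits only")
    return int(digits, RADIX)


def _str(value: int, length: int) -> str:
    """STR_radix: render an integer already reduced mod RADIX**length as a fixed-width string."""
    return str(value).zfill(length)


def _prf(key: bytes, tweak: bytes, round_index: int, digits: str) -> int:
    """Round function: HMAC-SHA256 over tweak || round index || length || NUM(digits).

    Assumption for this illustration: HMAC-SHA256 stands in for FF1's AES-based PRF.
    Binding the tweak into every round means the same digits under a different tweak
    (for example, a different database column) encrypt to a different ciphertext.
    """
    value = _num(digits)
    value_bytes = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    message = tweak + bytes([round_index]) + len(digits).to_bytes(2, "big") + value_bytes
    return int.from_bytes(hmac.new(key, message, hashlib.sha256).digest(), "big")


def _split(numeral: str):
    """Split into the two Feistel halves: A of length u = n // 2, B of length v = n - u."""
    n = len(numeral)
    if n < 2:
        raise ValueError("need at least two digits to form the two Feistel halves")
    u = n // 2
    return u, n - u, numeral[:u], numeral[u:]


def fpe_encrypt(key: bytes, tweak: bytes, plaintext: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    u, v, a, b = _split(plaintext)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being rewritten this round
        y = _prf(key, tweak, i, b)
        c = (_num(a) + y) % (RADIX ** m)    # modular addition keeps c inside the radix
        a, b = b, _str(c, m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, ciphertext: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards with modular subtraction."""
    u, v, a, b = _split(ciphertext)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _prf(key, tweak, i, a)
        c = (_num(b) - y) % (RADIX ** m)
        a, b = _str(c, m), a
    return a + b


# Constructed key and tweak for the demonstration only; never hard-code real keys.
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
DEMO_TWEAK = b"card_number"


def demo() -> dict:
    """Encrypt a 16-digit card number and a 9-digit SSN; return (ciphertext, decrypted) pairs."""
    results = {}
    for label, value in (("pan", "4111111111111111"), ("ssn", "078051120")):
        ct = fpe_encrypt(DEMO_KEY, DEMO_TWEAK, value)
        results[label] = (ct, fpe_decrypt(DEMO_KEY, DEMO_TWEAK, ct))
    return results


if __name__ == "__main__":
    for label, (ct, pt) in demo().items():
        print(f"{label}: ciphertext={ct} decrypts_to={pt}")
```

The structural point is that each round adds the round function's output to one half of the digits modulo 10**m and writes the result back as a zero-padded digit string, so every intermediate value and the final ciphertext stay within the plaintext's radix and length. Swapping the PRF does not change that; in a real FF1 implementation the AES PRF is the component the underlying CAVP AES testing exercises, and the Feistel construction around it is what the vendor affirms.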

For ‘FIPS Approved’ operation, until Cryptographic Algorithm Validation Program (CAVP) testing becomes available specifically for FPE, vendors need to complete CAVP testing for the underlying AES algorithm, update their module documentation, and affirm compliance with SP 800-38G. Alternatively, SafeLogic can help you plan and complete this process as easily as possible.

If you have a customer requirement to provide format-preserving encryption with FIPS 140-2 validation, then please contact us today.

[Author: Mark]

9 May 2016

Patch Panic Prevented!

Well, that’s finally behind us. After days of anticipation and fear, OpenSSL’s newest patches were released last Tuesday with little official fanfare from the Foundation and no cute names for vulnerabilities, but a good amount of comments from the peanut gallery on Twitter. Of course, the initial fix is just the tip of the iceberg. A minor spike in antacid sales on Monday, a flurry of cancelled dinner reservations on Tuesday, and a fair number of naps taken on Wednesday notwithstanding, most operations teams are in the clear… for now. We’re in that lull, the waiting period when engineers are watching like hawks, hoping nothing else breaks and that no additional work is required. The black hats are picking and probing, hoping that these patches, like so many before, have spawned new vulnerabilities to explore. We will know soon enough what they have discovered. Fahmida Y. Rashid has a great rundown of the vulnerabilities and associated fixes in her column at InfoWorld, if you’re interested.

I’m proud to say that here at SafeLogic, we handled this round of patches with grace and poise, delivering as promised for our customers. [Yes, I intend to flatter and compliment our technical team. They deserve it. High five!] Since many of our clients deploy a version of CryptoComply that is forked from and compatible upstream with OpenSSL, it is imperative that we remain on top of the latest developments. It’s one of our central mandates as a company. Our customers rely upon us to ensure that new builds are tested, operate properly for their deployment, remain in compliance, and are provided in a timely fashion. And we do, with bells on.

It’s not even so much that I just want to trumpet the accolades for our team when they do their job as expected… that is table stakes. I don’t even need to dwell on how they exceed expectations and beat time estimates on a regular basis. (They do, though!) It’s that this professionalism and commitment to customer success is what sets SafeLogic apart. Our technical team is the embodiment of what we espouse on the marketing side when we chronicle the ways that our CryptoComply products are an upgrade from open source alternatives.

We talk about strong support. We’ve asserted many times that in this exact scenario, SafeLogic simply takes care of the new builds and pushes it out to customers. We remind our customers and prospective clients that we offer dynamic, effortless updates to reflect the constantly changing landscape of operating environments. Further, our customers avoid the stigma of open source. Instead of telling their end users that “Yes, we applied all patches and we believe that we’re all set”, our clients are able to simply reassure the users, saying, “We use SafeLogic encryption. They handle all of it. We’re covered, and so are you.” It’s a wonderful thing to put their minds at ease.

Bottom line – whether you were one of the myriads of Twitter users complaining about the patching process, the “aging and bloated” codebase of OpenSSL, or if you just want a better way to handle your crypto needs, contact us now. We might already be working with your rivals, which would explain why they aren’t fazed by these patches. They are staying focused on beating you while SafeLogic takes care of the crypto piece. Don’t worry – we have the bandwidth to help you too. Let’s even the playing field and take this headache off of your plate. Let us be your secret weapon, your competitive edge, or the equalizer. Let this be the last round of OpenSSL patches that your engineers have to wrangle. Our technical team is ready.

[Author: Walt]

19 Jan 2016

The CMVP Legacy List Returns

Last week, our blog featured information about the RNG issue identified for removal by NIST. It was written by Mark Minnoch, our new Technical Account Manager, and I’m totally pumped he’s joined the SafeLogic team. If his name is familiar, it’s because he used to lead the lab at Infogard and he’s a regular at the International Cryptographic Module Conference (ICMC) and other industry events. He also contributes to our company quota for follicle-challenged white guys over 6’5”, which is a severely under-represented demographic for us.

This week, I’d like to talk a bit about the other category of FIPS 140-2 certificates that have been slated for relocation to the archive list. These validations are set to begin expiring in January 2017, and annually thereafter, for the gravest of offenses. Has a backdoor been discovered? No… Improper entropy seeding? Use of a non-approved algorithm? No, not those either. It’s because they haven’t received an update within the last five years.

That’s right. The CMVP is now taking action, and the plan is simply to move every certificate whose most recent validation date is more than five years old. For reference, “quinquennial” is the official term, meaning “every five years”. I’m adding it to my list of relevant jargon for 2016.

This is the part where I remind you that SafeLogic doesn’t just provide a fantastic crypto module. We don’t just complete FIPS 140-2 validations in 8 weeks with RapidCert. We stick around! We offer free support for the first year, which includes integration, strategy and marketing assistance. Then we encourage customers to renew their support on an annual basis to take advantage of the patches that we provide upstream of our modules. Even better, smart clients opt for RapidCert Premium, which adds annual certificate updates. These reflect the newest release of iOS, for example, so that the validation is always in full compliance for the current version.

Now comes the part where I explain why this matters. FIPS 140-2 validation has always been a pain in the ass. The queue length spiked a few years ago due to increased demand, furloughs, agency shutdowns, lack of funding… pretty much everything that could go wrong, did go wrong. The queue has softened somewhat recently, thanks to renewed effort and a few Shark Weeks (you know… act like a predator, take no prisoners…) but it is still pretty diabolical and requires significant effort to survive the process. Now they are tightening the requirements and requiring updates on a five-year interval, whether they’re actually necessary or not. The overhead needed to achieve validation has always been high, but now the maintenance needs are rising as well, and revalidation is a real and ugly possibility.

It’s time to re-examine the costs associated with handling FIPS 140 validations in-house. Hiring a consultant once to push through the initial certificate has one set of calculations, but the days of “set it and forget it” validations are a thing of the past. Keeping those consultants on retainer for updates every five years (and likely much more often than that, to complete the now-frequent NIST changes) has the potential to destroy a budget. SafeLogic brings significant value to the table as we simply take care of it. We usher the original certificate through the CMVP, we maintain it for full perpetual compliance, and we guarantee that you won’t get removed from the validated list. It’s all part of your contract.

Whether your certificate is headed to the Legacy List or you’re planning a first foray into FIPS 140-2, contact our team immediately. The game has changed and SafeLogic has the answers you need. Whether you want to call it Validation-as-a-Service or Managed Certifications or something else… we call it RapidCert and it will save you time, money, stress and effort. I promise.

[Author: Ray]

14 Jan 2016

The Transition Is Here: RNGs Disallowed in 2016

Question: I’m hearing rumors that my FIPS 140-2 cryptographic module will be moved to NIST’s Legacy Validation List on January 31, 2016.  Is this true?

Answer: The rumors are true for many organizations, unfortunately. If your cryptographic module lists any of the RNGs from FIPS 186-2, ANS X9.31, or ANS X9.62-1998 among its “FIPS Approved” algorithms, your certificate will be re-classified and moved to the Legacy Validation List unless the module is updated and its certificate reaffirmed. In addition, certificates that have not been updated since 2011 or earlier will be relegated to the Legacy List next year, as part of a five-year rolling expiration. More on that soon.

The bad news: Federal agencies have been instructed to strictly avoid products that have been moved to this Legacy Validation List. We know that DISA has already contacted technology vendors that are in danger of having their certificates moved to the Legacy Validation List. This is a demonstration of DISA’s attention to this issue – they plan to be extremely proactive and solutions that fall out of compliance will not be able to slide under the radar.  Every vendor with an RNG included on their FIPS certificate should immediately take action to keep their modules available for procurement.

NIST Special Publication 800-131A has been warning that these RNGs will be “disallowed” in 2016. SP 800-131A contains guidance on transitioning to stronger cryptographic keys and more robust algorithms. Because of concerns about increasing computing power and possible new attacks, the older RNGs have been dropped by the NIST Cryptographic Technology Group in favor of the newer SP 800-90A DRBG algorithms: Hash_DRBG, HMAC_DRBG and CTR_DRBG. Since randomness in generating keying material is essential to strong cryptography, this is a proactive step by NIST to evolve to stronger security solutions for federal agencies.
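For readers who have not yet implemented one of the SP 800-90A constructions, here is an added example (not SafeLogic code) of HMAC_DRBG over SHA-256, written from the Instantiate, Reseed and Generate steps in SP 800-90A using only the Python standard library. The reseed counter is the part worth noticing in the context of this transition: the DRBG refuses to produce output once it has exceeded its reseed interval, so a module cannot run indefinitely on a single seed. The entropy input and nonce below are constructed constants so the run is reproducible; a real module must draw them from an approved entropy source and must never hard-code them.

```python
"""HMAC_DRBG (NIST SP 800-90A, Section 10.1.2) over SHA-256.

Added example, not SafeLogic code. The entropy input and nonce used in demo()
are constructed constants for reproducibility; a real module draws them from an
approved entropy source and never hard-codes them.
"""
import hashlib
import hmac

OUTLEN = 32                      # SHA-256 output length in bytes
MAX_BYTES_PER_REQUEST = 1 << 16  # SP 800-90A: max_number_of_bits_per_request = 2**19


class HmacDrbg:
    """HMAC_DRBG; prediction resistance is obtained by the caller invoking reseed()."""

    def __init__(self, entropy_input: bytes, nonce: bytes,
                 personalization: bytes = b"", reseed_interval: int = 10_000) -> None:
        # A 256-bit security strength needs at least 32 bytes of entropy input and a
        # nonce of at least half the security strength (SP 800-90A, Section 8.6).
        if len(entropy_input) < 32 or len(nonce) < 16:
            raise ValueError("insufficient entropy input or nonce")
        self._key = b"\x00" * OUTLEN
        self._v = b"\x01" * OUTLEN
        self._reseed_interval = reseed_interval
        self._update(entropy_input + nonce + personalization)
        self._reseed_counter = 1

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update: fold provided_data into the internal state (Key, V)."""
        self._key = self._mac(self._v + b"\x00" + provided_data)
        self._v = self._mac(self._v)
        if not provided_data:
            return
        self._key = self._mac(self._v + b"\x01" + provided_data)
        self._v = self._mac(self._v)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        """Reseed with fresh entropy; resets the reseed counter."""
        if len(entropy_input) < 32:
            raise ValueError("insufficient entropy input")
        self._update(entropy_input + additional_input)
        self._reseed_counter = 1

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        """Return n_bytes of output, or refuse if the reseed interval has been exceeded."""
        if n_bytes > MAX_BYTES_PER_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self._reseed_counter > self._reseed_interval:
            raise RuntimeError("reseed required: reseed_interval exceeded")
        if additional_input:
            self._update(additional_input)
        output = b""
        while len(output) < n_bytes:
            self._v = self._mac(self._v)
            output += self._v
        self._update(additional_input)   # backtracking resistance: state moves on after every request
        self._reseed_counter += 1
        return output[:n_bytes]

    @property
    def reseed_counter(self) -> int:
        return self._reseed_counter


# Constructed inputs for the demonstration only.
DEMO_ENTROPY = bytes(range(32))
DEMO_NONCE = b"\xa5" * 16


def demo(reseed_interval: int = 2) -> dict:
    """Draw from a DRBG until its reseed interval trips, then reseed and continue."""
    drbg = HmacDrbg(DEMO_ENTROPY, DEMO_NONCE, b"example personalization", reseed_interval)
    first = drbg.generate(16)
    second = drbg.generate(16)
    try:
        drbg.generate(16)
        tripped = False
    except RuntimeError:
        tripped = True
    drbg.reseed(bytes(reversed(DEMO_ENTROPY)))  # constructed "fresh" entropy for the demo
    third = drbg.generate(16)
    return {"first": first.hex(), "second": second.hex(), "tripped": tripped, "third": third.hex()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two calls to `_update` around the output loop are what give the construction its backtracking resistance: once a request has been served, the state that produced it is gone, so compromising the DRBG later does not reveal earlier output. That, together with the enforced reseed interval, is the kind of property the retired X9.31 and FIPS 186-2 generators were never validated for.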

The good news: SafeLogic customers will not be affected. Our clients will remain on NIST’s Active Validation Lists. Federal agencies will still be allowed to acquire products that are using SafeLogic’s cryptographic modules when enforcement begins on January 31, 2016, due to our strong support team and aggressive updates to ensure compliance.  SafeLogic’s dedication to certificate maintenance has saved our customers significant time, effort and heartache.  With NIST’s renewed commitment to keeping the validation list current, maintenance is more crucial than ever before.  Neglecting your certificate can quickly render obsolete the product of years of work and significant investment – and that’s never a good thing.

Whether you have questions about the RNG transition, want more information on SafeLogic’s drop-in FIPS solutions, or your current validation is being re-classified to the archive list, please contact us. SafeLogic can help!

Now that you know SafeLogic can take care of your FIPS cert, here’s some RNG humor to help dissipate that stress:

Classic Dilbert from 2001.

[Author: Mark]

30 Dec 2015

Bring on 2016!

Ahh, the year-end crunch time is here. Closing and reconciling the books. Working with our customers to get in (or delay, when strategic, of course) last minute invoices and accruals. Making sure contracts are executed before the calendar flips over. Catching up. Projecting out. Forward planning. Requisite CEO year-end blog posts like this one. Check it off the list, Marketing Team!

To say that our 2015 was dynamic at SafeLogic is an understatement. As I’m recapping and reviewing our goals for 2015, I see areas where we “crushed it” (in the Silicon Valley lexicon), areas for improvement (yes, it’s a nice way to say that we dropped the ball on a few initiatives and no, I’m not too proud to admit it), and areas for new growth and development. I’m glad this year is behind us, because I’m just so damn ready for 2016.

SafeLogic’s 2016 campaign will be about growth, balance, and clarity. Almost like the plans of current Presidential candidates but without the lunacy and grandstanding, and a lot less spend on TV commercials (sorry, Marketing Team). So how will these elements unfold?

Well, we added some very high profile customers to our wall this year, and we’ll grow our share in the market. We’ll increase our team and improve our infrastructure to support those new clients. We will balance delivery, professional development, budgets, customer requirements, and every other moving part that defines a software company. We’ll move quickly but carefully. We’ll work on the right things for our customers and for the industry, while having clear communication internally and externally.  We’ll have a lot of fun while delivering on very serious business-driven goals.

It’s going to be an exciting time. We’re launching some of our Skunk Works projects this year, and we’ve got new projects bidding to be added to the docket. It isn’t always easy to bring innovative and progressive new ideas to a field that is historically stagnant, challenging, and sometimes non-sensical (I’m talking to you, encryption, and you, regulatory compliance). But it’s what we do. And while I think we always have room for improvement, I think we do it pretty damn well, so expect more of the same next year, in higher dosages and more frequently.

I’m thrilled about the new year. We have the right priorities, the right team, the right solutions, and the right processes in place at SafeLogic. Now will someone please turn the calendar over to January? We’re ready to rock!

[Author: Ray]

11 Dec 2015

Walking the Red Carpet with SafeLogic Customers

That 'other prize' announcement on December 10th.

The date was December 10, 2015.  Tucked nicely between the Emmys in September and the Oscars and Grammys in February, before you get to the Golden Globes in January, there was another awards announcement.  Oh, the Nobel Prize?  Yes, actually, but also the SC Magazine finalists were announced yesterday!  You weren’t watching the red carpet show on E! Entertainment?

In all seriousness, there are a lot of technology awards out there.  A whole lot.  Some of them are pay-to-play, others are just inconsequential.  SC Magazine is one of the few programs that I actually follow and appreciate, which is why I was so pumped when the list of 2016 U.S. finalists was released yesterday!  I’m pretty sure Johnny Depp got snubbed again, but there were many SafeLogic customers that were nominated.  Outstanding.  Check out the highlights below.

[Image: SC Awards 2016 finalist]

Best Cloud Computing Security Solution
Skyhigh Networks

Best Multifactor Solution
MicroStrategy
SecureAuth
Yubico

Best Enterprise Security Solution
Skyhigh Networks

Best Network Access Control (NAC) Solution
Pulse Secure

Best Behavior Analytics / Enterprise Threat Detection Solution
Vectra Networks

Best Email Security Solution
Raytheon | Websense


So awesome.  You can check out the full list, including all the finalist companies that have not yet been publicly announced as SafeLogic customers, here.  We are just so proud of all of the amazing companies that we work with every day.  Congrats to all the nominees and good luck!

[Author: Walt]

3 Dec 2015

Tackling the Federal Procurement Conundrum

Lt. Col. Scott Trail had a great editorial in National Defense magazine that I read recently. It was titled ‘How to Unlock Innovation at the Defense Department’. Coming from a Defense and Aerospace Acquisition Team Lead, this was an interesting topic to be sure.

He was a young man when he first submitted this proposal to the DoD.

Trail delivered, as he didn’t pull any punches. He emphasized the need for speed and the real urgency of accelerating the schedule for procurement and deployment, lest we fall [arguably further] behind our global rivals. In fact, he asserts an opinion that we are spending too much time trying to make drastic improvements and we need to take a more agile approach.  Deploy and revise on a much shorter lifecycle, he says.  “Speed should be considered as a strategic enabler over fielding full capacity in a single step.”  While Trail uses helicopters and amphibious transports as the examples from his area of expertise, the concept extends to smaller technology and definitely applies to software.

In our sphere, we see engineering teams that are so accustomed to the legacy FIPS 140-2 process that they automatically peg it for a future release barely on the horizon. They expect hundreds of man-hours and months of aggravation. They figure that since it used to take a year to a year-and-a-half, nothing that they build during that waiting period really matters for federal procurement. As a result, we get federal-specific software releases that are obsolete before they even get a SKU assigned, because the supported platforms are so old. Why? Because those were the relevant operating environments when the FIPS effort began.

Bottom line – it’s all too often that the software offered to the public sector is either old or non-compliant. What a conundrum! The product is updated for private use – quickly, frequently and effectively – but hasn’t received the proper testing for federal deployment. Unhelpful. The product earmarked for government has been updated, but slowly, sporadically and it’s frankly irrelevant by the time it has been revved. This is not competitive and it doesn’t help anyone!

Every production version of your solution should be ready for federal procurement. That’s our philosophy. You should be able to move at the speed of business, not on a timeline set by testing labs and consultants. The company that will win is the one that is able to sell their current product [yes, the one that marketing has described as “bleeding edge” and “next gen”] in real-time to federal, in full compliance with procurement requirements on the actual operating environments that are being used. We will be in 2016 in the blink of an eye. The fact that this is still being regarded as the stuff of sci-fi is just sad. We can do it today.

I’m not saying that SafeLogic is saving America… but I am saying that faster FIPS 140-2 validation yields faster product iterations, faster acquisitions and faster deployments. Soldiers and bureaucrats have the same appetite for current technology. Let’s give it to them as soon as possible. THAT is what will benefit our nation… and your revenue numbers.

Contact us for information on our lightning fast RapidCert FIPS 140-2 validations and how we can keep your certificate perpetually updated.  We’re ready.

[Author: Walt]

12 Nov 2015

Lockheed Martin’s Bad Stretch Was Still Better Than Yours

Lockheed Martin had a rough few months.

Lockheed Martin’s prototype Joint Light Tactical Vehicle (JLTV).

In August, Oshkosh Corporation won the contract to build the next generation Joint Light Tactical Vehicles (JLTV) for the Marines and the Army. Lockheed Martin and the incumbent, Humvee manufacturer AM General, were the runners-up.

In October, Northrop Grumman won the contract to build the Long Range Strike-Bomber (LRS-B) for the Air Force. Lockheed Martin was again the runner-up, this time despite their joint effort with Boeing. [Weren’t we just talking about frenemies?]

The first one hurt. The contract was for $6.75 billion USD, and Lockheed had bought partner BAE Systems’ entire wheeled vehicle production line and literally moved it from Sealy, Texas to Camden, Arkansas in preparation.

The second one was just brutal. The United States Air Force plans to purchase 80–100 of the LRS-B aircraft at a cost of about $600 million each. Add in an estimated $20 billion for research and development, and the total value of the contract could close in on $80 billion USD. Even shared with Boeing, that would have been a massive win for the famed defense contractor.

Artist’s concept of Lockheed-Boeing Long Range Strike Bomber - BreakingDefense.com

Lockheed Martin is a huge company with net sales over $45 billion USD in 2014. Winning either contract would have been a significant boost and a feather in their cap. Winning both would have cemented Lockheed’s title as the top dog among defense contractors. Instead, they have been forced to sit on the sidelines and exercise their right to a 100 day challenge and review of the contract award.

So why does this matter to you? Let’s do some math.

In the first case, the Hummer replacement contract, Lockheed was one of three finalists. The contract was worth $6.75 billion. Entering the final phase of the bidding, each of the bids had a reasonably equal shot at securing the contract – a 33% win expectancy, if you will.

$6,750,000,000.00 x 33% (three bids) = $2,227,500,000.00

That means that their selection to the final round of proposals was worth over $2 billion.  Obviously the contract was anticipated to be awarded in full to only one of the companies, but probability dictates the equal thirds of expected value.  Likewise, if we assume for the sake of simplicity that Lockheed Martin and Boeing would share the bomber contract 50-50, the math on the second deal is:

$80,000,000,000.00 x 50% (only two bids!) x 50% (sharing with Boeing) = $20,000,000,000.00

Lockheed’s expected contract awards, based on these simplified odds, totaled over $22 billion. While neither came through, it was a huge and worthwhile effort to bid. That calculated $22B, while unrealized, was $22 billion more than the other, unnamed companies eliminated earlier in the procurement process. It was $22 billion more than the companies that didn’t bother bidding and $22 billion more than the companies that weren’t even eligible to bid.

The questions for you: How much projected revenue from federal contracts are you leaving on the table? How big are the contracts being awarded to your rivals? Are you providing competitive proposals? Are you even eligible to bid?

If you don’t take the necessary steps to enter the public sector and provide proposals to bring your solutions to the federal government, your competitors will run wild. Their win expectancy skyrockets if you don’t participate. They can bid whatever they see fit, since you didn’t submit a proposal to keep them honest. Imagine what they’ll do with that padded profit margin – fund more R&D, increase their salesforce and marketing budget, boost their payroll so they can hire away your very best people. It won’t be pretty… except for their shareholders. They will reap the PR benefits of winning the contract, and the earned credibility will fuel efforts to parlay their success in the public sector to other regulated industries.

So yeah, Lockheed Martin had a rough couple of months when they didn’t win either contract… but it was still a better stretch than the rest of the companies who had been sitting on the sidelines all along.

These two contracts have been awarded, but there are a lot more currently open and coming soon for a variety of agencies and branches, for nearly every type of technology you can imagine. If you want to be eligible to bid on these contracts and sell to the federal government, you need FIPS 140-2 validated encryption. SafeLogic provides immediate compliance and a full validation, in your name, in 8 weeks. Let’s get you in the game!

[Author: Walt]

[Image credits: BreakingDefense.com]

21 Oct 2015

Worse than Frenemies

You’ve heard the term ‘frenemies’ before, right?  You most likely have if you’ve got kids past middle school, unfortunately.  It’s the mash-up of ‘friend’ and ‘enemy’ with the distinction defined in the helpful illustration below.

[Illustration: Frenemies vs. Enemies]

Today’s blog post is a public service announcement – Beware of frenemies.  Many of us forget about this life lesson once we are adults and it can really sting.  Frenemies come in several flavors in the business world, but many are friend/competitors.  Maybe these should be called ‘frempetitors’.

Our prime example is Samsung and Apple.  They have been engaged in litigation since 2011, and yet Tim Cook’s braintrust thought it was a good idea to contract with Samsung to produce A9 processors for the iPhone 6S.  Samsung was even accused of engaging in corporate espionage to displace TSMC, who had been slated for the full order.  Even the most forgiving folks would have to be a little suspicious, right?

Now the kicker – Samsung’s version of the A9 chip has been benchmarked for worse heat dissipation and shorter battery life than the alternative version by TSMC.  Was this malicious?  Was Samsung actively trying to undermine the reputation of Apple’s new flagship phone?  Popular Apple-centric blog ‘Cult of Mac’ says maybe they are.  The fact that the two corporate giants have been locked in mortal combat in both the courtroom and for market share automatically throws a shadow on the developing situation.  Despite Apple’s public claims that the variance is only 2-3% and it won’t affect typical use, Samsung doesn’t get the benefit of the doubt, since they are the very definition of ‘frempetitors’.  I’d love to hear the internal discussions in Cupertino on the topic.

So why do you care?  Well, we’ve had a spike lately in inquiries from companies in a specific industry that have been using an encryption product from their frempetitor.  Yes, they licensed a crypto module from [company name redacted] even though they are competing head-to-head against that company’s flagship product.  This boggles my mind.  We’re not talking about complementary offerings, we’re talking about the exact same kind of Apple-Samsung clash of the titans but on a smaller battlefield.  Why would you trust this frempetitor?  It’s not like their product is so fantastic that you had no choice. It’s certainly not that their pricing was so incredible that you couldn’t afford to pass it up.  For comparison’s sake, it’s not even like they provide FIPS 140-2 validation services, Rapid or otherwise.  This is just a head-scratcher.

What happens when their module isn’t working properly or if it is proven to be vulnerable?  Will they step up and patch it in a timely manner?  Or will they prioritize their own products and customers first, and you’ll have to wait until they get around to it?

What if your crypto provider pulls your license in an effort to sidetrack your engineering team and cripple your momentum, because you’ve been taking market share from their primary offering?  Are you prepared to pivot quickly on your competitor’s whim?

Would you be concerned that you are relying upon an internal component that was designed by a competitor?  What if it slows down your product’s performance?  What if it includes tracking capabilities so that they can monitor your install base?

Paranoid?  Sure, but definitely within the realm of possible.

If you ran a restaurant, you would never purchase your ingredients from a competing restaurant. You’d rightfully assume that they would cherry-pick the best produce, the best cuts of meat, the proverbial cream of the crop, and leave you the rest.

Would your boss/investors/shareholders/customers give you the benefit of the doubt in these scenarios?  Is choosing to work with a frempetitor ever a justifiable position in retrospect?

Skip the heartache and paranoia.  Don’t get stabbed in the back and don’t give a competitor the opportunity to be a part of your supply chain.

If you are currently using encryption provided by a company that would stand to gain from your troubles, contact us immediately and we’ll help you escape from this dysfunctional relationship. If you are considering them, please think very carefully about it before you move forward. I don’t promise never to say “I told you so”, but I do promise that SafeLogic will be ready to help when you’re ready. Plus, we have better modules, greater compatibility and platform coverage, and RapidCert’s lightning fast validation is just the cherry on top. Choose wisely!

[Author: Walt]

6 Oct 2015

The Need for Speed

The Miramar Air Show was this weekend, a highlight of the year for Southern Californians. Bay Area flight enthusiasts will get their own dose of the Blue Angels this weekend at Fleet Week San Francisco, before the iconic jet team heads to Oahu and then closes their season with dates in Georgia and Florida. I like to think that our San Diego event holds a special place in the hearts of these naval aviators, since Marine Corps Air Station (MCAS) Miramar was the setting for the film that still reigns #1 among pilots – Top Gun. I could have walked up to any of the soldiers on the base and asked if they ‘felt the need for speed’ and gotten a high five, or asked if they had ‘lost that loving feeling’ and gotten serenaded. Forget that Maverick and Goose first inverted to ‘keep up foreign relations’ years before this generation’s hotshot pilots drove a car, let alone flew a plane; Top Gun is still the most effective two hour recruiting tool in the Navy.

Bottom line – the air show was awesome.  My son had a blast (the Shockwave jet truck was a big hit) and I was left with the same patriotic awe and inspiration as years past.  I’m still thunderstruck by the engineering feats that we have achieved, as a country and as a species.

I’m also equally blown away by our continually jaw-dropping idiocy.  Chatting with one of the aforementioned millennial pilots (I’m no senior citizen, but this kid was definitely born during the Clinton administration), he told me that while some of his superiors had received iPads for flight plans, he had not.  When I pressed him, he admitted that he used his own personal iPad… with a handy app that he had downloaded from the App Store, of course.  I was flummoxed.  Yes, the app (which shall remain nameless) has an excellent reputation and yes, it has a specific setup for military usage, including a worldwide library of Department of Defense Digital Flight Information Publications (D-FLIP) terminal procedures, airport diagrams, enroute charts and publications.  Very handy.

But who is authorizing this? Or rather, who is looking the other way on this? I’m not suggesting that the app is corrupt (although it lacks FIPS 140-2 validation). I recognize that the pilots are supposed to download their relevant data before takeoff and disable the cellular radio while in flight. Good rules of thumb. But how about the GPS receiver in the tablet? It doesn’t broadcast on its own, but any app with location permission can log and upload a precise position history, and none of that has been officially sanctioned. Or what if someone has compromised the app’s traffic and is running a man-in-the-middle (MITM) attack, collecting all user destination data? In that case, they could theoretically isolate the military users, even the type of plane and originating location. Gee, that wouldn’t be helpful information at all.

iPads have been a huge boost to efficiency and to modernizing the habits of pilots, both military and civilian. I’m not disputing that. In fact, I’ve been a major advocate. That doesn’t mean that unbridled BYOD is okay, let alone encouraged. It’s a tight margin for error and it’s shrinking. We need to address it, because it’s not just the 20-something pilots that want it yesterday already, it’s every customer, big and small.

New solutions are a balancing act and always have been.  We constantly have to be vigilant, weighing the advantages of the technology with the compromises that we recognize in the current version before we can feel comfortable deploying it in sensitive environments such as the military.  This is a recurring theme in our CEO’s talks nationwide at security and technology conferences.  It’s just not enough to build something better – it has to be secure.  And it’s not enough to build something secure – it has to be ready faster.  And if it’s secure and fast?  Yes, it’s gotta be better than what’s already out there.

As a technology vendor, you need to enter production faster. Getting bogged down in the FIPS 140-2 process is a fool’s errand, but we definitely have it figured out. Build your product, add CryptoComply, move fast, beat your competitors, and win market share.

If you’ve got the need for speed, then you need RapidCert.

P.S. – Top Gun 2 is in the works, bringing back Tom Cruise as Maverick.  Seriously.

[Author: Walt]