July 2013 | SafeLogic

Archive for July, 2013

30 Jul 2013

Don’t Let Lightning Strike Twice: FIPS 140-2 Re-Validation

What’s tougher than completing a FIPS 140-2 validation?  How about completing TWO validations?

Please compose yourself and return to your seats. This is hypothetical, but you should know that sometimes lightning does strike twice, if your strategy and execution do not factor in these potential situations.  NIST’s Implementation Guidance publication for FIPS 140 and the CMVP offers five main scenarios in which re-validation becomes a concern.



Scenario 1: Modifications are made to hardware, software or firmware components that do not affect any FIPS 140-1 or FIPS 140-2 security relevant items.

Impact: While this may not seem like a big deal, there is time and cost involved. A laboratory will need to vouch for the fact that no changes are required. Not only does that take money, but it will take time for your development team to spin up a list of diffs… Or time and money if you hire a consultant to facilitate the effort.


Scenario 2: No modifications are made to any hardware, software or firmware components of the cryptographic module. All version information is unchanged. Post validation, approved security relevant functions or services for which testing was not available at the time of validation, or security relevant functions or services that were not tested during the original validation, are now tested and are being submitted for inclusion as a FIPS Approved function or service.

Impact: Adding new functions and/or services will require testing and incur costs.  Think of this as a mini-validation, as only the new features will be processed.  It will cost money and take time from development, just like taking a full validation through the traditional process.


Scenario 3: Modifications are made to hardware, software or firmware components that affect some of the FIPS 140-2 security relevant items. An updated cryptographic module can be considered in this scenario if it is similar to the original module with only minor changes in the security policy and FSM, and less than 30% of the modules security relevant features.

Impact: This is quite similar to Scenario 1, except with more cost, more time, more testing, and more development involvement.  All modifications must be catalogued and tested.  And watch out for that 30% threshold, otherwise you’ll be stuck in Scenario 5.


Scenario 4: Modifications are made only to the physical enclosure of the cryptographic module that provides its protection and involves no operational changes to the module.

Impact: At Level 1, the physical enclosure is irrelevant.  However, additional physical testing is required at Level 2.  You know what that means – more time, more money, and more aggravation.


Scenario 5: If modifications are made to hardware, software, or firmware components that do not meet the above criteria, then the cryptographic module shall be considered a new module and shall undergo a full validation testing by a CST laboratory.

Impact: This is like hitting Bankrupt in Wheel of Fortune.  You’re basically starting over.  Whether you barely exceeded the 30% threshold in Scenario 3, or you revamped your entire product, your FIPS 140-2 validation is no longer in effect and you are starting from scratch… and at the back of the queue.


One key note to remember – in each of these scenarios, if you require re-validation, your product will not be in full compliance during the waiting period.  Re-validation queues are not as impacted as they are for new validations, but it will definitely be in the magnitude of months, not days.  Can you afford to be out of compliance for that long?

If you’re already familiar with CryptoComply products, you’re probably smiling right now. For the rest of you, read on. I promise it gets better.

By implementing CryptoComply for Mobile or CryptoComply for Server, you leverage our expertise and strategy, so that your product never falls out of validation.

One of the key features of CryptoComply is the strict boundary drawn around the cryptographic module itself. Inexperienced certification managers and overzealous consultants will often embark on a quest to have a product validated from end-to-end. Not only is this unnecessary, it’s a fool’s errand. Drawing a deliberate and accurate boundary for validation provides excellent protection against re-validations. CryptoComply, for example, contains only the core cryptographic functions, ensuring that only the most critical, security-relevant changes will necessitate re-validation. In addition, SafeLogic keeps CryptoComply updated and fully validated, insuring that any changes will be reflected immediately and provided to our customers.

So if you are just embarking on your first FIPS 140-2 validation, don’t waste your time on the traditional path.  Not only will it cost you more and take longer initially, it puts you in danger of needing to re-validate.  And if you are facing re-validation, reach out to SafeLogic immediately.  We can save you time and money, and more importantly, we can ensure that this is your last re-validation.

Because really, you just need a lightning rod.  Call SafeLogic.


25 Jul 2013

The Intersection of ‘Perfect and ‘Good Enough’

There’s an old adage often attributed to Voltaire that says “Perfect is the enemy of good enough.”  I’m usually reminded of this when I am revising something for the umpteenth time and notice that I could still polish it further.  Now don’t get me wrong, I’m a big fan of improvement.  Self-improvement and home improvement, in particular.  I’m aware that at some point, you just have to stop and be content.  The trick is to know when is the right time.  When exactly is it “good enough”?

For many product managers, there is rarely an area in which “good enough” exists.  The competitive landscape drives constant pursuit for perfection and the challenge becomes delegating resources and time to the areas in which improvement can be measured and marketed as a differentiator.

When it comes to data encryption, the sweet spot comes somewhere between A=1; B=2; etc., and a randomizing algorithm with no decryption keys.  We must facilitate swift and accurate decryption, but still make it virtually impossible without authorization.  We have spent decades revising and improving our protocols, staying ahead of the malicious hackers.  We seek the tipping point, where we find the most security assurance without expending significant additional time and effort, balancing the law of diminishing returns.

Luckily, the fulcrum is already here.  NIST and the CMVP have done us all a favor and established FIPS 140-2.  By meeting this standard, your customers can count on the independent validation of the cryptographic module in use, and can trust that it is indeed “good enough”.  Without this seal of approval, we would be lost in uncertainty and doubt.

Many companies implement AES 256 encryption and call it a day.  Kudos to those that recognize and embrace the need for cryptographic algorithm protection.  However, this falls on the wrong end of the lever.  Has the algorithm been tested and confirmed?  Who has verified the implementation?  Without answers to these questions, the claim of encryption is only as valuable as the paper it is printed on, and competitors will push ahead.

In opportunities to bid for US Government contracts, the requirements are extremely blunt.  Without validated encryption, a product is considered to not have any encryption at all.

Take that to heart.  Encryption is one place where we are lucky enough to have the bar already set.  There is no advantage to cut corners, or spend endless hours trying to make iterative improvements.  The requirements are clear and the competitive field is flat.  FIPS 140-2 is no longer just a restriction set by the US Government for purchase orders, it’s the very definition of “perfect” for cryptographic solutions worldwide.


16 Jul 2013

Quantum Dawn 2

Quantum Dawn 2.  It sounds like the newest hit game on Xbox, doesn’t it?

It really is a simulated cyberattack, organized as a training exercise for financial institutions.  It is the brain child of the Securities Industry and Financial Markets Association (SIFMA), a trade group boasting the membership of hundreds of the most recognizable names in banking.  Quantum Dawn 2 will be run this week, on Thursday, July 18th, from 9 AM to 2:30 PM Eastern Time.Not a Real XBox Game

About 40 firms will participate, each supplying three delegates, so the group is relatively large.  Each will be working on platforms linked to simulated markets, so there will be no interference with real-time operations.  This setup was designed by the Department of Homeland Security.  It will also eliminate opportunities for real hackers to run rampant during the drill.  (Yes, that was my first thought as well!)

Some of you may recall Quantum Dawn 1 from November 2011.  In the original, the drill even featured an armed invasion of the New York Stock Exchange in addition to the cyberattack.  The sequel will eschew the masked men and concentrate only on the electronic trading platforms.  (So if you see what appear to be terrorists roaming Wall Street, please do call the authorities.)

The key ingredient to this drill is the real-world application of information sharing protocols.  Each team in isolation has limited data about the attack and limited resources.  By cooperating, they may learn more about the simulated threats and strategy, not only leveraging a greater reach but a greater understanding of what they are up against.

Candidly, the InfoSec community needs more of this.  Drills, sure, but more importantly, cooperation.  Not everyone has the same skill set, experiences, or perspective.  All of us stand to gain if corporations work as a team, instead of trying to remain an island.  If you don’t have the expertise, find someone who does.  We’re all in it together.


5 Jul 2013

The No-Brainer Pricing Model

I’ve blogged in the past about the timeline acceleration that our customers have enjoyed, both from CryptoComply and from the addition of the RapidCert option, and we have discussed the importance of bringing a validated product to market as quickly as possible.  Now let’s talk about the cost.

When Ray and I established SafeLogic, one of our goals was to make working with us as easy as possible.  CryptoComply was built on this premise, streamlining the integration and maintaining simplicity.  It also inspired what we like to call “The No-Brainer Pricing”.

The theory is this.  Since we have utterly destroyed the industry expectations for how long the FIPS 140-2 validation process should take, how difficult it should be, and how much gray hair it should give you, our customers would expect the cost to be proportional.  If we could bring it to market at a price point that undercuts those same traditional methods, we would create a situation where we would be partners in our clients’ success.  And that’s precisely what we accomplished.

SafeLogic is not the ‘lesser of two evils’.  Our clients don’t have to decide whether it’s worthwhile to suffer the traditional path to validation in order to save some money.  Choosing to leverage CryptoComply is a win-win!  You can even add another ‘win’ on there if you want to include soft cost savings.

Recently, an executive told us that their company had calculated roughly 50% savings in hard costs on top of saving literally six months in their product roadmap.  He had received applause from his peers and he hadn’t even related how much they had saved in soft costs, by keeping the development team on track during the process, and in anticipated lost revenue during that six months waiting period.  This has been a recurring, and very satisfying, conversation with our clients.

If your product leverages encryption, please drop us a note.  FIPS 140-2 validation is no longer the domain of large corporations who are already established in their space and have the deep pockets to absorb the costs.  You can enjoy the technical improvements, the marketing differentiation, and the access to federal customers at our “No-Brainer Pricing”, so you don’t have to decide between your budget and the benefits.  Let’s talk.

3 Jul 2013

Happy Fourth from SafeLogic

Stars and StripesIt’s the Fourth of July – a time to celebrate, watch fireworks, grill, and maybe have a cocktail or three.  At least, that’s what I’ll be doing.  One for my family, one for my company, and one for my country.

I’ve been fortunate to have opportunities to travel all over the world, and I’m always happy to come back home.  I love my country!  Sure, there are things that could be better, but from a personal and professional perspective, there is no place I’d rather be.

SafeLogic is thriving, in no small part because we’re here in the US.  We’re in the heart of Silicon Valley where the atmosphere is full of creativity and innovation, driven by freedom.  Where else in the world could we have this opportunity?  The American culture of entrepreneurship was established by the first colonists and reinforced by the settlers of the west.  We work in an industry of security and privacy, in a specialty that would not be embraced or even legally permitted by governments in some other countries.

We’ve got an amazing network of customers, partners, and venture capitalists that support, appreciate, and drive our goals.  When I get positive feedback about what we’re doing, our customers, and our roadmap, I just smile and push harder.  It’s motivating, inspiring, and even a little intimidating.  These folks are trailblazers, exploring tech advances in the same way we are, taking advantage of the opportunities presented here in America.

This Fourth, I’m reflecting on the success of SafeLogic.  We’ve worked unbelievably hard to get here.  It has not been easy, and it certainly did not come overnight or without sacrifice.  But we’re making a difference and doing cool stuff, not unlike the Founding Fathers.  We’re changing the way people think about crypto, compliance, and security.  We are helping people protect their data and preserve their liberty by providing controls for their information.

We’ve only just begun, and it wouldn’t have happened if we weren’t here in America, the land of freedom and opportunity.