RapidCert Archives | SafeLogic

All posts in RapidCert

29 Aug 2017

Introducing CryptoComply for Libgcrypt

The last entry to our SafeLogic blog announced CryptoComply for NSS. A little more than a week later and that is already old news.

I have the honor of sharing two items:
First, SafeLogic scored a Gold medal win at the Golden Bridge Awards. Awesome job, team!
And second, the FIPS 140-2 validation is complete for CryptoComply for Libgcrypt and RapidCert is available immediately!

As Ray said last week, we have been hard at work expanding our product line to provide more compatibility options for our customers, based on the most common architectures that we encounter. Please check out the new product page and don’t hesitate to reach out if you have questions. We’ll be ready when you are.

 

CryptoComply for Libgcrypt blog footer

21 Aug 2017

Introducing CryptoComply for NSS

Last week, if you regularly read NIST’s list of Validated FIPS 140-2 Cryptographic Modules, you would have noticed a new addition. (If you don’t regularly read the list, I highly recommend it as a panacea for insomnia, but that’s a different story.)

I’m proud to announce that SafeLogic has completed the validation process for our CryptoComply for NSS module, the latest addition to our stable of encryption engines and now eligible for RapidCert.

This is a valuable piece to the puzzle as the SafeLogic team pursues universal compatibility options for our customers’ needs, and there is much more to come. Stay tuned as we unveil more cryptographic modules as they become available for licensing and RapidCert. If you have specific questions or requests, please contact us!

CryptoComply for NSS blog footer

23 Mar 2017

FedRAMP Kicks It Up a Notch

FedRAMPHave you been following the evolution of the FedRAMP program lately? They are proving to be as nimble as any other group in federal, and even better – they are putting an emphasis on transparency. Check out their blog Focus on FedRAMP for example. After we gave kudos to the CMVP for their recent renewed efforts, it wouldn’t feel right to forget the folks at FedRAMP.

Last month, FedRAMP rolled out an update to their 3PAO Requirements. 3PAOs, Third Party Assessment Organizations, play a huge role in the process, just like the testing labs certified by NVLAP, the National Voluntary Laboratory Accreditation Program, do for FIPS 140-2. For each certification procedure to move smoothly, the 3PAOs and FIPS labs must meet an ongoing standard of excellence. In this case, FedRAMP worked with A2LA, the American Association for Laboratory Accreditation, and determined that they “need to strengthen the 3PAO accreditation requirements to provide for greater 3PAO oversight to ensure that a FedRAMP Accredited 3PAO provides the highest quality, most technically accurate assessments for the Cloud Service Providers (CSPs) who participate in the FedRAMP Program.”

FedRAMP-RAR-768x806An even bigger step forward was taken when FedRAMP unveiled the FedRAMP Readiness Assessment Report (RAR) Template as part of their FedRAMP Accelerated Process initiative in the summer of 2016. Their primary goal was to give Cloud Service Providers a pre-audit tool to self-assess and prepare themselves for scrutiny. But even more importantly in my opinion, the RAR was created as a living document, intended to be updated as needed to shed light on areas that need further interpretation. (Pro tip – make sure that you download the latest version of the RAR when you are prepping and doing due diligence. 3PAOs must use the most current RAR template that is available on the FedRAMP website at the time of submission.) This has been a huge help for CSPs hoping to secure FedRAMP approval. We have had more than a few frantic phone calls from CSPs that were suddenly faced with a mandate for FIPS 140-2 validation and they didn’t have a strategy. This should assist folks plan ahead and develop a more comprehensive plan in advance.

Despite our efforts to raise awareness about the requirement for FIPS 140 in FedRAMP over the last few years, it had still been a subject of debate. So it’s great that FedRAMP has finally made it more explicit in the RAR. For example, Section 4. Capability Readiness, subsection 4.1 Federal Mandates, bluntly asks “Are FIPS 140-2 Validated or National Security Agency (NSA)-Approved cryptographic modules consistently used where cryptography is required?” This should be no surprise, of course. A federal program requiring the crypto to be federally approved. That makes more sense than many bureaucratic requirements, doesn’t it? More below about the NSA caveat.

Further, check out subsection 4.2.1. Approved Cryptographic Modules [SC-13]:

The 3PAO must ensure FIPS 140-2 Validated or NSA-Approved algorithms are used for all encryption modules. FIPS 140-2 Compliant is not sufficient. The 3PAO may add rows to the table if appropriate, but must not remove the original rows. The 3PAO must identify all non-compliant cryptographic modules in use.

Table 4-2. Cryptographic Modules

  Cryptographic Module Type FIPS 140-2 Validated? NSA Approved? Describe Any Alternative Implementation
(if applicable)
Describe Missing Elements or N/A Justification
Yes No Yes No    
1 Data at Rest [SC-28]
2 Transmission [SC-8 (1), SC-12, SC-12(2, 3) ]
3 Remote Access [AC-17 (2)]
4 Authentication [IA-5 (1), IA-7]
5 Digital Signatures/Hash [CM-5 (3)]

As you can see from the Cryptographic Module planning matrix above in Table 4.2, FedRAMP is taking extra care to highlight the need for a FIPS validated module. They clearly had more than a handful of conversations with CSPs trying to argue for the use of a selection of algorithms from the CAVP list as ‘good enough’ and wanted to nip that in the bud. In fact, those were their bolded terms, not mine! The distinction is very important and the clarification was clearly needed.

I almost forgot. Circling back for those of you eyeballing the ‘NSA Approved’ verbiage as a potential loophole to bypass FIPS 140, I have just two words: Good. Luck.

That ubiquitous AES-256 implementation that you’re hoping will satisfy this requirement, because, after all, it is an included component for NSA Suite B… yes, well, it’s also included in FIPS 140-2 and therefore governed by CMVP/CAVP. So if there’s no CAVP certificate, and it’s not implemented as part of a CMVP validated FIPS 140-2 cryptographic module… well, let’s just say that you already missed St. Patrick’s Day and you’re going to need a whole truckload of four-leaf clovers for that to pass muster.

FedRAMP is taking great steps to take the mystery out of the process, and one of those major clarifications is the explicit reliance on the CMVP and FIPS 140-2 validation. If you’re reading this blog, you probably already know it, but nobody handles FIPS 140-2 requirements as quickly, easily, or effectively as SafeLogic. For more information, please explore our products and services at your leisure. They are designed to work in tandem and remove the hassle for your team. As always, contact us with any questions.

 

BlogFooterWalt3

7 Mar 2017

The CMVP Historical Validation List Is Here with a Vengeance

SunsetEditor’s note: This post was updated on March 14, 2017 to reflect a distinction that came to light in dialogue with CMVP – validations moved to the Historical List have not been revoked outright. The validation still exists, but are not for Federal Agencies to include in a new procurement. Agencies are recommended to conduct a risk determination on whether to continue using existing deployments that include modules on the Historical List.

Over a year ago, our blog featured posts about the RNG issue that was leading to certain FIPS 140-2 validations moving to the Historical List and the 5 year sunset policy that CMVP was adopting. [Geez, was that really more than a year ago? Crazy.]

Now the hammer has dropped, and the industry is seeing modules routinely relegated to the Historical List each month. The sunset policy created a waterfall in January 2017, and as of today, there are 1,914 modules on the Historical List, representing approximately 2/3rds of the total validations completed in the history of the CMVP.

Let me repeat that for emphasis. 1,914 modules.
Approximately 2/3rds of all modules ever validated by NIST to meet the FIPS 140 standard are no longer on the active validation list.

This includes some modules that were updated in 2016, and a few were even just revised in 2017! Many of these are hardware, so they are often more static and harder to update, but certainly not all. Check out the entire Historical Validation List for yourself. It’s a veritable “Who’s Who” of once-proudly validated companies. Big names, hot startups, none are immune. Between the sunset timeline and the active removal of modules that are no longer compliant, the herd has been severely thinned.

The takeaway? Maintaining FIPS 140 validation is really hard! It’s not “just one big push” to get on the list anymore. It requires constant vigilance to stay on top of the updates and to keep up with NIST’s reinvigorated policies. A more active CMVP can seem like a pain in the ass at first glance, but it is ultimately better for the industry. Nobody (except for lazy vendors) benefited from old, insecure, ‘grandfathered’ modules remaining on the active validation list. A stringent, active CMVP has embraced their role as a clearing house and it increases the value of the modules that do satisfy current standards. And I think they’re doing a great job.

This underscores the strategic significance of relying upon SafeLogic to complete and maintain FIPS 140-2 validation. As I tell folks every day, this is our focus. Our business is based upon the proper production of FIPS-compliant modules and their subsequent validation. Our customers reap the benefits of our work, and we succeed by scaling it, replicating our effort and leveraging our niche expertise for each client. CryptoComply is smooth and RapidCert accelerates the initial validation, but our customers have really appreciated the value of offloaded maintenance for the certificate. We talk a lot about the time, money, and effort with the traditional process, and the savings realized when using SafeLogic are growing. The delta is getting wider.

I scratch my head when a product manager boasts that they plan to roll their own crypto and get it validated. There are no bonus points for suffering in-house or for reinventing the wheel. When you hire consultants to complete a validation, you’re paying a premium for a single push, when the maintenance really is a constant effort. Consider those costs in time, money, and effort to complete your initial validation – and then add a multiplier for every revalidation you anticipate. It will be at minimum a quinquennial (every five years) project, and that’s if you’re lucky enough to avoid any other pitfall. The math doesn’t lie – the traditional path to FIPS 140-2 validation has become cost prohibitive. And if you’re pursuing Level 2 or Level 3, you still need a solid crypto module at the heart of the product. Using CryptoComply ensures that component meets the necessary requirements, again saving time, money, and effort.

CryptoComply is proven, again and again, to continually meet standards and retain its validated status with NIST. This is one of those situations where you don’t need to be creative. Choose SafeLogic, let us take care of the crypto, and you can get back to doing what you do best.

Written by Ray Potter

13 Dec 2016

RapidCert for CryptoComply | Java 3.0 Is Available!

CryptoComply | Java 3.0 is here!You may have noticed – SafeLogic has a new FIPS 140-2 certificate posted by NIST. Published on December 8th, it’s our CryptoComply | Java module, version 3.0! Fully compatible with Bouncy Castle’s recent FIPS API revisions and with a nice helping of SafeLogic’s secret sauce (yes, it’s orange), customers with Java deployments now have a natural upgrade path available with CryptoComply | Java 3.0.

Technical improvements over CryptoComply | Java 2.2 include a variety of bugfixes, a significant simplification of deployment, a single JAR that includes both approved FIPS mode and non-approved mode, and the promise of greater forward compatibility. Many of you are already aware of the technical benefits of Bouncy Castle’s latest release, and now SafeLogic’s CryptoComply offering includes RapidCert, which delivers your own FIPS certificate quickly. With a validation in your name and support from our technical staff, CryptoComply is a clear upgrade. See our Top 10 Reasons to Choose SafeLogic Over Open Source Encryption for more!

RapidCert is available NOW for CryptoComply | Java 3.0
License the software today and have a certificate in your name in 8 weeks.
It really is that easy.

Contact us immediately for a quote.

 

BlogFooterWalt3

2 Aug 2016

Why Should We Get Our Own FIPS Certificate?

Why Should We Get Our Own FIPS Certificate?After our big announcement with OpenSSL last week, we’ve had some interesting conversations with possible future SafeLogic clients. Several have asked pointed questions, like “Why should we get our own FIPS certificate, if OpenSSL will get one after all?” and “Why buy the cow when we can get the milk for free with open source?”

I love these questions. It tells me that our potential partners have a healthy dose of skepticism and really understand the need to extract value from their capital expenditures.

In a nutshell, the answer is: because your customers also have a healthy dose of skepticism and need to extract maximum value from their expenditures!

Let’s start at the beginning. Building early versions of your product with open source encryption, whether it’s OpenSSL or Bouncy Castle, is a smart move. Open source crypto provides functional, widely compatible, peer-reviewed cryptography and leaves your options open for future replacements. Locking into a proprietary module early in the development phase has proven to be problematic when it requires unique architecture. (RSA BSAFE is now defunct, of course.)

The problems begin when you leverage open source for FIPS 140-2. In order to properly deploy an open source FIPS module within conformance standards, you need to follow the exact recipe. That means having to follow the 221 page User Guide for the OpenSSL FIPS Object Module v2.0, for example. That’s a lot of work, only to be questioned by your own prospective customers. “Where is your FIPS certificate? Don’t you have one with your name on it?”

Luckily, that’s exactly what SafeLogic provides. You’re not dealing with a DIY effort with directions from the worst Ikea bookshelf you’ve ever built. You get strong technical support from the SafeLogic team, standing behind our CryptoComply modules. (No, we don’t just send you a massive PDF of directions.) And that elusive FIPS 140-2 certificate? RapidCert delivers it in just 8 weeks, explicitly displaying your company name and operating environments. “Just trust me” doesn’t belong in your salespeople’s vocabulary.

So when you’re selling to the federal government, financial institutions, healthcare providers, or other regulated industries, expect your customers to be skeptical of your open source usage. You also need to be cognizant of the competitive landscape. You do not want to be cutting off your nose to spite your face, saving a few bucks by skating on FIPS validation, only to lose deals to rivals carrying certificates. Invest in your product and win those head-to-head opportunities! We even have a Top 10 list of reasons to choose SafeLogic over open source.

The comic below is a humorous dramatization of a sales call going wrong, but your target customers (in the green cube) really just want confirmation that your company carries a FIPS 140-2 validation. No tricks, no technicalities, just a certificate on the NIST website. Real, valid, honest-to-goodness, easy to cross-reference and confirm.

Open source FIPS validations are important for the community to have. It’s a good starting point, and for some small companies it’s the best that they can access. Maybe it’s enough for you right now. But customers can’t nitpick if you have your own certificate, and that’s where SafeLogic knocks it out of the park. You won’t find an easier or faster way to add that FIPS 140-2 validation to your salespeople’s arsenal. We’ll be ready when you are.

[Click to enlarge.]Why Should We Get Our Own FIPS Certificate?

BlogFooterWalt3

19 Jan 2016

The CMVP Legacy List Returns

Last week, our blog featured information about the RNG issue identified for removal by NIST. It was written by Mark Minnoch, our new Technical Account Manager, and I’m totally pumped he’s joined the SafeLogic team. If his name is familiar, it’s because he used to lead the lab at Infogard and he’s a regular at the International Cryptographic Module Conference (ICMC) and other industry events. He also contributes to our company quota for follicle-challenged white guys over 6’5”, which is a severely under-represented demographic for us.

This week, I’d like to talk a bit about the other category of FIPS 140-2 certificates that have been slated for relocation to the archive list. These validations are doomed to begin expiring in January of 2017 and annually going forward for the most grave of offenses. Has a backdoor been discovered? No… Improper entropy seeding? Use of a non-approved algorithm? No, not those either. It’s because they hadn’t received an update within the last five years.

That’s right. The CMVP is now taking action and their plan is to simply chuck every certificate that doesn’t carry a validation date from recently enough. For reference, “quinquennial” is the official term which means “every five years”. I’m adding it to my list of relevant jargon for 2016.

twitter-graphic_Lock2This is the part where I remind you that SafeLogic doesn’t just provide a fantastic crypto module. We don’t just complete FIPS 140-2 validations in 8 weeks with RapidCert. We stick around! We offer free support for the first year, which includes integration, strategy and marketing assistance. Then we encourage customers to renew their support on an annual basis to take advantage of the patches that we provide upstream of our modules. Even better, smart clients opt for RapidCert Premium, which adds annual certificate updates. These reflect the newest release of iOS, for example, so that the validation is always in full compliance for the current version.

Now comes the part where I explain why this matters. FIPS 140-2 validation has always been a pain in the ass. The queue length spiked a few years ago due to increased demand, furloughs, agency shutdowns, lack of funding… pretty much everything that could go wrong, did go wrong. The queue has softened somewhat recently, thanks to renewed effort and a few Shark Weeks (you know… act like a predator, take no prisoners…) but it is still pretty diabolical and requires significant effort to survive the process. Now they are tightening the requirements and requiring updates on a five year interval, whether they’re actually necessary or not. The overhead needed to achieve validation has always been high, but now the maintenance needs are rising as well and revalidation is a real and ugly possibility.

It’s time to re-examine the costs associated with handling FIPS 140 validations in-house. Hiring a consultant once to push through the initial certificate has one set of calculations, but the days of “set it and forget it” validations are a thing of the past. Keeping those consultants on retainer for updates every five years (and likely much more often than that, to complete the now-frequent NIST changes) has the potential to destroy a budget. SafeLogic brings significant value to the table as we simply take care of it. We usher the original certificate through the CMVP, we maintain it for full perpetual compliance, and we guarantee that you won’t get removed from the validated list. It’s all part of your contract.

Whether your certificate is headed to the Legacy List or you’re planning a first foray into FIPS 140-2, contact our team immediately. The game has changed and SafeLogic has the answers you need. Whether you want to call it Validation-as-a-Service or Managed Certifications or something else… we call it RapidCert and it will save you time, money, stress and effort. I promise.

BlogFooterRay2

3 Dec 2015

Tackling the Federal Procurement Conundrum

Lt. Col. Scott Trail had a great editorial in National Defense magazine that I read recently. It was titled ‘How to Unlock Innovation at the Defense Department’. Coming from a Defense and Aerospace Acquisition Team Lead, this was an interesting topic to be sure.

He was a young man when he first submitted this proposal to the DoD.

He was a young man when he submitted that proposal to the DoD.

Trail delivered, as he didn’t pull any punches. He emphasized the need for speed and the real urgency of accelerating the schedule for procurement and deployment, lest we fall [arguably further] behind our global rivals. In fact, he asserts an opinion that we are spending too much time trying to make drastic improvements and we need to take a more agile approach.  Deploy and revise on a much shorter lifecycle, he says.  “Speed should be considered as a strategic enabler over fielding full capacity in a single step.”  While Trail uses helicopters and amphibious transports as the examples from his area of expertise, the concept extends to smaller technology and definitely applies to software.

In our sphere, we see engineering teams that are so accustomed to the legacy FIPS 140-2 process that they automatically peg it for a future release barely on the horizon. They expect hundreds of man-hours and months of aggravation. They figure that since it used to take a year to a year-and-a-half, nothing that they build during that waiting period really matters for federal procurement. As a result, we get federal-specific software releases that are obsolete before they even get a SKU assigned, because the supported platforms are so old. Why? Because those were the relevant operating environments when the FIPS effort began.

Bottom line – it’s all too often that the software offered to the public sector is either old or non-compliant. What a conundrum! The product is updated for private use – quickly, frequently and effectively – but hasn’t received the proper testing for federal deployment. Unhelpful. The product earmarked for government has been updated, but slowly, sporadically and it’s frankly irrelevant by the time it has been revved. This is not competitive and it doesn’t help anyone!

FederalGraphicEvery production version of your solution should be ready for federal procurement. That’s our philosophy. You should be able to move at the speed of business, not on a timeline set by testing labs and consultants. The company that will win is the one that is able to sell their current product [yes, the one that marketing has described as “bleeding edge” and “next gen”] in real-time to federal, in full compliance with procurement requirements on the actual operating environments that are being used. We will be in 2016 in the blink of an eye. The fact that this is still being regarded as the stuff of sci-fi is just sad. We can do it today.

I’m not saying that SafeLogic is saving America… but I am saying that faster FIPS 140-2 validation yields faster product iterations, faster acquisitions and faster deployments. Soldiers and bureaucrats have the same appetite for current technology. Let’s give it to them as soon as possible. THAT is what will benefit our nation… and your revenue numbers.

Contact us for information on our lightning fast RapidCert FIPS 140-2 validations and how we can keep your certificate perpetually updated.  We’re ready.

 

BlogFooterWalt2

21 Oct 2015

Worse than Frenemies

You’ve heard the term ‘frenemies’ before, right?  You most likely have if you’ve got kids past middle school, unfortunately.  It’s the mash-up of ‘friend’ and ‘enemy’ with the distinction defined in the helpful illustration below.

FrenemiesEnemies

Today’s blog post is a public service announcement – Beware of frenemies.  Many of us forget about this life lesson once we are adults and it can really sting.  Frenemies come in several flavors in the business world, but many are friend/competitors.  Maybe these should be called ‘frempetitors’.

Our prime example is Samsung and Apple.  They have been engaged in litigation since 2011, and yet Tim Cook’s braintrust thought it was a good idea to contract with Samsung to produce A9 processors for the iPhone 6S.  Samsung was even accused of engaging in corporate espionage to displace TSMC, who had been slated for the full order.  Even the most forgiving folks would have to be a little suspicious, right?

Now the kicker – Samsung’s version of the A9 chip has been benchmarked for worse heat dissipation and shorter battery life than the alternative version by TSMC.  Was this malicious?  Was Samsung actively trying to undermine the reputation of Apple’s new flagship phone?  Popular Apple-centric blog ‘Cult of Mac’ says maybe they are.  The fact that the two corporate giants have been locked in mortal combat in both the courtroom and for market share automatically throws a shadow on the developing situation.  Despite Apple’s public claims that the variance is only 2-3% and it won’t affect typical use, Samsung doesn’t get the benefit of the doubt, since they are the very definition of ‘frempetitors’.  I’d love to hear the internal discussions in Cupertino on the topic.

So why do you care?  Well, we’ve had a spike lately in inquiries from companies in a specific industry that have been using an encryption product from their frempetitor.  Yes, they licensed a crypto module from [company name redacted] even though they are competing head-to-head against that company’s flagship product.  This boggles my mind.  We’re not talking about complementary offerings, we’re talking about the exact same kind of Apple-Samsung clash of the titans but on a smaller battlefield.  Why would you trust this frempetitor?  It’s not like their product is so fantastic that you had no choice. It’s certainly not that their pricing was so incredible that you couldn’t afford to pass it up.  For comparison’s sake, it’s not even like they provide FIPS 140-2 validation services, Rapid or otherwise.  This is just a head-scratcher.

What happens when their module isn’t working properly or if it is proven to be vulnerable?  Will they step up and patch it in a timely manner?  Or will they prioritize their own products and customers first, and you’ll have to wait until they get around to it?

What if your crypto provider pulls your license in an effort to sidetrack your engineering team and cripple your momentum, because you’ve been taking market share from their primary offering?  Are you prepared to pivot quickly on your competitor’s whim?

Would you be concerned that you are relying upon an internal component that was designed by a competitor?  What if it slows down your product’s performance?  What if it includes tracking capabilities so that they can monitor your install base?

Paranoid?  Sure, but definitely within the realm of possible.

If you ran a restaurant, you would never purchase your ingredients from a competitive restaurant.  You’d rightfully assume that they would cherrypick the best produce, the best cuts of meat, the proverbial cream of the crop, and leave you the rest.

Would your boss/investors/shareholders/customers give you the benefit of the doubt in these scenarios?  Is choosing to work with a frempetitor ever a justifiable position in retrospect?

Skip the heartache and paranoia.  Don’t get stabbed in the back and don’t give a competitor the opportunity to be a part of your supply chain.

If you are currently using encryption provided by a company that would stand to gain from your troubles, contact us immediately and we’ll help you escape from this dysfunctional relationship.  If you are considering them, please think very carefully about it before you move forward.  I don’t promise never to say “I told you so”, but I do promise that SafeLogic will be ready to help when you’re ready.  Plus, we have better modules, greater compatibility and platform coverage, and RapidCert‘s lightning fast validation is just the cherry on top.  Choose wisely!

BlogFooterWalt2

6 Oct 2015

The Need for Speed

TopGunThe Miramar Air Show was this weekend, a highlight of the year for Southern Californians.  Bay Area flight enthusiasts will get their own dose of the Blue Angels this weekend at Fleet Week San Francisco, before the iconic jet team heads to Oahu and then closes their season with dates in Georgia and Florida.  I like to think that our San Diego event holds a special place in the hearts of these naval aviators, since Marine Corps Air Station (MCAS) Miramar was the setting for the film that still reigns #1 among pilots – Top Gun.  I could have walked up to any of the soldiers on the base and asked if they ‘felt the need for speed’ and gotten a high five, or asked if they had ‘lost that loving feeling’ and gotten serenaded.  Forget that Maverick and Goose first inverted to ‘keep up foreign relations’ years before this generation’s hotshot pilots drove a car, let alone flew a plane; Top Gun is still the most effective two hour recruiting tool in the Navy.

Bottom line – the air show was awesome.  My son had a blast (the Shockwave jet truck was a big hit) and I was left with the same patriotic awe and inspiration as years past.  I’m still thunderstruck by the engineering feats that we have achieved, as a country and as a species.

I’m also equally blown away by our continually jaw-dropping idiocy.  Chatting with one of the aforementioned millennial pilots (I’m no senior citizen, but this kid was definitely born during the Clinton administration), he told me that while some of his superiors had received iPads for flight plans, he had not.  When I pressed him, he admitted that he used his own personal iPad… with a handy app that he had downloaded from the App Store, of course.  I was flummoxed.  Yes, the app (which shall remain nameless) has an excellent reputation and yes, it has a specific setup for military usage, including a worldwide library of Department of Defense Digital Flight Information Publications (D-FLIP) terminal procedures, airport diagrams, enroute charts and publications.  Very handy.

But who is authorizing this?  Or rather, who is looking the other way on this?  I’m not suggesting that the app is corrupt (although they fail to include FIPS 140-2 validation).  I recognize that the pilots are supposed to download their relevant data before takeoff and disable cellular signal while in flight.  Good rules of thumb.  But how about that GPS chip in the tablet?  That’s a major tracking beacon that has not been officially sanctioned. Or what if someone has hacked the app and is enjoying a MITM attack, collecting all user destination data?  In that case, they could theoretically isolate the military users, even the type of plane and originating location.  Gee, that wouldn’t be helpful information at all.

top-gun-2iPads have been a huge boost to efficiency and modernizing the habits of pilots, both the military and civilian.  I’m not disputing that.  In fact, I’ve been a major advocate.  That doesn’t mean that unbridled BYOD is okay, let alone encouraged.  It’s a tight margin for error and it’s shrinking.  We need to address it, because it’s not just the 20-something pilots that want it yesterday already, it’s every customer, big and small.

New solutions are a balancing act and always have been.  We constantly have to be vigilant, weighing the advantages of the technology with the compromises that we recognize in the current version before we can feel comfortable deploying it in sensitive environments such as the military.  This is a recurring theme in our CEO’s talks nationwide at security and technology conferences.  It’s just not enough to build something better – it has to be secure.  And it’s not enough to build something secure – it has to be ready faster.  And if it’s secure and fast?  Yes, it’s gotta be better than what’s already out there.

As a technology vendor, you need to enter production faster.  Getting bogged down in the FIPS 140-2 process is a fools’ errand, but we definitely have it figured it out.  Build your product, add CryptoComply, move fast, beat your competitors, and win market share.

If you’ve got the need for speed, then you need RapidCert.

P.S. – Top Gun 2 is in the works, bringing back Tom Cruise as Maverick.  Seriously.

BlogFooterWalt2

12