Online backup software maker Asigra announced that it has attained Federal Information Processing Standard (FIPS) 140-2 certification, a security bar set higher than normal for the rapidly evolving cloud computing industry. FIPS 140-2 primarily certifies that the cryptographic module an application or software component relies on meets a defined set of security requirements.
Asigra said the certification was a rare bird in cloud computing, where security and privacy remain huge concerns. The certification of its "agent-less" backup application was intended to be a hedge against the booming cloud market and give it a leg up on competitors.
"It's an important feature for Asigra to deliver to their partners and their partners' customers," said Lauren Whitehouse, senior analyst for Enterprise Strategy Group.
She said it would help partners sell into compliance-heavy markets and let users point to something concrete. "End-users can demonstrate that they are, in fact, compliant with security and privacy regulations," Whitehouse said.
Will FIPS 140-2 make a difference?
Users in general, however, may not be terribly impressed by the credential.
Jonathan Ezor, professor of law, director of the Institute for Business, Law and Technology (IBLT) at the Touro Law Center in New York and a practicing lawyer, said he's always concerned about security but doesn't put much stock in a certification.
"Certification itself can only go so far: I find some value in it, but unless I know the certifying agency and its reputation well, it's little more helpful than the statements of the vendor itself," he said in an email.
Ezor said that he relies instead on common sense and proven track records to trust a product's security.
He said flaws in encryption schemes were usually brought to light the hard way, and he'd prefer to watch the kinks get worked out rather than be a guinea pig.
"I am also concerned and skeptical when I see a new product or service that claims to provide safety via encryption, especially when it comes to online backup services," he said.
Gartner says certification has substance
According to Dave Russell, a vice president of research at Gartner, the certification has teeth. He said it was more meaningful than a hosting or cloud provider passing a SAS 70 Type II audit, since FIPS 140 certifies how specific parts of an application actually function rather than periodically ticking off a checklist of security measures.
"There's no question that this is an expensive and time consuming and hopefully fairly accurate assessment," he said.
Asigra passed Level 1 of FIPS 140-2, which attests that the software's encryption technology functions as advertised but does not rule out any other kind of security flaw. The certification is common throughout the software industry -- Microsoft maintains FIPS 140-2 validation for many of its core cryptographic components, for instance -- but it's not a silver bullet for security.
Finding holes in FIPS 140-2
Heise Security researcher Juergen Schmidt recently highlighted a FIPS 140-2-certified encryption module used on many "secure" USB flash drives that was essentially worthless: while the data on the drives was encrypted, the query that granted access to a drive used a mechanism that was easy to decode. The drives were certified at FIPS 140-2 Level 2, a more stringent level than Asigra's certification.
Russell said that it's more about having a quantifiable "proof point" for Asigra that the company can use to put its software on a higher level than its competitors in the cloud computing marketplace. General backup and storage competitors routinely get the FIPS 140 seal of approval; CommVault obtained one in the middle of last year. But in the freewheeling cloud computing space, it's rare. That's partly because it's not trivial.
"It costs a pretty penny and it takes a couple of years to get your [software] application approved and validated," said Eran Farajun, executive vice president for Asigra. He called the process byzantine and like a "black box."
Farajun said Asigra turned over a good deal of intellectual property to Security Industry Automation Corp. (SIAC), including encryption keys, the source code for a full code review and so on, and SIAC kept much of the process a secret.
"It's very Soviet-like: you send stuff in, you don't know exactly what they're doing," he said.
Even so, he thinks it was worth it, and said with the near total lack of security benchmarks for cloud computing, FIPS 140 was a solid first step. He also expects to see other providers follow suit as they try to coax wary enterprises out into the cloud.
"[Enterprises] want a third-party vetting process and they don't want to be guinea pigs," he said.
Farajun cautioned that the certification, or any certification, was no substitute for real security. He didn't want to make more of Asigra's certification than necessary. All it really means is that Asigra's software properly secures traffic in and out of the application. That's a nice talking point, but a far cry from complete cloud security.
"[Users] will always have this sense of a lack of security no matter what certificates [are presented]," he said. "There's a larger puzzle here and there will always be pieces in the middle that are unknown."
Carl Brooks is the Technology Writer at SearchCloudComputing.com.