Score:4

Why did Google Cloud accept a lower FIPS 140-2 Level compared to IBM Cloud?

FIPS 140-2 is a standard which handles cryptographic modules and the ones that organizations use to encrypt data-at-rest and data-in-motion. FIPS 140-2 has 4 levels of security, with level 1 being the least secure, and level 4 being the most secure.

Google Cloud has a lower level (level 3) compared to IBM Cloud (level 4). I wonder why Google chose to accept this lower level? I am assuming that Google made this decision consciously, and that the difference should not pose too much risk, as Google makes well-informed decisions. But if that is so, what could have been the reasoning?

More importantly, if you were running a SaaS business in Finance that stores sensitive data, is this difference something you should consider when choosing whether to move to IBM Cloud or Google Cloud?

Resources:

Score:23

The question does an apple-to-orange comparison: Google's level-1 Certificate #3318 is for a "software library", IBM's level-4 certificate #3410 is for a "PCIe Cryptographic Coprocessor Hardware Security Module". Software just can't get a level-3 or level-4 FIPS 140-2 certificate, because some boxes in the checklist (e.g. about detecting physical intrusion) just are not applicable to software.

And then the question takes these certificates for what they are not: certificates about the security of a cloud service. E.g. IBM Cloud is positively not certified to FIPS 140-2 level 4: perhaps it uses a gizmo that is, somewhere. Use of a gizmo (software or hardware) in a cloud service is not a satisfactory indicator of the security of said service anyway.

The rest of the question boils down to architectural choices of IT solutions, and perception of their security by decision makers on the basis of misapplied technical arguments. It's thus off-topic.

poncho
Actually, it is impossible for a software library to get anything higher than 'FIPS level 1'; Google did the best that NIST rules allowed them to...
Swashbuckler
@poncho, actually, it's not. You can get level 2 with software (weird but true!). There's only one active one today: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3453, however there have been others in the past.
"apple-to-orange", are there common agreed security measures like "risk in $"?
Score:7

Google (GCP) does provide level 3 with HSMs, see https://cloud.google.com/kms/docs/hsm. They apparently didn't get the validation in their own name.

Score:7
A B

I wouldn't assume that a difference in chosen FIPS 140-2 levels tells you anything at all about the relative security of two systems.

FIPS 140-2 validation is controversial in the cryptography community. Generally people only implement it if they want to sell to U.S. Government customers who are required by law to comply with it.

Critics would say that FIPS 140-2 at best is redundant with modern security analysis, and at worst it actively harms security by making it more difficult to fix bugs or refactor cryptography libraries with improvements. (Any changes trigger revalidation, which costs time and money.)

From Matthew Green, a cryptographer at Johns Hopkins:

https://blog.cryptographyengineering.com/2012/01/02/openssl-and-nss-are-fips-140-certified/

Now, to be fair, nobody in either the OpenSSL project or Mozilla is claiming that FIPS compliance makes these libraries magically secure. I’m sure they not only know better, but they curse FIPS privately behind closed doors because it requires a whole lot of extra code in exchange for a dubious security benefit.

From Darren Moffat, who worked on implementing FIPS 140-2 validation for Solaris:

https://blogs.oracle.com/solaris/post/is-fips-140-2-actively-harmful-to-software

So should I run Solaris 11 with FIPS 140-2 mode enabled ?

My personal opinion is that unless you have a very hard requirement to do so I wouldn't...

Swashbuckler
A couple of points: 1) Actually, a lot of orgs like to hear that a product is FIPS compliant besides the US government. It's generally big players that do business with or are regulated by government, so states, big financials, etc. 2) Most customers will accept that the module in use isn't the one that was validated, so you can effectively fix bugs without revalidating - which is costly and time consuming (especially these days with COVID). Also, it's possible to construct a module where fixes don't have to be revalidated. See OpenSSL as an example.
Score:0
MAB

GCP is using a third party OEM for their Cloud HSM, but they don't provide any information publicly on who that vendor is (or at least not that I have found). That's how they can claim FIPS 140-2 level 3, without them actually being on the NIST list for certifications under their own name.
