Join Log in
Score:4
JohnAndrews avatar Crypto

Why did Google Cloud accept a lower FIPS 140-2 Level compared to IBM Cloud?

th flag
JohnAndrews

FIPS 140-2 is a standard which handles cryptographic modules and the ones that organizations use to encrypt data-at-rest and data-in-motion. FIPS 140-2 has 4 levels of security, with level 1 being the least secure, and level 4 being the most secure.

Google Cloud has a lower level (level 3) compared to IBM Cloud (level 4). I wonder why Google choose to accept this lower level? I am assuming that Google made this decision consciously, and that the difference should not pose too much risk, as Google makes well informed decisions. But if that is so, what could have been the reasoning?

More importantly, if you were running a SaaS business in Finance that stores sensitive data, is this difference something you should consider whether to choose to move to IBM Cloud or Google Cloud?

Resources:

3144
0 + 0
Score:23
fgrieu avatar Crypto
ng flag
fgrieu

The question does an apple-to-orange comparison: Google's level-1 Certificate #3318 is for a "software library" , IBM's level-4 certificate #3410 is for a "PCIe Cryptographic Coprocessor Hardware Security Module". Software just can't get a level-3 or level-4 FIPS 140-2 certificate, because some boxes in the checklist (e.g. about detecting physical intrusion) just are not applicable to software.

And then the question takes these certificates for what they are not: certificates about the security of a cloud service. E.g. IBM Cloud is positively not certified to FIPS 140-2 level 4: perhaps it uses a gizmo that is, somewhere. Use of a gizmo (software or hardware) in a cloud service is not a satisfactory indicator of the security of said service anyway.

The rest of the question boils down to architectural choices of IT solutions, and perception of their security by decision makers on the basis of misapplied technical arguments. It's thus off-topic.

0 + 0
poncho avatar
my flag
poncho
Actually, it is impossible for a software library to get anything higher than 'FIPS level 1'; Google did the best that NIST rules allowed them to...
10
Reply
Swashbuckler avatar
mc flag
Swashbuckler
@poncho, actually, it's not. You can get level 2 with software (weird but true!). There's only one active one today: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3453, however there have been others in the past.
8
Reply
us flag
Sam Ginrich
"apple-to-orange", are there common agreed security measures like "risk in $"?
0
Reply
Score:7
Swashbuckler avatar Crypto
mc flag
Swashbuckler

Google (GCP) does provide level 3 with HSMs, see https://cloud.google.com/kms/docs/hsm. They apparently didn't get the validation in their own name.

0 + 0
Score:7
avatar Crypto
cn flag
A B

I wouldn't assume that a difference in chosen FIPS 140-2 levels tells you anything at all about the relative security of two systems.

FIPS 140-2 validation is controversial in the cryptography community. Generally people only implement it if they want to sell to U.S. Government customers who are required by law to comply with it.

Critics would say that FIPS 140-2 at best is redundant with modern security analysis, and at worst it actively harms security by making it more difficult to fix bugs or refactor cryptography libraries with improvements. (Any changes trigger revalidation, which costs time and money.)

From Matthew Green, a cryptographer at Johns Hopkins:

https://blog.cryptographyengineering.com/2012/01/02/openssl-and-nss-are-fips-140-certified/

Now, to be fair, nobody in either the OpenSSL project or Mozilla is claiming that FIPS compliance makes these libraries magically secure. I’m sure they not only know better, but they curse FIPS privately behind closed doors because it requires a whole lot of extra code in exchange for a dubious security benefit.

From Darren Moffat, who worked on implementing FIPS 140-2 validation for Solaris:

https://blogs.oracle.com/solaris/post/is-fips-140-2-actively-harmful-to-software

So should I run Solaris 11 with FIPS 140-2 mode enabled ?

My personal opinion is that unless you have a very hard requirement to do so I wouldn't...

0 + 0
Swashbuckler avatar
mc flag
Swashbuckler
A couple of points: 1) Actually, a lot of orgs like to hear that a product is FIPS compliant besides the US government. It's generally big players that do business with or are regulated by government, so states, big financials, etc. 2) Most customers will accept that the module in use isn't the one that was validated, so you can effectively fix bugs without revalidating - which is costly and time consuming (especially these days with COVID). Also, it's possible to construct a module where fixes don't have to be revalidated. See OpenSSL as an example.
1
Reply
Score:0
MAB avatar Crypto
us flag
MAB

GCP is using a third party OEM for their Cloud HSM, but they don;t provide any information publicly on who that vendor is (or at least not that I have found). That's how they can claim FIPS 140-2 level 3, without them actually being on the NIST list for certifications under their own name.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.