Storage for spies: How the FIPS standard makes data extremely hard to steal

Encrypted. Tamper-proof. When you need seriously secure digital storage, check the device's FIPS rating. Here's everything you need to know.

Keep it secret, keep it safe. When you want your digital storage to be encrypted, tamper-proof, and very hard to steal, you want the drive to have FIPS certification. The FIPS label means it complies with the Federal Information Processing Standards that delineate everything concerning government data security.

FIPS covers everything from access to buildings to personnel IDs, but we're going to focus on its application to digital storage--more specifically, the security standards that storage manufacturers must adhere to in order to sell their products to the U.S. government. FIPS is relevant to the corporate market, where data security is a major issue. FIPS certification also appeals to a certain segment of the consumer market. Why? Because spy stuff sells.

Narrow a FIPS discussion to data storage and you're talking mostly about FIPS 140 (the current version of which is 140-2, with 140-3 in the works). FIPS 140 lays down the guidelines and requirements for the physical security of cryptographic modules, such as those used in secure flash and mechanical hard drives. It's split into four levels to address security scenarios from the mild to the extreme. Some storage devices merely claim to meet FIPS 140 standards.

To avoid buying a product whose manufacturer has simply co-opted the name for marketing purposes, look for the phrase "FIPS 140-2 Level N Certified" that indicates that the product has undergone the rigorous and somewhat expensive certification process at an accredited testing lab.

Security Strata

FIPS 140-2 Level 1 specifies that a storage unit's cryptographic module can't be absurdly easy to access. That is, it can't be sitting on top of the device with an arrow pointing to it, or hidden beneath a panel that's secured by a single screw.

FIPS 140-2 Level 2 adds another layer of security: It specifies that role-based authentication be added to the access mix. There must be an administrator (a "crypto officer" in FIPS parlance) who is allowed full access to the configuration functions of the cryptographic module, restricted users who can use the device only for storage, and then maintenance access for IT admins who might be allowed only to format the drive.

Devices certified for this level must also provide a means for making it abundantly apparent that someone has physically tampered with a secure device's cryptographic module. By its very design, the device must show evidence that someone was mucking about with it. That could be by means of a cracked case, stripped fasteners, bent hinges, or what have you.

Most vendors shoot for Level 3 when FIPS-certifying their storage devices. This level of security requires measures to prevent any tampering with the device's cryptographic module, and rendering it inoperable if it's breached (thus making it impossible for anyone to access the data stored on the device). This can be accomplished by encasing the crypto module in epoxy, a welded metal case with intrusion detection, or something similar. Achieving Level-3 certification is generally enough to qualify a product for sale to most government agencies, and it easily meets the needs of the average consumer or corporation.

Level 4 adds the ability to withstand environmental attacks, such as in high temperatures and voltages that might be used in an attempt to compromise the crypto module. It's not meant to protect the device from monsoons or tornadoes. Staring down heat and high voltage is tough work, and achieving that level of protection adds a great deal of cost. FIPS 140-2 Level 4 is extreme overkill for consumers and even most businesses.


The FIPS standards we've covered so far apply to the protection of the device's cryptographic module. FIPS 197 describes the actual means of encryption. You don't hear much about FIPS 197 because it morphed into the Advanced Encryption Standard (AES). AES-128, AES-192, and AES-256. The numbers identify the length of the encryption key in bits: The longer the key, the stronger the encryption.

If you see AES listed as an encryption method on the storage device you're considering, you're looking at a FIPS 197 product. A host of other encryption algorithms are available, and with the NSA known to have supported many open source security projects (SSL, PGP, etc.) it's conceivable that a FIPS 197 device might be your better option. Just sayin'.

Do you need FIPS-certified storage?

As I mentioned earlier, most vendors get FIPS 140 certification so they can sell their products to the government. Unless you're protecting extremely sensitive information that a sophisticated criminal would go to great lengths to obtain, you'll be well served by a plain ol' hard drive and one of the free and readily available encryption programs such as... well, I was going to say TrueCrypt, but controversy has swirled around the limited version released by its developers before shutting down the project. That said, by all reports the 7.1a and older versions work as well as they ever did.

Tempests in teapots aside, Microsoft's BitLocker drive encryption (included with the Pro and Ultimate versions of Windows 7, and the Pro and Enterprise versions of Windows 8) will do the trick, and most non-FIPS-certified drives come with viable encryption software. Though pricey, Jetico's BestCrypt is the real deal, and the choice of many governments.

But if you must have (or simply want) something that's relatively hassle-free and basically un-hackable in the real world, go with FIPS 140-2 Level 3-certified hardware.

Join the CSO newsletter!

Error: Please check your email address.

Tags storagesecuritybecaencryption

More about AdvancedAdvanced Encryption StandardMicrosoftNSAPGPStrata

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jon L. Jacobi

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place