Keep it secret, keep it safe. When you want your digital storage to be encrypted, tamper-proof, and very hard to steal, you want the drive to have FIPS certification. The FIPS label means it complies with the Federal Information Processing Standards that delineate everything concerning government data security.
FIPS covers everything from access to buildings to personnel IDs, but we're going to focus on its application to digital storage — more specifically, the security standards that storage manufacturers must adhere to in order to sell their products to the U.S. government. FIPS is relevant to the corporate market, where data security is a major issue. FIPS certification also appeals to a certain segment of the consumer market. Why? Because spy stuff sells.
Narrow a FIPS discussion to data storage and you're talking mostly about FIPS 140 (the current version of which is 140-2, with 140-3 in the works). FIPS 140 lays down the guidelines and requirements for the physical security of cryptographic modules, such as those used in secure flash and mechanical hard drives. It's split into four levels to address security scenarios from the mild to the extreme. Some storage devices merely claim to meet FIPS 140 standards.
To avoid buying a product whose manufacturer has simply co-opted the name for marketing purposes, look for the phrase "FIPS 140-2 Level N Certified" that indicates that the product has undergone the rigorous and somewhat expensive certification process at an accredited testing lab.
FIPS 140-2 Level 1 specifies that a storage unit's cryptographic module can't be absurdly easy to access. That is, it can't be sitting on top of the device with an arrow pointing to it, or hidden beneath a panel that's secured by a single screw.
FIPS 140-2 Level 2 adds another layer of security: It specifies that role-based authentication be added to the access mix. There must be an administrator (a "crypto officer" in FIPS parlance) who is allowed full access to the configuration functions of the cryptographic module, restricted users who can use the device only for storage, and then maintenance access for IT admins who might be allowed only to format the drive.
Devices certified for this level must also provide a means for making it abundantly apparent that someone has physically tampered with a secure device's cryptographic module. By its very design, the device must show evidence that someone was mucking about with it. That could be by means of a cracked case, stripped fasteners, bent hinges, or what have you.
Most vendors shoot for Level 3 when FIPS-certifying their storage devices. This level of security requires measures to prevent any tampering with the device's cryptographic module, and rendering it inoperable if it's breached (thus making it impossible for anyone to access the data stored on the device). This can be accomplished by encasing the crypto module in epoxy, a welded metal case with intrusion detection, or something similar. Achieving Level-3 certification is generally enough to qualify a product for sale to most government agencies, and it easily meets the needs of the average consumer or corporation.
Sign up for Computerworld eNewsletters.