By -

To FIPS or Not to FIPS?

As I was preparing to write this post, I took a nostalgic look at CTERA’s debut announcement from 2009, where we announced the world’s first cloud storage gateway at the Las Vegas Consumer Electronics Show (CES). The gateway back then was a cute plug-like gadget (see image to the right) designed for small businesses and home offices. Never could I imagine that an advanced incarnations of the same technology would be powering some of the world’s largest government and defense organizations.

We’ve come far since then. Today we’re announcing that CTERA has received FIPS 140-2 validation from the U.S. federal government. That’s a great milestone for CTERA, and excites me because it allows us to further expand our presence in the federal and defense sectors.

Let’s take a look at what it means to be FIPS 140-2 certified. In short, it’s a security standard used to approve software and hardware products, ensuring their encryption meets well-defined requirements strong enough for securing sensitive government data. The FIPS 140-2 standard is recognized by the U.S. and Canadian governments as well as the European Union. All U.S. federal government agencies, as well as contractors and service providers who work with the U.S. government, are required to comply with FIPS 140-2. This standard is also widely sought after by regulated industries and a variety of public and private organizations.

Now, notice that I’ve said we received validation. Many vendors say they are FIPS 140-2 compliant. There’s a dirty little secret here:  This is not the same as saying they are FIPS 140-2 certified or validated. Those vendors take a shortcut by saying they are ‘compliant,’ while in fact their products did not pass the rigorous validation by a federally-authorized lab, a process that I can tell you first-hand is expensive, time-consuming, and not so easy to pass. So – if your vendor claims to be FIPS 140-2 verified, ask to see their certificate to ensure you’re really dealing with a federally-trusted organization.

To sum this up, the new certification is further validation (pardon the pun) of the CTERA platform’s ability to stand up to the rigorous data security and privacy requirements of the world’s most secure organizations. While I cannot mention the names of the agencies we are working with today due to federal regulations and security measures, I can tell you that CTERA is now powering the file services of various military/defense, and civilian branches within the U.S. federal government, in addition to some of the world’s most security-conscious organizations in the U.S. and abroad.

As usual, if you have any questions about CTERA’s product or about our FIPS validation, feel free to contact me via the CTERA website.