FIPS140

Glossary

「FIPS140」

This glossary explains various keywords that will help you understand the mindset necessary for data utilization and successful DX.
This time, let's think about what we need to consider in relation to the "safety and security" required for IT systems that support corporate activities.

What is FIPS140?

FIPS140 (Federal Information Processing Standards Publication 140) is a US federal standard related to security requirements for cryptographic modules established by the National Institute of Standards and Technology (NIST).
This standard compiles requirements that must be met by "cryptographic modules" included in equipment used by various agencies of the U.S. federal government. It is used in a variety of fields where safety and security are essential, such as when private companies procure IT systems.

"FIPS140" for safe and secure IT systems

The need for FIPS140 stems from the need to confirm whether an IT system is secure, which will become increasingly important in the future.

For example, information must be handled carefully in the IT systems of public institutions, government, and local government-related organizations. You wouldn't want your personal information to leak through your city hall's IT system, and there is also data, such as police investigation information, that needs to be managed properly for public institutions' own reasons. The use of IT in society will only continue to grow in the future, and it will become increasingly important for IT systems to be "built safely and securely."

Naturally, the situation here is the same in both Japan and the United States; IT systems in public institutions must be designed to be safe and secure. However, it is not easy to verify whether an IT system is properly designed to be safe and secure. For example, if you were asked to "check and determine whether this IT system is safe," you would probably have a hard time.

When outsourcing the creation of an IT system, it is not easy to determine what requirements to set and how to order so that a safe and secure IT system can be created. Even if you manage to organize the requirements somehow, technology advances every day, so the requirements for the IT system will change over time.

Safe and secure IT systems are needed
However, it is not easy to confirm whether an IT system is safe and secure.
The same is true when ordering an IT system; I don't know what requirements to write when ordering.

The situation is the same in private companies. For example, imagine you are in charge of ordering the development of your company's IT system. If you are told, "This system handles important data, so I want it to be built safely and securely," you will likely have the same concerns.

What tends to happen in such cases? You might consult with a major vendor that you think you can trust, but since you don't understand the complicated details, you might end up essentially leaving it to them. However, in this day and age, even major companies' IT systems are prone to accidents. If the IT system then experiences trouble, you might complain, only to be told that they cannot help you because the development was done within the scope of the contract (there was no such requirement in the development request), which can be a real problem.

What's wrong with this is that this tends to happen without some kind of objective "safety and security standard." This is why "FIPS 140" was established, which specifically clarifies what a safe and secure IT system (and its cryptographic module) must meet.

What is FIPS 140?

FIPS 140 was developed by the National Institute of Standards and Technology (NIST), a public research institute in the United States, in other words, by real experts. Rather than addressing the security of the entire IT system, it defines the parts of an IT system that handle encrypted data as "cryptographic modules" and specifies the requirements that these parts must meet.

It covers functions such as encrypting data to make it protected (converting plaintext data to ciphertext), restoring protected data to make it usable (reverting ciphertext to plaintext), and securely storing secret keys such as passwords for these purposes, as well as the encryption algorithms used in these functions.

In other words, FIPS 140 does not directly address other safety and security issues (such as preventing data from being leaked for other reasons, such as operator error during use). It also specifies requirements that must be met not only for software but also for hardware, and specifies the level of protection. Roughly speaking, these are as follows:

Level 1

It is required that specified secure encryption technology is used.

Examples of insecure technologies include cryptographic technologies for which attacks have been discovered and which no longer have the required strength (such as DES encryption), hash algorithms for which vulnerabilities have been discovered (such as SHA-1), and the use of encryption with key lengths that have become insecure due to improvements in computer computing power (such as RSA encryption with a key length of less than 2048 bits).

Highly secure encryption methods include the AES encryption, which is also defined as a standard encryption method by NIST and is the de facto standard for symmetric key encryption worldwide.

Level 2

It is required that systems are in place to detect breaches of security, such as systems that detect unauthorized access to protected areas, such as passwords and the data itself.

For example, by making it impossible to access the inside of the hardware without breaking a physical seal, it is possible to detect the possibility of data being read directly by checking the seal.In addition, even when accessing data through software, it is required to go through role-based authentication and to operate on an authenticated and secure OS.

Level 3

It is required to have a mechanism to prevent unauthorized access to protected areas.

For example, if there is a mechanism to automatically erase the confidential data stored on the hardware once the seal is broken and access is gained to the inside of the hardware, data breaches can be prevented.In addition, it is necessary to require ID-based authentication when accessing data, to encrypt and store passwords and encryption keys, and to separate the interface for inputting and outputting such important data from the interface for data input and output.

Level 4

Level 4 goes further than level 3, requiring systems to detect various potential attacks and automatically erase data.

How FIPS 140 can help

FIPS140 is of course useful if you want your company's IT system to be adopted by a US public institution, but it can also be useful in other ways.

This may be a requirement for system implementation in other fields as well.

FIPS 140 has also become the de facto standard in some private sectors. This is because, although there is a need for safety and security in each sector, it is difficult to establish safety and security standards independently for each sector. Instead, FIPS 140, which is already in use, is sometimes adopted. For example, compliance with FIPS 140 may be required in the financial and medical sectors.

It can be used as a means to promote your company's products and as a means to procure safe and secure IT.

If your company's products are FIPS 140 certified, you may be able to reduce the need to explain safety and security individually. If you use it as a selection criterion when ordering and procuring IT systems, you may be able to reduce the need to determine and check detailed requirements yourself. In other words, it can reduce the amount of work for both those who create IT systems and those who procure them.

It is regularly updated to keep up with the times

FIPS 140 is regularly revised and its requirements are revised to reflect changes in technology.

As of this writing, there are two versions of FIPS 140: FIPS 140-2 and the new FIPS 140-3, which came into effect in September 2019. FIPS 140-3 includes the exclusion of cryptographic algorithms for which vulnerabilities have since been discovered. It can be used as a standard to check whether your organization is keeping up with the times.

It can serve as a guide for developing secure systems.

FIPS140 is a document that specifically outlines what should be considered in order to create a safe and secure system, so you can use the detailed "things to do" as a guideline for your own system development.

Even if you try to develop a highly secure system in-house, it can be difficult to know what to do. We have briefly introduced what needs to be met at each level above, but those who have never thought of it before should find it instructive to learn about the perspective of being able to confirm that security is maintained by detecting intrusions, and the idea of automatically erasing data to prevent damage.

FIPS140 provides detailed descriptions of what must be met, so it can be used as a means to consider what you need to do to ensure a high level of security.

HULFT can be used as a means of explaining "safety and security" in Japan

There is something that could be used in Japan as a way to explain and achieve the same "safety and security" concept. The explanation is that we use the file sharing middleware "HULFT "as the underlying technology.

All Japanese financial institutions use it

Naturally, financial institutions' IT systems require a very high level of safety, security, and reliability. HULFT has a proven track record of being used by all Japanese financial institutions (all member companies of the Japan Bankers Association).

HULFT has been the de facto standard for file integration platforms in Japan's mission-critical system, core system for many years, with an overwhelming track record in fields that require safety, security, and reliability. Explaining that "we use HULFT" can be a way to convince customers that their systems are being built safely and securely.

Additionally, HULFT 's AES encryption function uses an AES encryption module that complies with FIPS140.

It now supports the latest IT and smoothly "connects" old and new IT.

HULFT has a long track record and is trusted. In other words, because it is a product that has been around for a long time, it may have the impression of being an old technology. However, it is now being adapted to the latest technologies, such as integration with the cloud and operation using containers in a microservices architecture.

As a result, it is also used as a means of freely combining new and old technologies, such as linking data on a mainframe with Amazon S3 on AWS.It also has a solid ability to handle mutual conversion processing with Japanese data on a mainframe (such as EBCDIC data including external characters), which is difficult to handle.

Furthermore, HULFT allows the old and new systems to be loosely coupled, allowing the data to be linked while the IT systems remain separate and operational.In terms of engineer skill sets, even in the common situation where mainframe engineers only know mainframes and engineers in charge of cloud services such as AWS have no knowledge of mainframes, data integration between the old and new IT systems can be achieved without any problems.

Related keywords (for further understanding)

File Linkage
- It is a means of communication that serves as the foundation for IT systems that support various corporate activities. When it comes to data handled in relation to business, especially when it comes to utilizing IT related to administrative processing and accounting, exchanging data in file format is very common.
MFT（Managed File Transfer）
- This is a collaboration platform that realizes file-based collaboration processing with a high level of "safety, security, and reliability" that can support business activities. It can be used as a means of realizing IT systems that require a high level of reliability, such as error-free operations and audit responses.
PCI DSS
- This is a security standard that the credit card industry requires to be adhered to in IT systems that handle cardholder information such as credit card numbers.
GDPR (General Data Protection Regulation)
- This is a regulation that stipulates what must be considered when handling "personal data" in the European Union (EU). It sets out what must be done to handle data in a way that respects human rights, as the EU sees it.

Are you interested in HULFT and file transfer (MFT)?

If you are interested, please try out the product that brings the world of file sharing to life.

The definitive MFT "HULFT"

Please try out HULFT, the pinnacle of domestic MFT products with an overwhelming track record in Japan and the de facto standard for file integration platforms.

It has an overwhelming track record, having been used for many years as the infrastructure for financial institutions that require the highest level of support for their IT systems. A world where all environments are connected by files can be created in an instant.

HULFT is now compatible with the latest IT environments, including integration with cloud services, and is used in situations where high performance is required, such as high-speed transfer of large files and transfer processing of large volumes of files.

The de facto standard for Managed File Transfer (MFT): Latest version

⇒ Learn about the mechanisms of file transfer through HULFT product introduction and online seminars

"HULFT WebConnect" enables safe and secure file transfer via the Internet

HULFT WebConnect is a cloud service that allows you to use HULFT 's safe, secure and reliable file transfer via the Internet.

You can achieve a solid enterprise-class file sharing method not only between your own company's locations, but also between overseas branches and business partners, all using just a regular Internet connection.

Transfers via HULFT can be made across the Internet.
Low cost as there is no need for costly dedicated lines or VPNs
Because it is a cloud service, you can start using it immediately without having to perform any operational work yourself.
The specifications are designed to be audit-friendly, such as not leaving any information on the transfer path.
There are functions that are designed for cases where communication partners are multiple companies.
- It has functions that can be used as a foundation for securely exchanging invoices, purchase orders, etc. with multiple business partners (including an easy-to-use dedicated client).