Can Strong Encryption Work in the Cloud?

Earlier this year, NIST (the National Institute of Standards and Technology) released a new publication, entitled Cloud Computing Synopsis and Recommendations, which describes in detail the current cloud-computing environment. It explains the economic opportunities and risks associated with cloud adoption and openly addresses the security and data privacy challenges involved with cloud use. NIST makes numerous recommendations for commercial organizations and government agencies considering the move to the cloud, including a strong case for uniform management practices in the data security and governance arenas.

The report highlights several reasons why cloud-based SaaS applications present heightened security risks. To offset those threats, NIST’s recommendation on cloud encryption is clear-cut: organizations should require FIPS 140-2 compliant encryption to protect their sensitive data assets. This should apply to stored data as well as application data, and for federal agencies it is a firm requirement, not simply a best practice or recommended guideline.

What does FIPS 140-2 validation mean? An encryption vendor whose cryptographic module attains this validation attests that its solution:

- Uses an approved algorithm,
- Handles the encryption keys appropriately, and
- Always handles the data to be encrypted in a certain way, in a certain block size, with a certain amount of padding, and with some amount of randomness so the ciphertext can’t be searched.
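The list item on block size, padding and randomness can be seen with Node.js's built-in `crypto` module. This is an added example, not code from the article or from any FIPS-validated product; the key, the sample records and the function names are constructed for illustration, and it compares AES-256-ECB (no randomness) with AES-256-CBC using a fresh random IV per record.

```javascript
// Added example: key, records and function names are constructed for illustration.
const crypto = require('crypto');

const BLOCK = 16; // AES block size in bytes, for every key length

// No randomness: AES-256-ECB takes no IV, so equal plaintexts encrypt identically.
function encryptDeterministic(key, plaintext) {
  const c = crypto.createCipheriv('aes-256-ecb', key, null);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
}

// Randomness: AES-256-CBC with a fresh random IV per record, stored in front of
// the ciphertext. PKCS#7 padding (Node's default) fills the last block.
function encryptRandomized(key, plaintext) {
  const iv = crypto.randomBytes(BLOCK);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}

function decryptRandomized(key, blob) {
  const d = crypto.createDecipheriv('aes-256-cbc', key, blob.subarray(0, BLOCK));
  return Buffer.concat([d.update(blob.subarray(BLOCK)), d.final()]).toString('utf8');
}

// Number of distinct ciphertexts in a stored column. Fewer distinct values than
// records means anyone who can read the store can tell which records are equal.
function distinctCount(ciphertexts) {
  return new Set(ciphertexts.map((b) => b.toString('hex'))).size;
}

function demo() {
  const key = crypto.randomBytes(32); // constructed throwaway key
  const records = ['alice@example.com', 'bob@example.com', 'alice@example.com'];
  const det = records.map((r) => encryptDeterministic(key, r));
  const rnd = records.map((r) => encryptRandomized(key, r));
  return {
    deterministicDistinct: distinctCount(det), // repeated record is visible
    randomizedDistinct: distinctCount(rnd),    // every ciphertext differs
    paddedLengths: rnd.map((b) => b.length - BLOCK), // multiples of BLOCK
    roundTrip: decryptRandomized(key, rnd[0]),
  };
}

console.log(demo());
```

CBC as used here provides confidentiality only; a deployed design would also authenticate the ciphertext.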