FIPS 140-2 Compliance

The Alloy Navigator family of products uses cryptographic modules and data transmission protocols that have been validated to meet the FIPS 140-2 standards.

FIPS Background

FIPS (Federal Information Processing Standard Publication 140-2) is a series of standards specified by the United States Government for approving cryptographic software.

The FIPS standards specify the best practices and security requirements for implementing crypto algorithms, encryption schemes, handling important data, and working with various operating systems and hardware, whenever cryptographic-based security systems have to be used to protect sensitive, valuable data. FIPS defines specific methods for encryption and specific methods for generating encryption keys that can be used.

FIPS compliance is mandatory for US government computers, which means that all computers used for government work must be FIPS compliant. Government and federal organizations, their subsidiaries, and their contractors must ensure FIPS compliance because they deal with information protected by federal government rules.

Alloy Navigator and Information Security

The following sections explain the specific details of security provisions implemented in Alloy Navigator.

Installation

  • All system components can be installed on FIPS-enabled systems.
  • All web modules can be installed on Microsoft IIS (Internet Information Services) with the FIPS-enabled group policy, along with the appropriate digital certificates and ciphers.

Encryption

FIPS-compliant cryptographic ciphers are used to protect sensitive information.

Data storage and database server

  • All data can be encrypted using FIPS-compliant ciphers (SQL Server).
  • Data transmission between the database server and client applications supports FIPS-compliant SSL/TLS ciphers, e.g. RSA_3DES_SHA1.
  • Additionally, Alloy Navigator uses FIPS-compliant AES-256 ciphers for protecting account credentials.

Communication with external systems

Email – Communication with IMAP and SMTP servers supports the FIPS-compliant TLS 1.2 protocol.

API – The HTTPS protocol with FIPS-compliant ciphers can be used for access to the API.

User access

Alloy Navigator employs a role-based user permission system to prevent access to sensitive information.

Alloy Navigator supports Windows Authentication. When hosting Alloy Navigator's components on a FIPS-enabled system, SQL authentication mode must be disabled. FIPS-compliant Windows Authorization must be used.

Data transmission between web consoles and the back-end supports the HTTPS protocol with FIPS-compliant ciphers.

Specific protocols and data encryption methods

Protocol, data type                                             | Persistent Storage        | Cipher
----------------------------------------------------------------+---------------------------+----------------------------
User account passwords for remote computer audit                | Database                  | AES-256
Access Key for Desktop Console user authentication              | Database, system registry | AES-256
SQL Server connection                                           |                           | Up to TLS 1.2
SMTP, POP3, IMAP4 for email communication                       |                           | TLS 1.1, possibly TLS 1.2
MAPI for email communication                                    |                           | Up to the newest TLS
EWS for email communication                                     |                           | Up to the newest TLS
Database connection string for web modules                      | web.config                | AES-256
Account credentials for various automated jobs and email access | Database                  | AES-256
Import Wizard: Login and Password for ADO source                | Profile file              | AES-256
Encrypted data fields                                           | Database                  | AES-256
Active Directory authentication                                 |                           | Kerberos, and possibly NTLM
Active Directory channel encryption                             |                           | SSL/TLS

Please feel free to contact us if you have any questions or concerns about using the Alloy Navigator family of products in a FIPS-compliant environment.