6 Replies Latest reply on Apr 12, 2012 11:10 AM by mr____

    FIPS 140-2

    taylorsharpe

      I sure hope one of these minor updates brings FileMaker into FIPS 140-2 compliance (as of 11.0 v3 we are not). I know we already have AES-256 cipher and I assume FileMaker is working on SSL to TLS. I know it is a boring subject to most people, but when you have to fill out security plans, it leaves a bit of a hole sometimes and gives reason to the enterprise guys to knock FileMaker. Granted this is a lot better than most "web" solution front ends to SQL databases out there, but it is just one of those hurdles. Then again, maybe I'm one of the few people having this issue with security plans.

        • 1. Re: FIPS 140-2
          Norsult

          Could you please elaborate a little? Or do you want this to be an experts only post? What is FIPS 140-2?

          • 2. Re: FIPS 140-2
            taylorsharpe

            FIPS is the Federal Information Processing Standard developed by NIST, the National Institute of Standards and Technology here in the US. FIPS 140-2 is a particular standard for accrediting cryptographic software. I understand FileMaker has submitted its AES 256-bit encryption scheme for accreditation. My understanding is that FM uses SSL, which is being phased out and replaced by TLS, and I can only assume FileMaker is making this change to meet the new security standards. Officially these standards only apply to US Gov't computers, but industry, academia, and other countries often cite or adopt these standards for their own use. As security continues to grow as a serious concern on the Internet, it becomes all the more important for FileMaker to keep up to be competitive. FileMaker has made a vast improvement in security since version 6, and version 7+ pretty much uses industry standards for authentication and encryption. This really helps with my clients when they compare FileMaker to other database software. Additionally, FileMaker has made encryption implementation really easy: it is just a check box in the server admin. This is much easier than all of the certificate management work required in most database server software.

            • 3. Re: FIPS 140-2
              Norsult

              Thank you, Taylor.

              • 4. Re: FIPS 140-2
                mr____

                The last post to this topic was 9/11, today is 4/12.

                Is FileMaker 11.x or 12.x FIPS 140-2 security compliant now, 6 months later?

                I just left a meeting where I had to tell the client that I have a redundant, secure, collaborative $10,000 solution (hardware and software) built, sitting right here on the table in FMSA, that I have to recommend you do not use, although it is ready now to begin testing and pre-deployment, and instead you really need to spend $500,000+ now to reproduce it in an external virtual SQL Server 2008 R2 and (forgive me) SharePoint 2010 because they are FIPS 140-2 compliant, and I need to mention the ongoing maintenance fees and that it will take 6-18 months from today.

                With Blowfish 2.x at our disposal, and multi-factor security, is FMSA compliant? Has it cleared the NSA certification hurdles? What momentum is behind pushing that paperwork? Where do we stand today on this status?

                There may be valid and market-specific reasons why that is not going to happen. I need to very accurately guide my clients. I do not want to walk into a room and have to say the above again. It made everyone in the room look stupid, including myself.

                Mike

                • 5. Re: FIPS 140-2
                  taylorsharpe

                  FileMaker uses a 256-bit AES cipher, which meets government specifications, including up to top secret, for FIPS 140-2. But you are only specifically 140-2 compliant if the software company applies to a NIST-accredited Cryptographic Module Testing laboratory for testing and receives a certification. It does mean that a security plan can be amended with lots of extra work to show it is compliant. But it is much easier on the federal dept/agency to have the product listed as FIPS 140-2 compliant. I know there is cost associated with it and it may be that FileMaker has decided the cost isn't worth the benefits. But I know if they want to exist in the US Government arena, then they really need to get certified. Let's hope they do.

                  • 6. Re: FIPS 140-2
                    mr____

                    Update: I found this, which indicates Apple is moving forward on FIPS 140-2 certification for the iPhone and iPad.

                    http://searchconsumerization.techtarget.com/Apple-seeks-to-better-iPad-iPhone-security-via-FIPS-140-2-compliance

                    Mike