Compliance is a primary consideration for the enterprise. From privacy to corporate governance to business practices and standards, regulation impacts so many aspects of corporate activity that it is a challenge for businesses just to keep up. Many organizations, such as those in the healthcare and financial sectors, are subject to so many types of regulation on so many levels that selection of IT infrastructure – with both the flexibility and security to fully meet requirements – has become crucially important. As such, Array products and solutions are designed to both enable and maintain compliance across a broad range of industry and governmental regulations.
Federal Information Processing Standards (FIPS) Compliance
Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that describes US federal government requirements that IT products should meet for sensitive, but unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST), has been adopted by the Canadian government's Communication Security Establishment (CSE), and is likely to be adopted by the financial community through the American National Standards Institute (ANSI).
The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from the lowest Level 1 to the highest Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC) and self-testing.
Level 1: The lowest level of security. No physical security mechanisms are required in the module beyond the requirement for production-grade equipment.
Level 2: Tamper-evident physical security or pick-resistant locks. Level 2 provides for role-based authentication. It allows software cryptography in multi-user time-shared systems when used in conjunction with a C2 or equivalent trusted operating system.
Level 3: Tamper-resistant physical security. Level 3 provides for identity-based authentication.
Level 4: Physical security provides an envelope of protection around the cryptographic module. It also protects against fluctuations in the production environment.
Array Networks uses the highest-performing NIST FIPS 140-2 Level 2 certified cards in the APV6600FIPS application delivery controller as well as in the AG1500FIPS secure access gateway.