mar 2019
Blog Casa

What level of FIPS 140 do you need for your Encrypted USB flash drive?

Security features aren’t free. It’s somewhat counter-intuitive, but the right security level for you is the lowest one which meets your needs. So it’s important for you to identify those needs before you investigate products.

You need to consider security for just about every buying decision. Like everything else, security is a cost/benefit trade-off, and few types of data need top-of-the-line security features.

In the case of simple devices, like a USB drive, the only practical concern is that the drive could be lost or stolen and the data on it exposed. The best way to deal with this is by making sure that the drive uses hardware-based encryption and enforces the use of strong passwords. Another consideration is to set up a device-level central management program. Drilling down on the Secure USB drives, often times buyers place a high level of importance on the FIPS (Federal Information Processing Standards) certification level without having a clear understanding what these levels actually mean.

FIPS 140-2 describes security requirements for all types of hardware cryptographic modules. The specification defines four different security levels which may be met by conforming products, from level one to level four. Level one is the lowest, and it provides a moderate set of security features. Level four is the highest level, with the most stringent requirements for self-defense and other security characteristics. Levels two and three provide gradations of these requirements and form an often appealing middle ground. A For many device types, including USB Flash drives, the effective differences between levels are small and often irrelevant. Few users need security features which meet level 3 and many don’t need level 2. Many government contracts require certification of specific FIPS levels, for instance for wireless devices or encrypted hard drives. But if there is no requirement there may also be no need. In fact, many users’ security needs are satisfied by devices which don’t even have a FIPS certification. USB drives, for example, may not have a FIPS certification, but may still have enterprise-grade hardware encryption, central management and hardening against physical tampering.

Let us take a look at what FIPs certification levels are for USB drives. For drives that are certified at level two, if someone tries to physically open the drive, it will show evidence of tampering. In level three drives, this goes one step further and requires that the encryption “keys” to unlock the data are destroyed if someone tries to physically get into the drive.

What do you really get with the higher level of FIPS certification? The first thing you’re guaranteed to get is added cost, if only because the product has required additional in-company and outside testing. You may also pay for high-end security features that your users do not require. For level 3, your device may have different internal wiring to prevent someone from using special hardware to try and identify passwords being passed. Is this really a problem you need to pay extra to prevent? Level 3 will also assure you of a higher level of protection against electromagnetic interference (EMI) and compatibility. These standards are mostly designed to prevent interference with radio-frequency equipment like wireless networks and cordless phones, but as a security matter emissions from such devices can sometimes be used to read the data in use on them; hence the more stringent EMI standard required by higher FIPS levels. Should you pay anything extra for such protection?

Cracking the data out of even a non-certified encrypted drive is hard, and within the capabilities of few people. It would take considerable effort, more than anyone would expend to read a drive they found on the street.

Is your data worth that kind of effort? If you are storing high-value, highly-confidential data then perhaps it is. If not, and if you’re not mandated to buy a certain level of security features, then paying for additional protection is unwarranted.