FIPS 140-2 Compliance

The Alloy Navigator family of products uses cryptographic modules and data transmission protocols that have been validated to meet the FIPS 140-2 standards.

FIPS Background

FIPS (Federal Information Processing Standard Publication 140-2) is a series of standards specified by the United States Government for approving cryptographic software.

The FIPS standards specify the best practices and security requirements for implementing cryptographic algorithms and encryption schemes, handling important data, and working with various operating systems and hardware, whenever cryptography-based security systems have to be used to protect sensitive, valuable data. FIPS defines specific methods for encryption and specific methods for generating encryption keys that can be used.

FIPS compliance is mandatory for US government computers, which means that all computers used for government work must be FIPS compliant. Government and federal organizations, their subsidiaries, and their contractors must ensure FIPS compliance because they deal with information protected by federal government rules.

Alloy Navigator and Information Security

The following sections explain the specific details of security provisions implemented in Alloy Navigator.

Installation

  • All system components can be installed on FIPS enabled systems.
  • All web modules can be installed on Microsoft IIS (Internet Information Services) with the FIPS enabled group policy, along with the appropriate digital certificates and ciphers.

Encryption

FIPS compliant cryptographic ciphers are used to protect sensitive information.

Data storage and database server

  • All data can be encrypted using FIPS compliant ciphers (SQL Server).
  • Data transmission between the database server and client applications supports FIPS compliant SSL/TLS ciphers, e.g. RSA_3DES_SHA1.
  • Additionally, Alloy Navigator uses FIPS compliant AES-256 ciphers for protecting account credentials.

Communication with external systems

Email – Communication with IMAP and SMTP servers supports the FIPS compliant TLS 1.2 protocol.

API – The HTTPS protocol with FIPS compliant ciphers can be used for access to the API.

User access

Alloy Navigator employs a role-based user permission system to prevent access to sensitive information.

Alloy Navigator supports Windows Authentication. When hosting Alloy Navigator's components on a FIPS enabled system, SQL authentication mode must be disabled. FIPS compliant Windows Authorization must be used.

Data transmission between web consoles and the back-end supports the HTTPS protocol with FIPS compliant ciphers.

Specific protocols and data encryption methods

| Protocol, data type | Persistent Storage | Cipher |
|---|---|---|
| User account passwords for remote computer audit | Database | AES-256 |
| Access Key for Desktop Console user authentication | Database, system registry | AES-256 |
| SQL Server connection | | Up to TLS 1.2 |
| SMTP, POP3, IMAP4 for email communication | | TLS 1.1, possibly TLS 1.2 |
| MAPI for email communication | | Up to the newest TLS |
| EWS for email communication | | Up to the newest TLS |
| Database connection string for web modules | web.config | AES-256 |
| Account credentials for various automated jobs and email access | Database | AES-256 |
| Import Wizard: Login and Password for ADO source | Profile file | AES-256 |
| Encrypted data fields | Database | AES-256 |
| Active Directory authentication | | Kerberos, and possibly NTLM |
| Active Directory channel encryption | | SSL/TLS |

Please feel free to contact us if you have any questions or concerns regarding the use of the Alloy Navigator family of products in a FIPS-compliant environment.