Encryption Module in EDB Postgres Earns FIPS 140-2 Validation

Author: Marc Linster
4/6/2018

U.S. government agencies and other organizations that require higher levels of security now have another green light on the road to open source. The Cryptographic Module Validation Program (CMVP), operated by the National Institute of Standards and Technology (NIST), has awarded a coveted FIPS 140-2 certification* to the EnterpriseDB Cryptographic Module, deployed in the EDB Postgres Advanced Server database.

This certification means the encryption in EDB Postgres is in full compliance with the Federal Information Processing Standards (FIPS) 140-2 standard, having been tested against that benchmark by a laboratory authorized by the government to make such determinations. Note that the validated boundary differs by platform: the EnterpriseDB Cryptographic Module provides FIPS 140-2 validated encryption in the distribution of EDB Postgres for Microsoft Windows, while Red Hat Enterprise Linux installations rely upon the RHEL OpenSSL FIPS-compliant module.

Having this certification on hand will spare a lot of work for DBAs at government agencies and other organizations that follow the stringent security standards of the U.S. government. For instance, organizations deploying software in U.S. Department of Defense environments need to ensure that their applications meet the information security requirements specified in the Defense Information Systems Agency (DISA) Security Requirements Guides (SRGs). The Database SRG contains several requirements mandating the use of FIPS 140-2 validated cryptographic modules. Until EDB achieved this certification, no Postgres distribution could meet these requirements for Postgres database instances deployed on Microsoft Windows.

With its cryptographic module now FIPS 140-2 validated, EDB Postgres becomes eligible for these deployments at an opportune time, as U.S. government agencies, working under multiple mandates, have been adopting open source software in greater numbers. This has included open source-based databases like EDB Postgres, and EDB has seen a sharp increase in government customers in recent years. In the United States alone, EDB works with over 400 Civilian, Defense, and Intelligence customers.

This trend is not limited to the U.S.: open source software mandates are a feature of governments in Europe and Asia as well, adopted to reduce spending, loosen the concentrated power of some vendors, and gain greater freedom from licensing limitations in order to encourage more innovation. Foreign governments often follow U.S. federal security standards and closely watch official ratings and certifications, as do local and state governments in the U.S.

For the FIPS validation, the lab evaluated the encryption module in EDB Postgres Advanced Server, the Postgres database that EDB enhances with enterprise-class performance, security, manageability, compatibility with Oracle, and developer features. The lab ultimately determined that the encryption module in EDB Postgres met the government’s criteria as set by the National Institute of Standards and Technology (NIST) in the FIPS 140-2 standard. NIST is the organization that established the Cryptographic Module Validation Program (CMVP) and accredits the laboratories charged with doing the evaluations through the National Voluntary Laboratory Accreditation Program (NVLAP).

The FIPS 140-2 certification is the second government green light for EDB Postgres Advanced Server. In July 2016, the Department of Defense (DoD) published a Security Technical Implementation Guide (STIG) for EDB Postgres Advanced Server. This made EDB the first provider of an open source-based database to have a STIG published for its core product offering.

Working with EDB, the DoD's Defense Information Systems Agency (DISA) evaluated EDB Postgres against the U.S. government's stringent security requirements. The agency developed the guide to define how EDB Postgres could be deployed and configured to meet security requirements for government systems.

Like the STIG, the FIPS 140-2 certification has eliminated a significant amount of legwork an agency would otherwise be required to undergo in order to demonstrate that EDB Postgres meets security requirements. Armed with this latest certification, governments and other security-minded organizations can be certain that EDB Postgres is delivering the government standard for security.

Marc Linster is Senior Vice President, Product Development, at EnterpriseDB.


*A Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments.