How Cloudera Supports Government Data Encryption Standards

As part of our ongoing commitment to supporting Government regulations and standards in our enterprise solutions, including data protection, Cloudera recently introduced a version of our Cloudera Data Platform Private Cloud Base product (7.1.5 release) that can be configured to use FIPS-compliant cryptography. We have accomplished this significant improvement by supporting the deployment of the Cloudera Data Platform (CDP) Private Cloud Base on Red Hat Enterprise Linux (RHEL) and CentOS operating systems (OS) with FIPS mode enabled, as well as through the use of FIPS 140-2 validated encryption modules.

Created by the National Institute of Standards and Technology, the Federal Information Processing Standards (FIPS) are a set of standards for document processing, encryption algorithms, and other information technology uses. Adoption of FIPS is typically required for many Federal government agencies, as well as for government contractors and vendors who work with those agencies. As applied, FIPS are leveraged in several stringent government security compliance and accreditation mandates and frameworks, including FISMA, FedRAMP, and the DISA Security Technical Implementation Guides (STIG).

While encryption is essential to protect sensitive data, there is no one “right” way to encrypt information. Thus, the U.S. Government established FIPS 140 as a certification benchmark for validating the effectiveness of maintaining confidentiality and integrity in protecting government information. FIPS 140-2 specifies the security requirements that must be satisfied by a cryptographic module utilized within a security system protecting sensitive information.

A More Secure Data Platform

By facilitating use of FIPS 140-2 validated modules in CDP Private Cloud Base (CDP), and operating on an OS enabled for FIPS mode, Cloudera reaffirms its commitment to supporting customers who rely on our solutions to effectively manage public-sector data.

As specified by many of the compliance/accreditation mandates mentioned above, FIPS 140-2 is a core criterion for those who store and process federal data on computer systems. By adding support for CDP deployments on an OS configured for FIPS mode, and use of FIPS 140-2 validated modules, Cloudera seeks to enable our clients to meet fundamental federal requirements, using FIPS 140-2 validated cryptographic algorithms when handling data. It’s a way for our customers to not only operate securely, but to validate to compliance auditors and others that their data solutions meet the highest cryptographic standards.

Simply stated, these significant FIPS 140-2 feature enhancements to CDP Private Cloud Base enable customers who use our platform to improve conformance with their compliance/accreditation standards within their overarching information systems.

Bringing FIPS 140-2 to CDP Private Cloud

To bring broader FIPS 140-2 support to the CDP Private Cloud Base user community, Cloudera has licensed existing, supported, FIPS 140-2 validated modules from SafeLogic that have been approved through the NIST Cryptographic Module Validation Program (CMVP), and integrated them with the CDP Private Cloud Base platform.

SafeLogic provides strong encryption products for solutions in server, cloud, appliance, and IoT environments that are pursuing compliance with strict regulatory requirements. It offers drop-in FIPS 140-2 compliance with a common API across platforms and drop-in compatibility options for JCE (Java Cryptography Extension) providers (such as Bouncy Castle), OpenSSL, and other popular open source modules. Its solutions have been FIPS 140-2 validated on Linux and several other platforms.

The SafeLogic CryptoComply modules will be bundled (under separate license terms from other Cloudera software) with the CDP Private Cloud Base 7.1.5 release. They are provided as distinct downloads, separate from the Cloudera Manager (CM) or Cloudera Runtime/CDH RPMs/Parcels, via Cloudera’s authenticated repositories.

The SafeLogic CryptoComply modules available from Cloudera are as follows:

  • CryptoComply for Server (CCS) – OpenSSL RPMs
  • CryptoComply for Java (CCJ) – Java Cryptography Extension JAR
  • CryptoComply for Libgcrypt RPMs

Cloudera has integrated these FIPS-validated libraries with the CDP Private Cloud Base platform through installation and run-time configuration of the CDP Private Cloud Base platform components, where supported.

By bundling and integrating established FIPS 140-2 validated modules, Cloudera gives government agencies access to the power of an enterprise data cloud, assuring that their data management has already been vetted and validated for compliance with public-sector requirements and standards.

Cloudera for Government

At Cloudera, we recognize the complexities inherent in the government data mission. There are unique challenges involved in adopting a robust data architecture that can store, analyze, and manage massive amounts of government data. As the volume and variety of government data continue to increase, public-sector users need to identify data issues and remediate operational challenges to ensure maximum efficiency and effectiveness.

In this environment, security is a prime concern. By bringing broader FIPS 140-2 support to CDP Private Cloud Base, government agencies will be better able to address their data needs, secure in the knowledge that their efforts are supported by solutions that have been validated across government, and that meet the highest regulatory criteria for data encryption and security.

This is in keeping with our broader public-sector commitment. Through Cloudera Government Support, government customers have access to multiple levels of US-based support along their CDP journey — from initial design through deployment and ongoing maintenance and optimization. 

For public-sector customers and private-sector companies that interact with government data, Cloudera’s adoption of FIPS 140-2 validated cryptographic modules marks a significant opportunity for agencies seeking a data platform with enterprise-class security and governance, multi-function data analytics, an elastic cloud experience, and no silos or lock-in.

To review additional details on the FIPS features included in the CDP Private Cloud Base 7.1.5 release, please see the Installing and Configuring CDP with FIPS section in the Cloudera documentation.

Travis Ruebelmann
Principal Solutions Engineer