Canonical, Ubuntu Linux’s parent company, claims to be the most popular operating system on private and public clouds. They have a reason for that boast. In The Cloud Market’s latest analysis of cloud operating systems, Ubuntu dominated the Amazon Elastic Compute Cloud (EC2) Linux market-share numbers. And, as we all know, Amazon Web Services, with 40.8% of the public cloud market, according to Gartner, has the lion’s share of the public cloud. Now with FIPS 140-2, Level 1 certification for its cryptographic modules, Ubuntu seems destined to get more customers.
Why? Because FIPS 140-2, for those of you who aren’t big on security or haven’t chased after government contracts, is a National Institute of Standards and Technology (NIST) standard for software and hardware cryptographic modules. If you want to sell a service or servers to United States federal government departments and agencies or their contractors that work with secure data, you must have FIPS certification. All of these are required to run workloads with FIPS 140 validated cryptography.
FIPS is also required by many other governments. It has been adopted outside of the public sector as well, in industries where data security is heavily regulated, such as financial services (PCI-DSS) and healthcare (HIPAA).
Now, Level 1 is the lowest level of security. It means that basic security requirements for a cryptographic module have been met. Operating systems that meet this criterion are suitable for low-level security applications even when other security controls, such as physical security, network security, and administrative procedures aren’t present.
It may not sound like much, but it is. It takes a minimum of 6 to 9 months to earn a FIPS 140-2 certification. And, if there’s any failure in the testing along the way, too bad. You must start all over again from the beginning. The vast majority of users require only FIPS 140-2 Level 1 security.
Specifically, Ubuntu has received the FIPS 140-2, Level 1 certification for its cryptographic modules in Ubuntu 20.04 LTS, including OpenSSL 1.1.1. This certification is built on Canonical’s track record both in designing Ubuntu for high-security and regulated workloads and in passing the certification tests.
To obtain FIPS status, NIST and third-party labs don’t merely test the code. They test only approved combinations of hardware and Ubuntu. That means you’ll need an Ubuntu Pro or Ubuntu Advantage account to get the FIPS 140 certified cryptographic packages. The Ubuntu Pro and Ubuntu Advantage packages are validated on common CPU types and are also available for use on the public cloud with Ubuntu Pro FIPS. The packages, without the hardware clearances, aren’t, in and of themselves, FIPS 140 compliant.
Of course, you could do it yourself, but becoming FIPS 140 compliant is a challenging task. Validating the cryptography involves a long and expensive process that requires cryptography expertise and involves reviews from a third-party lab and NIST. All of these introduce costs and complexity that may delay your launch. Thus, for almost all software developers who want to ship on time and reduce validation costs and time, it makes more sense to use the Ubuntu validated standard open source packages.
Dr. Nikos Mavrogiannopoulos, Canonical’s Product Manager for security, said in a statement that “With the new FIPS 140-2 validation, we can continue to deliver the security requirements that our government, finance, and healthcare clients trust to implement the most secure open-source software to power their infrastructure.”
What all this means for you as a developer or a company owner is that if you want to deploy a solution to a security-conscious customer, this new FIPS 140 approved Ubuntu Linux may be just what you need.
Amazon Web Services is a sponsor of The New Stack.