The Federal Information Processing Standard (FIPS) 140-2 is an important IT security benchmark and U.S. government standard issued by the National Institute of Standards and Technology (NIST). FIPS 140-2 validation is required for the sale of products with cryptography modules to the federal government.
With workers becoming increasingly distributed and operating outside a corporate office, it’s more important than ever to improve security and manageability around remote access. In a typical week, government/public sector organizations, on average, have 124 third-party vendors logging into their systems/network. With so many remote access points, and often, sub-optimal visibility, auditing, and security controls over this access, it’s only a matter of time before a weak link in remote access is compromised—either via an employee, or a third-party vendor. In early 2021, the world has already been shaken by a number of cyberattacks and breaches involving the government sector and remote access, including one brazen attack that attempted to poison a community’s water supply by leveraging a consumer-grade remote support tool.
BeyondTrust’s Secure Remote Access solution, comprised of our Remote Support and Privileged Remote Access products, has been awarded a Level 1 Federal Information Processing Standards Publication (FIPS) 140-2 validation for our Remote Support and Privileged Remote Access B300 appliance (physical or virtual). BeyondTrust has the only Secure Remote Access solution that meets the rigorous requirements of FIPS 140-2 Level 1. We believe this validation should give government agencies and other organizations further confidence in our ability to help them address their most challenging security and access needs.
In this blog, we will elaborate a bit more on why this validation is important, and what differentiates BeyondTrust’s Secure Remote Access solution versus alternative tools.
Background on FIPS 140-1 and How it Applies
To help address the increasing cybersecurity demands of the Federal sector and other critical sectors, the Federal Information Processing Standards Publication (FIPS) 140-2 validation became a requirement for cryptographic products/software used in a U.S. government agency network and other industries to establish a strong baseline for encryption to better protect sensitive data. As a result, programs such as FedRAMP, FISMA, DoDIN APL, Common Criteria, HIPAA and HITECH healthcare regulations inherit the dependency on FIPS 140-2 validation.
In 1995, NIST (the U.S. National Institute of Standards and Technology) and their Canadian counterpart CSE (Communications Security Establishment) teamed up to establish the mechanisms for testing and certifying that the FIPS 140 benchmark had been met. NIST and CSE employees staff the CMVP (Cryptographic Module Validation Program) and CAVP (Cryptographic Algorithm Validation Program), which cooperate with independent third-party testing labs. While the labs conduct functional testing, it is the CMVP that ultimately reviews the results and issues the FIPS 140 validation. This is the formalized certification/validation process adhered to today.
FIPS Compliance is mandatory for US government endpoints, which means that all computers used for government work must be FIPS compliant. Government/federal organizations, subsidiaries, and their contractors must ensure FIPS compliance as they handle information protected by federal government rules.
Highly regulated federal agencies are certainly not alone in seeking secure products they can trust to keep their data safe in accordance with the highest, and most modern standards and benchmarks. Thus, FIPS 140-2 has been widely adopted around the world in both the public and private spheres.
FIPS Validation vs FIPS Compliance – What’s the Difference?
Being FIPS compliant is the minimum standard that must be met for government endpoints. Being FIPS validated or certified demonstrates security that goes beyond that minimum. To be FIPS 140-2 certified or validated, the software (and hardware) must be independently validated by one of 13 NIST-specified laboratories.
On the other hand, FIPS compliant means that some, but not all, of the product has been FIPS validated. Therefore, you can have products on the market that might include some third-party FIPS-validated software and components, while the product as a whole is itself not FIPS validated.
FIPS Validation provides the highest level of confidence that the product meets the government’s rigorous security standards. It demonstrates a product has gone that last mile in working to truly harden the product’s security and eliminate risks.
As any highly security-conscious organization appreciates, we should never strive merely to meet the minimum standards; the most impactful security comes from going beyond them to truly address risk.
Defining Secure Remote Access
As a cybersecurity company, BeyondTrust takes a more robust approach to ensuring secure remote access, such as with remote support and privileged remote access solutions, than other vendors. This is readily apparent in both our solution capabilities and in the attainment of certifications and validations, such as FIPS 140-2.
BeyondTrust was the first vendor to introduce an appliance-based approach to remote support, which is also now available for our Privileged Remote Access product. Our patented deployment model - the Secure Remote Access Appliance - is a highly secure option for deploying our Secure Remote Access solutions. As of 2021, ours remain the only remote support and privileged remote access products to obtain FIPS 140-2 Level 1 validation for use in U.S. Government agencies and elsewhere, ensuring our customers’ data remains safe from the most sophisticated methods of intrusion.
Some other important security features and capabilities of BeyondTrust Secure Remote Access solutions include:
- Remote connection security: Every remote connection is outbound through Port 443, requiring no firewall changes. You can define permissions for every session, whether for attended or unattended access.
- Enforcement of least privilege: Applies granular permissions to manage teams, users, roles, and session permission settings. This helps ensure users stay productive and on task, while minimizing the threat surface.
- Session recording and auditing: Each BeyondTrust session is logged and auditable, creating a central repository for all remote access activity. The administrator can review every click and keystroke from each session within the organization for both auditing purposes and root cause analysis.
- Session Support & Management: Multiple session and access types are supported, including the BeyondTrust secure agent, RDP, SSH, VNC, BeyondTrust Advanced Web Access, and TCP with Protocol Tunneling.
- Credential Management: Included with Privileged Remote Access and Remote Support at no additional cost, the BeyondTrust Vault protects privileged credentials with discovery, management, rotation, auditing and monitoring for any privileged account. This includes everything from local or domain shared administrator accounts, to a user’s personal admin account, even SSH keys, cloud and social media accounts. The BeyondTrust Vault stores those credentials securely, retrieves them when needed and injects them directly into a session, without exposing them to end users. Users can’t compromise passwords they don’t know! Privileged Remote Access also integrates with BeyondTrust Password Safe to further mitigate the risks associated with credential theft or misuse and unmanaged access from third-party and internal users.
- Secure Advanced Web Access to Applications and Cloud Platforms: It is vital that privileged users (remote workers) have access to the tools and resources they need, regardless of where they are or what device they are using. Organizations can provide an additional layer of security to web/thick applications with our Privileged Remote Access product by providing internal and external remote users a simple, secure method to access their workstations, internal and cloud infrastructure, and web/thick applications from wherever they are. After the job is done, organizations have a detailed and complete audit trail regarding any remote access sessions.
Finally, because BeyondTrust’s Secure Remote Access solution can securely enable such a wide breadth of use cases, organizations can consolidate all their various remote access/support solutions and eliminate the need for VPNs for vendors and remote workers by leveraging the BeyondTrust solution enterprise-wide. This consolidation itself yields several security benefits through reduction of tool sprawl, while also eliminating overlapping costs and administrative inefficiencies.
With BeyondTrust remote access security, organizations can confidently connect from anywhere to anywhere, and securely connect to the devices, applications, and networks they need to access.
Addressing Your Remote Access Needs with Secure, FIPS Validated Solutions
Government agency systems throughout the world hold highly confidential information that needs strong protection to ensure it never risks falling into the wrong hands. The FIPS 140-2 Level 1 validation should give agencies, and private sector organizations that support government agencies, confidence that BeyondTrust Secure Remote Access can meet the security needs of the most demanding environments.
Learn More About BeyondTrust Secure Remote Access
BeyondTrust Secure Remote Access solutions enable organizations to apply least privilege and robust audit controls over both inbound and outbound remote access—for employees, vendors, and service desks. With BeyondTrust, service desks can quickly and securely access any remote device, running any platform, located anywhere. The solution also enables organizations to extend privilege management best practices to vendors and remote workers accessing their systems.
To learn how BeyondTrust Secure Remote Access solutions can help you address FIPS compliance issues or other secure remote access use cases, contact us today.
Julissa Caraballo, Product Marketing Manager
Julissa Caraballo is a Product Marketing Manager at BeyondTrust. She has over 10 years of experience in software product marketing and lead generation. Previously, Julissa worked as a Marketing Director for a medical management software company. She holds a BA in Business Administration/Marketing and an MBA in Healthcare Management. Her certifications include Certified Digital Marketing Manager, Pragmatic Marketing Certified and Certified Medical Practice Executive. She can be found on LinkedIn and all social media platforms.