The announcement of Veeam Kasten for Kubernetes V7.0 at Red Hat Summit 2024 brings over 30 new features and enhancements, including the addition of Federal Information Protection Standard (FIPS) for federal sector customers. Kasten also adds Azure Sentinel support.
Understanding FIPS Compliance
When implemented properly, FIPS can lock your data up tighter than Fort Knox. With the latest release, Veeam Kasten can be installed in FIPS mode, which was designed to comply with the latest FIPS standards. Customers can activate FIPS mode by using a set of Helm configuration values (specified below) during installation. To learn more about FIPS 140-3, please refer to the NIST website.
Think of FIPS 140-3 as the most recent version of a rule book for keeping digital secrets safe. This rule book is meant to help U.S., Canadian, and other governmental organizations ensure that the secure technologies they use are up to the task. But what does that mean, exactly?
Imagine sending a top-secret message to a friend. You wouldn’t want anyone else to be able to read that secret message, right? FIPS outlines the requirements needed for cryptographic modules to maintain the confidentiality and integrity of information and data both in transit and at rest. Think of cryptographic modules as an unbreakable code that only you and your friend can decipher. This means using robust data encryption and secure key management practices, which is particularly important for organizations that operate in highly regulated industries or governmental sectors. To learn more, visit NIST’s Compliance FAQs.
Technical Implications of FIPS
For those interested in the technical details, let’s take a closer look at the modules Kasten uses. Security is not just about Kasten; it’s about your entire Kubernetes environment. You would not want to share a secret with a friend on the main stage at a concert in pig Latin, because everyone would be able to try to decode it. Someone in the audience is likely going to understand the cypher and figure out your secret. Instead, you would want to ensure that your secret is only shared in a private room where just you and your friend are present, with no one else listening. Kasten utilizes OpenSSL for its implementation of cryptographic primitives and algorithms, provided by Red Hat’s Universal Base Image (UBI). This cryptographic module is currently listed as being “in review” by NIST’s Cryptographic Module Validation Program. By incorporating OpenSSL, the Red Hat UBI, and aligning its implementation with Red Hat Compliance recommendations, Kasten can ensure compliance with FIPS 140-3 security requirements.
Kasten has been extensively tested and verified with Red Hat OpenShift, ensuring seamless integration between the two platforms. By using Kasten with Red Hat OpenShift, customers can benefit from enhanced security and compliance features that are necessary to protect critical data in FIPS-compliant environments. While Kasten’s FIPS mode can be activated in other environments, it may necessitate additional testing and configuration to ensure your cryptographic module’s compliance. However, Kasten is continuously exploring opportunities to support additional Kubernetes distributions in the future.
Enabling FIPS Mode for Kasten
Alright, now that you have some background on what FIPS is and why it is important, let’s discuss how to enable Kasten in FIPS-compliant mode. It’s quite simple to do this with the Helm installation of Kasten. You just need to include a new argument with all the necessary values set in a file. The main addition is fips.enabled = true, along with some other settings that turn off non-compliant features. Don’t worry, this can be simplified by specifying a reference to our fips-values.yaml file. During initialization, Kasten generates encryption keys through configured encryption algorithms. This means that FIPS algorithms must be enabled during the initial installation. For a more detailed walkthrough of the installation process, please refer to our documentation.
helm install k10 kasten/k10 \
--namespace=kasten-io \
--values=https://docs.kasten.io/latest/fips/fips-values.yaml
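Because the encryption keys are generated at first install, it is worth checking before running the command above that the node is in FIPS mode and that the values file really sets fips.enabled to true. The script below is an added example, not Kasten's or Veeam's own tooling; the function names are hypothetical, and it assumes a locally saved copy of the values file written in block-style YAML with a top-level fips: key.

```shell
#!/bin/sh
# Added example (not Kasten's own tooling): preflight checks to run before
# `helm install`, since encryption keys are generated at first install.

# Return 0 if the Linux kernel FIPS flag reads 1. The path can be overridden
# so the check can be pointed at a copy of the flag file.
kernel_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] && [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Return 0 if the Helm values YAML on stdin sets fips.enabled to true.
# Assumption: block-style YAML ("fips:" at column 0, "enabled: true" as a
# direct child). Any other layout fails closed.
values_fips_enabled() {
    awk '
        /^[^ \t#]/ { in_fips = ($0 ~ /^fips:[ \t]*(#.*)?$/); child = 0; next }
        in_fips && match($0, /^ +/) && $0 !~ /^ *(#|$)/ {
            if (!child) child = RLENGTH      # indent of the first child key
            if (RLENGTH == child && $0 ~ /^ +enabled:[ \t]*true[ \t]*(#.*)?$/) found = 1
        }
        END { exit !found }
    '
}

# Usage: preflight VALUES_FILE [FLAG_FILE]
# Returns 1 if the kernel is not in FIPS mode, 2 if the values file does not
# enable FIPS, 0 if both checks pass.
preflight() {
    values_file="$1"
    kernel_fips_enabled "${2:-/proc/sys/crypto/fips_enabled}" ||
        { echo "node kernel is not in FIPS mode" >&2; return 1; }
    values_fips_enabled < "$values_file" ||
        { echo "$values_file does not set fips.enabled: true" >&2; return 2; }
    echo "preflight ok: safe to run helm install with --values=$values_file"
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

Save the file from the URL above locally, run the script against it on a cluster node, and pass that same local copy to --values so the file that was checked is the file Helm applies.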
By adhering to FIPS 140-3 standards, Kasten is not only a market leader in Kubernetes data protection but is also leading the way for cloud native data security. Veeam Kasten is the first Kubernetes-native data protection solution that supports FIPS-enabled clusters. In addition to Kasten’s availability on Platform One Iron Bank and published Software Bill Of Materials (SBOM), FIPS 140-3-compliant support ensures rigorous compliance standards for federal and public sector environments, but can also be leveraged by enterprises to ensure they have the highest level of security for their implementation. Next time you hear about FIPS and cryptography, hopefully you can speak to why it’s important to keeping data (and secrets) safe. (And perhaps while useful, maybe consider a stronger cryptographic cypher than pig Latin when discussing secrets with your friend.)
Stay secure, stay savvy, and keep exploring the exciting world of data protection, friends! Feel free to reach out to me on LinkedIn if you would like to talk about data security or anything security.