FIPS is for Private Enterprise, Too
September 23, 2008 Alex Woodie
It used to be that the collection of data security and interoperability standards known as the Federal Information Processing Standards (FIPS) was used primarily by companies holding contracts with the federal government. Not anymore. According to host emulation and integration software provider Attachmate, which recently obtained FIPS validation for a new release of its Verastream Host Integration product, private enterprises without government contracts are also looking for the FIPS seal of approval.
The federal government created the FIPS program in the late 1960s to ensure that governmental agencies and contractors doing business with the government adhere to a set of standards with their computer systems and software products. The standards were hashed out and published when there were no other wider industry standards to apply to a particular problem or situation. As industry standards catch up or technologies change, the FIPS are withdrawn.
The FIPS rolls are like a timeline of the advance of technology. Take one of the first, FIPS 13, for example. Titled “Rectangular Holes in Twelve-Row Punched Cards,” it was first published in 1971 and eliminated as a requirement in 1996 (presumably when the last punch card machine was retired from operation). In 2001, the government added FIPS 197, or the Advanced Encryption Standard (AES), which has become the standard-bearer for strong computer encryption. Along the way, FIPS have dictated standards for everything from the dimensions of magnetic tape and syntaxes for COBOL, BASIC, and FORTRAN to the functioning of optical character recognition (OCR).
FIPS validation has long been a required hurdle for the vendors that make the computer components and software programs used by federal agencies and companies holding government contracts. However, in this day and age of information insecurity and increased regulation, companies doing no business with the government are seeking out FIPS-certified products as a way of protecting their data and their reputations.
Ron Nunan, senior product manager for Attachmate, says he was surprised at the warm reception for Verastream Host Integrator version 6.6, which achieved FIPS validation for the first time. Verastream enables organizations to expose legacy business logic in S/390s, AS/400s, and other host systems using the latest .NET, Java, and SOA Web services standards.
According to Nunan, FIPS validation in Verastream’s cryptographic libraries could end up boosting the product’s sales. “Surprisingly enough, I was traveling through Europe in June and talking with several large clients over there. I mentioned that this is one of the upcoming capabilities of the product, thinking it didn’t have a lot of play in Europe,” he says. “But the response I got was quite the opposite.”
Not only are companies without U.S. government contracts looking to the FIPS validation as a good indication of strong security capabilities, but European companies see the value in it, too. The surprising finding makes sense when viewed through the lens of today’s security concerns.
“Large firms around the globe are very sensitive to making sure their data is secure,” Nunan says. “There’s a lot of liability with letting data out unintentionally. Many of these companies do business with the U.S. in some form or another. And having validation and a certain cryptographic and security level is tremendously important to large enterprise shops, which is demographically who we target for this product.”
It wasn’t easy to get the FIPS validation, but it was worth it, says Tom Bice, Attachmate’s director of product marketing. “It’s a pretty strenuous, time-consuming, extensive process to go through. But it’s a door you have to go through,” he says. “Not to belittle Windows Server 2008 validation (another new feature in Verastream 6.6), but compared to FIPS it’s night and day.”
Bice adds that, with the exception of IBM, none of the host integration software vendors that compete with Verastream have achieved FIPS validation. “To our knowledge,” he says.
Another important new feature in Verastream 6.6 is the team modeling capability. This enhancement will make it easier for larger groups of developers to work together on Verastream projects in two ways: multiple developers can work on the same project simultaneously, and elements of older projects can be reused in new integration projects.
Nunan says these two features reflect the growing maturity of the service oriented architecture (SOA) approach to application integration and modernization at larger organizations. “Now that the projects are becoming more enterprise in nature, they’re having teams of developers,” he says. “And the amount of work that goes into a single project can be so large that you need to salvage pieces of it. Just one part of a project today might be the size an entire project used to be three years ago.”
Version 6.6 also brings deeper support for pertinent Web services standards, including the group controlled by the Web Services Interoperability Organization, or WS-I. Meeting these standards is important for customers utilizing Verastream as part of a larger SOA strategy.
For example, one of Attachmate’s customers, the Los Angeles Times, is using Verastream to expose business processes on an S/390 mainframe as Web services, which are then coordinated and managed using IBM’s Business Process Execution Language (BPEL) server products and other WebSphere-branded business process management (BPM) products. “That handoff between the Verastream and IBM environments is transparent,” Nunan says. “Interoperability standards are being met.”
Attachmate is perfectly happy to let IBM get all the BPM and BPEL glory, Bice says. “We are very committed and will continue to be on providing integration solutions for mainframe host systems,” he says. “We have no intention or desire to broaden beyond that into ESBs [enterprise service busses] or EAI [enterprise application integration] or other middleware solutions. Our goal is to continue to do what we do best, which is focused on where we have built up our experience and skills set over last 27 years now.”
Verastream Host Integrator version 6.6 also gains support for 32-bit and 64-bit .NET clients. Licenses for the software, which was officially launched yesterday, start at about $55,000. For more information visit www.attachmate.com.
This article has been corrected. Ron Nunan’s correct title is senior product manager. IT Jungle regrets the error.