Tetrate Service Bridge documentation (version: next)

FIPS Validated TSB

Tetrate Service Bridge (TSB) is now available as a FIPS-validated build. This build is designed for organizations seeking to enhance their security posture in alignment with U.S. federal government cryptographic standards.

Who Benefits from TSB FIPS?

The FIPS-validated build of TSB is particularly beneficial for:

  1. U.S. Federal Government Agencies: Organizations that are required to comply with federal information security standards.
  2. Government Contractors: Companies working on government projects that mandate FIPS compliance.
  3. Highly Regulated Industries: Sectors such as finance, healthcare, and defense that prioritize stringent security standards.
  4. Organizations with Strict Security Requirements: Any enterprise that aims to align its cryptographic practices with federal standards.

External Storage

The FIPS-validated build of TSB does not include external storage components such as Elasticsearch, PostgreSQL and Redis, because Tetrate cannot distribute FIPS-validated versions of these components. You need to bring FIPS-validated versions of them to your environment.

Getting Started

To begin using the FIPS-validated build of TSB:

  1. Obtain the FIPS-validated build of tctl.
  2. Use the FIPS-validated tctl to sync TSB FIPS images.
  3. Follow the installation guide specific to your chosen method: Helm or tctl.
  4. Configure any additional components as needed to ensure FIPS-compliant operation.
  5. For excluded components like Elasticsearch and PostgreSQL, bring FIPS-validated versions to your environment or use managed services that are FIPS-compliant.

Enabling Istio Strict FIPS Compliance Policy

You can enable Istio's strict FIPS compliance policy by setting the COMPLIANCE_POLICY environment variable to fips-140-2 in the Istio control plane deployment. Under this setting, the TLS version is restricted to 1.2, the cipher suites are narrowed down to ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-RSA-AES256-GCM-SHA384, and the ECDH curve is set to P-256. This ensures that all Istio gateways and proxies operate in a FIPS-compliant manner.

To set the COMPLIANCE_POLICY environment variable in the Istio control plane deployment, add the following overlay to the TSB ControlPlane CR or to the Helm chart values file. The overlay is keyed by revision, so repeat it for every revision in every isolation boundary that must run in FIPS mode.

spec:
  components:
    xcp:
      ...
      isolationBoundaries:
      - name: global
        revisions:
        - name: default
          istio:
            kubeSpec:
              overlays:
              - apiVersion: install.istio.io/v1alpha1
                kind: IstioOperator
                name: xcp-iop-default # Format: xcp-iop-<revision-name>
                patches:
                - path: spec.components.pilot.k8s.env[-1]
                  value:
                    name: COMPLIANCE_POLICY
                    value: fips-140-2
        # Add more revision overlays as needed
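Because the overlay has to be repeated per revision, a revision that is added later (or an overlay copied without renaming it to xcp-iop-<revision-name>) silently runs without the policy. The script below is an added example, not part of the TSB docs or product: it reads a ControlPlane CR as JSON (for instance the output of `kubectl get controlplane -o json`, an assumption about how you export it) and reports every revision that does not carry the COMPLIANCE_POLICY=fips-140-2 pilot env patch under the expected overlay name. The sample CR inside it is constructed for the demonstration.

```python
"""Lint a TSB ControlPlane CR (JSON) for the Istio strict FIPS overlay."""
import json
import sys

EXPECTED_ENV = {"name": "COMPLIANCE_POLICY", "value": "fips-140-2"}
PILOT_ENV_PATH = "spec.components.pilot.k8s.env[-1]"


def revision_has_fips_overlay(revision):
    """True if an IstioOperator overlay named xcp-iop-<revision> appends
    COMPLIANCE_POLICY=fips-140-2 to the pilot (istiod) container env."""
    want_name = f"xcp-iop-{revision['name']}"
    overlays = revision.get("istio", {}).get("kubeSpec", {}).get("overlays", [])
    for overlay in overlays:
        if overlay.get("kind") != "IstioOperator" or overlay.get("name") != want_name:
            continue  # wrong kind, or an overlay copied without renaming it
        for patch in overlay.get("patches", []):
            if patch.get("path") == PILOT_ENV_PATH and patch.get("value") == EXPECTED_ENV:
                return True
    return False


def find_noncompliant_revisions(controlplane):
    """Return '<boundary>/<revision>' for every revision missing the overlay."""
    xcp = controlplane.get("spec", {}).get("components", {}).get("xcp", {})
    return [
        f"{boundary['name']}/{revision['name']}"
        for boundary in xcp.get("isolationBoundaries", [])
        for revision in boundary.get("revisions", [])
        if not revision_has_fips_overlay(revision)
    ]


# Constructed sample CR: global/default carries the overlay from the page;
# dev/dev-stable reuses the global overlay name, so it must be reported.
FIPS_PATCH = {"path": PILOT_ENV_PATH, "value": dict(EXPECTED_ENV)}
SAMPLE_CR = {"spec": {"components": {"xcp": {"isolationBoundaries": [
    {"name": "global", "revisions": [{"name": "default", "istio": {"kubeSpec": {"overlays": [
        {"apiVersion": "install.istio.io/v1alpha1", "kind": "IstioOperator",
         "name": "xcp-iop-default", "patches": [FIPS_PATCH]}]}}}]},
    {"name": "dev", "revisions": [{"name": "dev-stable", "istio": {"kubeSpec": {"overlays": [
        {"apiVersion": "install.istio.io/v1alpha1", "kind": "IstioOperator",
         "name": "xcp-iop-default", "patches": [FIPS_PATCH]}]}}}]},
]}}}}

if __name__ == "__main__":
    # Usage: python3 check_fips_overlay.py controlplane.json (no file: use the sample)
    cr = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CR
    missing = find_noncompliant_revisions(cr)
    for item in missing:
        print(f"revision {item} has no COMPLIANCE_POLICY=fips-140-2 overlay")
    sys.exit(1 if missing else 0)
```

Run it against the sample and it reports dev/dev-stable, because the overlay there is named for the default revision rather than xcp-iop-dev-stable.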

Conclusion

The FIPS-validated build of TSB provides significant benefits for organizations with strict security requirements, particularly those needing to comply with U.S. federal government standards.

When implementing the FIPS-validated TSB:

  • Ensure your entire infrastructure, including external components and the underlying system, supports FIPS-validated operations.
  • Consider the Istio Strict FIPS Compliance Policy to maintain a consistent security posture across your service mesh.
  • Regularly audit and update your deployment to maintain FIPS compliance as standards and threats evolve.

Always assess your specific compliance needs and consult with your security team when implementing FIPS-validated solutions. For any questions or support needs, please contact our technical support team.