FIPS Validated TSB

Tetrate Service Bridge (TSB) is now available as a FIPS-validated build. This build is designed for organizations seeking to enhance their security posture in alignment with U.S. federal government cryptographic standards.

Who Benefits from TSB FIPS?

The FIPS-validated build of TSB is particularly beneficial for:

1. U.S. Federal Government Agencies: Organizations that are required to comply with federal information security standards.
2. Government Contractors: Companies working on government projects that mandate FIPS compliance.
3. Highly Regulated Industries: Sectors such as finance, healthcare, and defense that prioritize stringent security standards.
4. Organizations with Strict Security Requirements: Any enterprise that aims to align its cryptographic practices with federal standards.

External Storage

The FIPS-validated build of TSB does not include external storage components like Elasticsearch, PostgreSQL and Redis. You need to bring FIPS-validated versions of these components to your environment. This is because Tetrate cannot distribute FIPS validated versions of these components.

Getting Started

To begin using the FIPS-validated build of TSB:

1. Obtain the FIPS-validated build of tctl
2. Use the FIPS-validated tctl to sync TSB FIPS images.
3. Follow the installation guide specific to your chosen method: Helm or tctl.
4. Configure any additional components as needed to ensure FIPS-compliant operation.
5. For excluded components like Elasticsearch and PostgreSQL, bring FIPS-validated versions to your environment or use managed services that are FIPS-compliant.

Enabling Istio Strict FIPS Compliance Policy

You can enable Istio's strict FIPS compliance policy by setting the COMPLIANCE_POLICY environment variable to fips-140-2 in the Istio control plane deployment. Under this setting, the TLS version is restricted to v1.2 and the cipher suites suites are narrowed down to ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, and ECDH curves is set to P-256. This ensures that all Istio gateways and proxies operate in a FIPS-compliant manner.

To enable the COMPLIANCE_POLICY environment variable in the Istio control plane deployment, add overlay to TSB control plane CR or Helm chart values file.

tip

If you use Isolation Boundary, you need to set IstioOperator name to xcp-iop-<revision-name>

spec:
  components:
    istio:
      kubeSpec:
        overlays:
        - apiVersion: install.istio.io/v1alpha1
          kind: IstioOperator
          name: tsb-istiocontrolplane
          patches:
          - path: spec.components.pilot.k8s.env[-1]
            value:
              name: COMPLIANCE_POLICY
              value: fips-140-2

Conclusion

The FIPS-validated build of TSB provides significant benefits for organizations with strict security requirements, particularly those needing to comply with U.S. federal government standards.

When implementing the FIPS-validated TSB:

• Ensure your entire infrastructure, including external components and the underlying system, supports FIPS-validated operations.
• Consider the Istio Strict FIPS Compliance Policy to maintain a consistent security posture across your service mesh.
• Regularly audit and update your deployment to maintain FIPS compliance as standards and threats evolve.

Always assess your specific compliance needs and consult with your security team when implementing FIPS-validated solutions. For any questions or support needs, please contact our technical support team.