The Federal Information Processing Standards (FIPS) are a set of benchmarks and guidance established by the U.S. National Institute of Standards and Technology (NIST) to govern document processing, encryption algorithms, and other technology in use by U.S. government agencies at the federal, state, and local levels, the military, and contractors in the public sector. They are also used as the basis for policies in healthcare, finance, and other private industries.
FIPS 140 is probably the most well-known among these standards. It details the requirements for cryptographic modules and the procedures for testing and certifying them. This validation process provides assurance that a module protects the confidentiality and integrity of the data it handles, so it is required for the most sensitive deployments. The standard is currently in its second generation, hence the “-2” suffix; NIST will begin accepting test reports for FIPS 140-3, the third iteration of the standard, in the fall of 2020.
Among the experts in this crucial niche is the CEO and co-founder of SafeLogic, Ray Potter. Ray brings over 15 years of security and compliance experience to lead SafeLogic’s strategic efforts. Previously he ran Apex Assurance Group, providing security and compliance consulting, growing top-line revenue at 47% CAGR with 75% net profit margin before productizing and spinning out SafeLogic.
SafeLogic provides strong encryption products for solutions in mobile, server, Cloud, appliance, wearable, and IoT environments that are pursuing compliance to strict regulatory requirements, simplifying, offloading, and accelerating FIPS 140 validation for clients of all sizes.
SafeLogic was established in 2012 as a spin-out from Apex Assurance Group, which provided seed funding to bootstrap operations and NRE costs. Apex Assurance Group provided FIPS 140 and Common Criteria consulting services to top-tier companies for years, conducting consulting and advisory, certification management and knowledge transfer services. CryptoComply is the flagship product, developed by SafeLogic experts to leverage Apex Assurance Group’s knowledge and experience of the typical customer journey and real-world vendor problems encountered on the path to FIPS 140 validation.
As a mandated requirement for the U.S. Public Sector and other regulated industries, the esoteric standard for the technical aspects and testing protocols for cryptography poses a significant roadblock for tech vendors. SafeLogic reinvented the delivery, packaging crypto modules to make them compatible and easily dropped into popular open source architectures and bundling them with matched certification services. This allowed clients to completely offload their encryption dependencies to SafeLogic, a classic example of specialization yielding time and cost savings.
Nothing though is as easy as it seems to be. As a start-up in a heavily regulated space, the single biggest initial challenge was establishing the reputation of SafeLogic. There are many hoops to jump through and many hurdles to jump over when you are providing sensitive and mission critical capabilities to Fortune 100 companies and the U.S. Federal Government.
“We grew our business in what is now the old fashioned way”
The company launched with a solution they knew the market needed, and then grew organically from their own work and from selling to hungry customers. There was none of the typical “throw something out there and see what sticks” approach, nor the burning through of venture capital in search of product-market fit that is so common with companies today. SafeLogic was bootstrapped and profitable from Day 1.
The Products and Services:
SafeLogic provides CryptoComply, a family of encryption modules available for a variety of use cases and architectures, and RapidCert, their push-to-start FIPS 140 validation program. There are companies that sell crypto, and there are companies that do consulting work on the certification side, but SafeLogic bundles them together to maximize the effect. By building their modules with FIPS in mind, and tailoring the validation services to the modules, the company is able to save clients significant time and money – sometimes as much as a full year and hundreds of thousands of dollars!
Their flagship product, CryptoComply, provides drop-in FIPS 140-2 compliance with a common API across platforms as well as drop-in compatibility options for OpenSSL, BoringSSL, and Bouncy Castle. CryptoComply has been FIPS 140-2 validated on iOS, Android, Windows, Mac OS X, Linux and other platforms, and delivers accelerated validation for customers with the RapidCert service. As a FIPS 140-2 validated module already, CryptoComply can be deployed quickly to meet various needs and requirements and provide instant compliance when installed.
Benefits and Strategy of CryptoComply:
CryptoComply delivers a single code library that supports multiple operating system platforms. The same library can be used in applications across a variety of operating systems with the same programmatic interface while maintaining the FIPS 140-2 certification. CryptoComply accomplishes this by maintaining the same code base across multiple FIPS 140-2 validations.
Open Source Compatibility
CryptoComply is now also available as a direct, drop-in replacement for OpenSSL, BoringSSL/BoringCrypto, and JCE (Java Cryptographic Extension) providers such as Bouncy Castle, SunJCE, and RSA J-SAFE.
SafeLogic reduces the time required for FIPS 140 validation by as much as 90% when the CryptoComply module is deployed as a replacement for non-validated software. FIPS 140-2 validations can take over 12 months, but with CryptoComply and the RapidCert process, time-to-compliance can be dramatically reduced. SafeLogic’s target is 8 weeks from start to finish with zero additional effort required from the customer.
Meet Compliance Requirements Instantly
CryptoComply modules are drop-in replacements for the low-level cryptographic libraries underlying TLS/SSL functions. Developers merely have to build their code to point to the CryptoComply APIs, so that the calls made by the TLS/SSL stack code are handled by CryptoComply. Because CryptoComply has already completed FIPS 140-2 validation, products that deploy CryptoComply can accurately claim FIPS 140-2 compliance immediately.
Manage Costs and Time
FIPS 140-2 validations can take well over a year to complete and costs have escalated dramatically, especially as the number of supported platforms increases. In the dynamic IT security business, these delays and costs can magnify competitive and customer demand pressures. CryptoComply provides instant FIPS 140-2 compliance because the modules have already undergone the validation process.
Licensing other third-party modules can cost hundreds of thousands of dollars per year, and that price does not even include validation. With SafeLogic, customers will enjoy greatly reduced licensing and maintenance costs.
Eliminate Wasted Effort
Validating on a per-product basis wastes time, money and effort. Save valuable resources by incorporating CryptoComply into multiple products or multiple product lines. Moreover, because CryptoComply is centrally maintained by SafeLogic, on-going support costs are greatly reduced and duplication of effort is eliminated.
CryptoComply validations support a wide variety of operating system platforms and SafeLogic’s aggressive certification roadmap ensures that as new operating system versions are made available, CryptoComply FIPS validations will be kept up-to-date.
Maintain Validation Status
With FIPS 140-2 validations, any changes to a traditional module may force re-validation. Additional platform support may also require a re-validation. Discovered vulnerabilities in the module code could force a re-validation. CryptoComply contains only the core cryptographic functions, ensuring that only the most critical, security-relevant changes will necessitate re-validation.
While CryptoComply has been designed to isolate the validation to only the key functions, SafeLogic will continue to stringently maintain validations to support technology changes and new security threats.
“SafeLogic is constantly building and evaluating new versions of CryptoComply for feasibility and opportunity, so if you have a particular use case, definitely reach out. We might have something in testing that fits perfectly for you!”
Ray Potter is a very result-oriented CEO. He has a successful track record in building start-ups and bringing products to market.
“Making things happen and solving painful problems. I love this stuff.”
His experience is based on identifying problems and developing solutions to fix them. As a management consultant, as a program manager, and now as an entrepreneur, the essence of “problem solving” encapsulates his career.
He says that there are no particular key achievements in the entrepreneurial journey; in fact, the journey is itself an achievement. As the company develops and matures, it means hiring the right people, fostering a flexible but driven work environment, and making sure that everyone has what they need to be successful.
Ray notes that it takes a long time to learn the value of balancing health, wealth, loved ones, and fun, and he tries to notice whether someone on the team seems anxious, overwhelmed, or distracted by issues outside of work. He encourages them to take a day off, or several, or alleviates stress by bringing more resources to a challenging project. Burn-out is both real and avoidable.
“We have a very open culture here. Everyone speaks their mind, and dissenting opinions are embraced.”
Nobody is immune from alternative points of view. SafeLogic’s team is the best in the business and their ability to see problems from a variety of positions is second to none. As a CEO and a result-oriented leader, Ray says he would take this team over any ex-GooFaceUber team out there. So when they disagree with him, he listens, and when they find , he feels confident.
“We pride ourselves on working quickly to solve problems, and that sense of urgency really resonates with our customers.”
Ray on Competitive Differentiation:
“Don’t think about it, just do it. We need to be keenly aware of what’s happening around us, and be ready, either reactively or proactively. I’ve seen too many people get so immersed in strategy that stuff hits the fan when an action or event doesn’t go as planned.
I used to adopt the philosophy of “work harder and more hours than anyone else” and I did just that. However, I really think that “balance” is the key to being successful in the long-term. Work hard, definitely, but balance that with hobbies, relaxation, or family time. Find a creative outlet, like music or art or whatever interests you as a person. It’s too easy to be defined by one’s job, and we simply cannot let that happen.”
“With hard work, dedication, focus, time, and a little bit of luck, the impossible can become possible