What FIPS 140-2 Compliant Protocol for Azure App Service Communications?

Marc George 171

From a Xamarin app, what component(s) should be used to enable FIPS compliant communications with an Azure App Service?

ajkuma 25,791 Reputation points Microsoft Employee

2021-07-05T08:29:07.95+00:00

@Marc George , Apologies for the delay in responding here from over the weekend.
I'm checking on this internally and will get back to you shortly.

Thanks for your patience!

1 answer

ajkuma 25,791 Reputation points Microsoft Employee

2021-07-06T08:38:25.77+00:00

@Marc George ,

FIPS 140 Level 2 generally needs:

1) Chain of trust using an approved cipher (like AES-256) and
2) Tamper evidence (not resistance).

Typically, for this kind of requirement a standard TLS 1.2+ compatible FIPS 140 cipher will work. Core Azure components like KeyVault HSM should provide tamper evidence capability.

So, you will need to ensure chain of trust and tamper evidence between Xamarin App <> App Service <> ACS.

Once again apologies for the delay on this.
Hope the above information helps. If you have any further questions, please do let us know the intended use of the solution and your requirement.

To benefit the community find the right answers, please do mark the post which was helpful by clicking on ‘Accept Answer’ & ‘Up-Vote’.
Please sign in to rate this answer.
Marc George 21 Reputation points

2021-07-06T13:09:47.57+00:00

Does Microsoft have any development programs / existing components for providing the FIPS 140-2 and 140-3 cipher across the numerous mobile platforms and devices that compliance testing has to be performed for meeting federal deployment requirements.

ajkuma 25,791 Reputation points Microsoft Employee

2021-07-07T21:04:46.26+00:00

Apologies! If I have understood you correct- All Azure services use FIPS 140 approved algorithms for data security because the operating system uses FIPS 140 approved algorithms while operating at a hyper scale cloud. Moreover, Azure customers can store their own cryptographic keys and other secrets in FIPS 140 validated hardware security modules (HSM). Please check out the Federal Information Processing Standard (FIPS) 140 (for US Government) docs for additional info.
Encryption in the Microsoft Cloud

If you have further questions on this, I'll reach out to privately, to understand your scenario better and share/connect appropriate resource.

Thanks for your patience!

Marc George 171 Reputation points

2021-07-08T11:22:00.89+00:00

I have a Xamarin application, operating external to Azure, that needs to do two things, use Azure databases and use a Azure App Service. The communications channels for both need to meet FIPS requirements. That would entail there be components(originally I was asking about for the app service; I asked a second question about SQL) in the app to be FIPS certified. FIPS certification requires an ongoing certification testing program for new device groups and OS changes.

I was asking if Microsoft had such a component and testing program.

ajkuma 25,791 Reputation points Microsoft Employee

2021-07-09T21:24:06.583+00:00

This article provides a detailed list of in-scope cloud services across Azure Public and Azure Government for FedRAMP and DoD CC SRG compliance offerings.
Azure public services by audit scope

"Azure and Azure Government rely on FIPS 140-2 validated cryptographic modules in the underlying operating system, and provide customers with a wide range of options for encrypting data in transit and at rest."

https://aka.ms/AzureCompliance /Whitepaper, which covers all these information.

Additionally,
Federal Information Processing Standard (FIPS) Publication 140-2

Federal Information Processing Standard (FIPS) 140

If you have further question on this, I wish to engage with you offline.

Thanks for your patience!

Marc George 21 Reputation points

2021-07-10T10:17:21.97+00:00

@ajkuma Thanks for the pointers. However, my question is simply asking for actual known Microsoft components to be used to implement FIPS between a Azure App Service web API and a Xamarin application; not what the standards are or what Azure systems meet them.

Please share this message chain as needed to determine an answer. I am available for offline engagement.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

What FIPS 140-2 Compliant Protocol for Azure App Service Communications?

1 answer

Your answer