I'm managing a server that handles health and medical data, and it's running Debian 11, which is nearing its end of life. A colleague mentioned that I need FIPS 140-3 certification for this type of data. Since Debian doesn't offer FIPS 140-3, I'm considering either AlmaLinux 9.2 with TuxCare's FIPS 140-3 or Ubuntu LTS 22.04 with PRO and FIPS support. I live in Italy, and I'm wondering if I should go with Canonical, which seems more EU-friendly, or choose AlmaLinux, which has U.S. origins. Does it really matter if the distro is from the U.S. or the EU? Also, I'm curious about whether my backup server that stores health data should also have FIPS 140-3 certification. Any insights would be appreciated!
5 Answers
Absolutely verify local regulations. From my experience, only EL FIPS-enabled systems have been on my radar. I haven’t worked with Debian or Ubuntu in FIPS mode, and trust me, FIPS can bring some unexpected challenges—it’s not always straightforward to resolve issues that arise in FIPS mode.
It’s crucial to check with your local regulatory bodies about these requirements. You’ll surely need to follow GDPR regulations. FIPS is primarily an American standard, so its relevance in Italy or the EU isn't clear-cut. A quick search didn’t show any mandate for FIPS certification in Italy, but I recommend consulting with legal counsel or your regulatory authority to ensure full compliance regarding personal health information.
Thanks for the clarification!
FIPS is specific to the U.S., so you might want to look into EU-specific standards if they exist. Generally speaking, I find dealing with FIPS can be burdensome. The Ubuntu Pro FIPS support isn’t as reliable as standard Ubuntu, and I've experienced several bugs in that setup, so keep that in mind.
You should reach out to your backup software provider. In my past experience, the FIPS 140-3 aspects can get tricky. For example, my backup software had both TLS encryption in transit and encryption at rest, but they had different decryption requirements based on the client and server setup, which was bizarre. In short, FIPS certification needs to be relevant to the specific backup application since the OS libraries might not be directly influencing it in some cases.
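To make the point in this answer concrete (whether the OS FIPS module actually covers the backup application's crypto), here is an added example script, not code from the thread or from any vendor, that reads the kernel FIPS flag, checks whether OpenSSL reports its fips provider active, and classifies whether a binary resolves libcrypto from the system library directories or from a bundled copy. The agent path /opt/backupagent/bin/agent and the sample ldd output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Only the OS crypto module is covered by the
# OS vendor's FIPS 140-3 certificate; a libcrypto bundled inside the backup agent, or
# statically linked into it, is outside that certificate and must be checked with the vendor.

# Print the kernel FIPS flag ("1" or "0"); the file path is overridable for testing.
fips_kernel_flag() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ]; then
        read -r v < "$f" || true
        printf '%s' "${v:-0}"
    else
        printf '0'
    fi
}

# Read `openssl list -providers` output on stdin; print "yes" if the fips provider is active.
openssl_fips_provider_active() {
    awk '
        /^ *[A-Za-z0-9_]+$/ { name = $1 }             # provider name line, e.g. "  fips"
        /status: *active/ && name == "fips" { ok = 1 }
        END { print (ok ? "yes" : "no") }'
}

# Read `ldd <binary>` output on stdin and report where libcrypto comes from:
# "system" (/lib, /lib64, /usr/lib*), "bundled" (any other path), "missing" (not found),
# or "none" (no dynamic libcrypto: no OpenSSL use, or a statically linked copy).
libcrypto_origin() {
    awk '
        /libcrypto\.so/ { found = 1; if ($3 ~ /^\/(usr\/)?lib(64)?\//) sys = 1 }
        /libcrypto\.so.*not found/ { missing = 1 }
        END { print (!found ? "none" : (missing ? "missing" : (sys ? "system" : "bundled"))) }'
}

# Constructed ldd output for a hypothetical agent that ships its own OpenSSL.
SAMPLE_LDD='  libcrypto.so.1.1 => /opt/backupagent/lib/libcrypto.so.1.1 (0x00007f1c2a000000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29e00000)'

# Live report; the default agent path is a placeholder (assumption), override via $1.
report() {
    agent="${1:-/opt/backupagent/bin/agent}"
    printf 'kernel fips_enabled:          %s\n' "$(fips_kernel_flag)"
    printf 'openssl fips provider active: %s\n' \
        "$(openssl list -providers 2>/dev/null | openssl_fips_provider_active)"
    if [ -x "$agent" ]; then
        printf 'agent libcrypto origin:       %s\n' "$(ldd "$agent" 2>/dev/null | libcrypto_origin)"
    else
        printf 'sample agent libcrypto origin: %s\n' "$(printf '%s\n' "$SAMPLE_LDD" | libcrypto_origin)"
    fi
}

if [ "${1:-}" = "--run" ]; then report "${2:-}"; fi
```

Run it as `sh fips-check.sh --run /path/to/backup-agent`; a "bundled", "missing" or "none" result means the agent's encryption at rest and TLS are not automatically covered by the OS FIPS module, which is the question to put to the backup vendor.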

That’s so true! Sometimes the requirements can actually lead to less effective security.