Chainguard’s FIPS-compliant Cassandra addresses security demand of federal and regulated markets

Open-source software security firm Chainguard announced Wednesday that it is now building FIPS-validated images for Apache Cassandra, achieving what it describes as a first-of-its-kind accomplishment in the open-source community.
The project enables organizations in regulated industries — including government, health care, and finance — to deploy Cassandra with cryptographic libraries compliant with the National Institute of Standards and Technology’s Federal Information Processing Standards (FIPS). The effort had previously been considered unfeasible because of incompatibilities between Cassandra’s upstream code and FIPS-approved libraries; it responds to persistent customer demand for compliance-ready solutions.
According to Chainguard, customer demand drove this initiative. Companies selling software to federal government agencies through FedRAMP authorization are required to meet FIPS requirements to access government contracts. Similarly, businesses handling sensitive consumer data in regulated industries consider FIPS-validated encryption an important security practice. Many of these organizations could not feasibly redesign their products to avoid using Cassandra, a widely used open-source, distributed NoSQL database management system designed to handle large volumes of data.
Some of the biggest companies in the world use Apache Cassandra in their technology stack. According to the Apache Foundation website, companies like Apple, Netflix, Spotify, Target and Uber all use the software.
Dustin Kirkland, Chainguard’s VP of engineering, told CyberScoop that the product “guarantees that the cryptography and data protections are implemented and used correctly,” which is important for organizations that are looking to embrace secure-by-design principles.
“While many open-source binaries can be compiled in a FIPS-compliant mode, there are many that can’t — and we have customers every day requesting more FIPS-compliant builds of heavily utilized open-source projects, such as Apache Cassandra,” Kirkland said. “Users within federal agencies understand and appreciate and value that we’re helping them enforce strict security standards at the code level, and doing so without adding risk or complexity.”
To make this offering possible, Chainguard forked Cassandra’s source code, introducing modular changes that allow users to toggle between default Java cryptography and FIPS-approved alternatives. These modifications were applied to three supported versions of Cassandra: 4.0, 4.1, and 5.0.
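The toggle described above, as an added illustration that is not Chainguard’s code and not taken from the Cassandra fork: a JCA provider selector that chooses the JDK default or a FIPS provider based on a system property, refuses to fall back silently when FIPS mode is requested but no FIPS provider is registered, and checks that provider-less JCA lookups also resolve to the FIPS provider. The property names, the default provider name “BCFIPS,” and the class itself are assumptions for this example.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

/** Hypothetical FIPS/default crypto toggle; not code from Chainguard or Apache Cassandra. */
public final class CryptoProviderSelector {
    // Assumed property names for this example only.
    static final String FIPS_MODE_PROP = "example.crypto.fips";
    static final String FIPS_PROVIDER_PROP = "example.crypto.fipsProviderName";

    /** Returns the provider all crypto calls must go through. Fails closed in FIPS mode. */
    public static Provider select() {
        boolean fipsMode = Boolean.getBoolean(FIPS_MODE_PROP);
        if (!fipsMode) {
            // Default path: highest-priority provider from java.security (SUN/SunJCE on stock JDKs).
            return Security.getProviders()[0];
        }
        String name = System.getProperty(FIPS_PROVIDER_PROP, "BCFIPS"); // assumed default name
        Provider fips = Security.getProvider(name);
        if (fips == null) {
            // Never degrade to default JDK crypto when the operator asked for FIPS mode.
            throw new IllegalStateException("FIPS mode requested but provider '" + name
                    + "' is not registered; refusing to fall back to default JDK cryptography");
        }
        return fips;
    }

    /** In FIPS mode, a lookup without an explicit provider must still land on the FIPS provider,
     *  otherwise a library that calls getInstance(alg) with no provider bypasses the toggle. */
    public static void verifyProviderOrdering() throws Exception {
        if (!Boolean.getBoolean(FIPS_MODE_PROP)) return;
        Provider expected = select();
        Provider resolved = Cipher.getInstance("AES/GCM/NoPadding").getProvider();
        if (!expected.getName().equals(resolved.getName())) {
            throw new IllegalStateException("Provider-less lookup resolved to " + resolved.getName()
                    + " rather than " + expected.getName() + "; fix java.security provider priority");
        }
    }

    public static MessageDigest sha256() throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256", select());
    }

    public static void main(String[] args) throws Exception {
        Provider p = select();
        verifyProviderOrdering();
        System.out.println("Using provider: " + p.getName() + " " + p.getVersionStr());
        byte[] digest = sha256().digest("constructed sample input".getBytes("UTF-8"));
        System.out.println("SHA-256 digest length: " + digest.length + " bytes");
    }
}
```

Run with `-Dexample.crypto.fips=true` and a FIPS provider on the classpath to exercise the fail-closed path; without the provider installed the program stops rather than silently using default JDK cryptography.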
The company is in the process of contributing its code forks and patches back to the upstream project maintainers for review and acceptance. If users are satisfied with the product, the company says it will look to achieve something similar with Apache Spark (data analytics engine), Apache Kafka (stream processing platform), and Apache ZooKeeper (library that enables coordination in distributed systems).
You can read more about the project on Chainguard’s website.