There’s an old adage often attributed to Voltaire that says “Perfect is the enemy of good enough.” I’m usually reminded of this when I am revising something for the umpteenth time and notice that I could still polish it further. Now don’t get me wrong, I’m a big fan of improvement. Self-improvement and home improvement, in particular. I’m aware that at some point, you just have to stop and be content. The trick is knowing when the time is right. When exactly is it “good enough”?
For many product managers, there is rarely an area in which “good enough” exists. The competitive landscape drives a constant pursuit of perfection, and the challenge becomes allocating resources and time to the areas in which improvement can be measured and marketed as a differentiator.
When it comes to data encryption, the sweet spot comes somewhere between A=1; B=2; etc., and a randomizing algorithm with no decryption keys. We must facilitate swift and accurate decryption, but still make it virtually impossible without authorization. We have spent decades revising and improving our protocols, staying ahead of the malicious hackers. We seek the tipping point, where we find the most security assurance without expending significant additional time and effort, balancing the law of diminishing returns.
Luckily, the fulcrum is already here. NIST and the CMVP have done us all a favor and established FIPS 140-2. When your product meets this standard, your customers can count on the independent validation of the cryptographic module in use, and can trust that it is indeed "good enough". Without this seal of approval, we would be lost in uncertainty and doubt.
Many companies implement AES-256 encryption and call it a day. Kudos to those that recognize and embrace the need for cryptographic algorithm protection. However, this falls on the wrong end of the lever. Has the algorithm been tested and confirmed? Who has verified the implementation? Without answers to these questions, the claim of encryption is only as valuable as the paper it is printed on, and competitors will push ahead.
In opportunities to bid for US Government contracts, the requirements are extremely blunt. Without validated encryption, a product is considered to not have any encryption at all.
Take that to heart. Encryption is one place where we are lucky enough to have the bar already set. There is no advantage in cutting corners or in spending endless hours trying to make iterative improvements. The requirements are clear and the competitive field is flat. FIPS 140-2 is no longer just a restriction set by the US Government for purchase orders; it’s the very definition of "perfect" for cryptographic solutions worldwide.