Can Azure Push Notifications be FIPS 140-2 Compliant?

Marc George 171 Reputation points
2021-07-02T11:04:29.323+00:00

I am currently sending raw push notifications via an Azure Notifications Hub to a Xamarin app. What is necessary to implement FIPS encryption for the messages?


1 answer

  1. brtrach-MSFT 15,786 Reputation points Microsoft Employee
    2021-07-04T21:45:27.81+00:00

    @Marc George Thank you for your question. The short answer is that individual cloud services are not FIPS compliant due to the nature of FIPS.

    Also, Azure Notification Hubs likely has many additional product and library dependencies, each of which would also require FIPS compliance. As a result, this message cannot be viewed as declaring your service compliant. You ultimately should talk to a security compliance officer to ensure your service meets the necessary requirements for your compliance.

    Regarding FIPS 140-2 and Azure in general, please start here. This article calls out the below question.

    Are applications or cloud services validated through FIPS 140?

    No. The scope for a FIPS 140 validation is a cryptographic module. Microsoft submits the cryptographic modules used by Windows for FIPS 140 validation, not individual applications or cloud services. Applications that leverage the Windows cryptographic modules may be considered compliant when the operating system is configured to operate according to the security policy for the module. You can find more information, including links to the security policy for each module validated through the Cryptographic Module Validation Program, in our FIPS 140 online documentation.

    I believe this is why there is no internal or external documentation on how to make your Notification Hub messages FIPS compliant.

    With that being said, Azure Notification Hubs encrypts all customer data at rest with the exception of registration tags. For this reason, you should not store personal or confidential data using tags. Source

    Azure Notification Hubs supports TLS 1.2 and has disabled support for the insecure TLS 1.0 and 1.1. Full implementation depends on registered devices running at least Android 5 or iOS 5. For more information on TLS 1.2 support and Azure Notification Hubs, please see here.

    Finally, please review the below information.

    How should I handle sensitive payload in push notifications?
    All notifications are delivered to target devices by the platform's PNS. When a notification is sent to Azure Notification Hubs, it is processed and passed to the respective PNS.

    All connections, from the sender to the Azure Notification Hubs to the PNS, use HTTPS.

    Note: Azure Notification Hubs does not log the payload of messages.

    To send sensitive payloads, we recommend using a Secure Push pattern. The sender delivers a ping notification with a message identifier to the device without the sensitive payload. When the app on the device receives the payload, the app calls a secure API directly to fetch the message details. For a guide on how to implement this pattern, go to the Notification Hubs Secure Push tutorial page.

    Source

    The last paragraph essentially answers your question. The recommended method is to use a secure push pattern, which does not send a sensitive payload.

    Lastly, assuming you're using the PNS and not sending raw messages, all messages are sent over HTTPS.

    If you have any further questions or concerns, please let us know.
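
The Secure Push pattern that the answer quotes, as an added example that is not part of the original post, of Microsoft's tutorial, or of the Notification Hubs SDK: the push payload handed to the hub carries only an unguessable message identifier, and the sensitive body is served by your own authenticated HTTPS endpoint. Everything below is an in-process simulation with no network calls; the `SecurePushBackend` class, the `USER_TOKENS` table, the single-use and expiry rules, and the sample account data are all constructed for illustration and are assumptions, not behaviour the page documents.

```python
"""Secure Push pattern sketch (constructed example, not Notification Hubs SDK code).

Sender side: store the sensitive body, send only {"msgId": ...} via the hub/PNS.
Device side: on receiving the ping, call GET /messages/{msgId} with the user's
bearer token over HTTPS to fetch the body. The backend here is simulated in-process.
"""
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample credentials. In a real app the token comes from your
# identity provider and is validated server-side (e.g. a signed JWT).
USER_TOKENS: Dict[str, str] = {
    "alice": "tok-alice-" + "a" * 32,
    "bob": "tok-bob-" + "b" * 32,
}


@dataclass
class StoredMessage:
    user_id: str
    body: Dict[str, str]
    created: float = field(default_factory=time.time)
    ttl_seconds: int = 600  # assumed retention window for an unfetched message

    def expired(self, now: Optional[float] = None) -> bool:
        current = time.time() if now is None else now
        return current - self.created > self.ttl_seconds


class SecurePushBackend:
    """Backend half of the pattern: keeps the payload, hands out a ping."""

    def __init__(self) -> None:
        self._messages: Dict[str, StoredMessage] = {}

    def enqueue(self, user_id: str, body: Dict[str, str]) -> Dict[str, str]:
        """Store `body` and return the ping payload to send through the hub.
        The ping holds only a random identifier, so nothing sensitive ever
        transits the platform notification service."""
        msg_id = secrets.token_urlsafe(24)
        self._messages[msg_id] = StoredMessage(user_id=user_id, body=body)
        return {"msgId": msg_id}

    def fetch(self, msg_id: str, bearer_token: str,
              now: Optional[float] = None) -> Optional[Dict[str, str]]:
        """Authenticated retrieval (think GET /messages/{msgId} over HTTPS).
        Returns the body once, only to the owning user, only while unexpired."""
        msg = self._messages.get(msg_id)
        if msg is None:
            return None
        expected = USER_TOKENS.get(msg.user_id)
        # Constant-time comparison so a wrong token does not leak by timing.
        if expected is None or not hmac.compare_digest(expected, bearer_token):
            return None
        if msg.expired(now):
            del self._messages[msg_id]
            return None
        del self._messages[msg_id]  # single-use: a replayed msgId gets nothing
        return msg.body


def ping_is_clean(ping: Dict[str, str], sensitive: Dict[str, str]) -> bool:
    """Guard to run before the send call: the serialized ping must have only
    the msgId key and must not contain any of the sensitive values."""
    serialized = json.dumps(ping)
    return set(ping) == {"msgId"} and not any(v in serialized for v in sensitive.values())


def demo() -> Dict[str, object]:
    backend = SecurePushBackend()
    body = {"account": "1234-5678", "balance": "EUR 12,345.00"}  # constructed data
    ping = backend.enqueue("alice", body)          # this is all the hub/PNS sees
    return {
        "ping_clean": ping_is_clean(ping, body),
        "wrong_user": backend.fetch(ping["msgId"], USER_TOKENS["bob"]),
        "owner": backend.fetch(ping["msgId"], USER_TOKENS["alice"]),
        "replay": backend.fetch(ping["msgId"], USER_TOKENS["alice"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to take from `demo()` is that the hub-visible payload is useless on its own: the wrong user gets nothing, the owner gets the body exactly once, and a replay of the same `msgId` also gets nothing. In a Xamarin app the `fetch` call would be an HTTPS request made from the notification handler, with the token obtained from your normal sign-in flow.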