FenixPyre On-Prem Secure Sharing Solution: Architecture Overview

1. Overview

The FenixPyre On-Prem Secure Sharing Solution provides organizations with a robust, self-hosted environment for secure file storage and collaboration. Engineered to meet the stringent security and compliance requirements of frameworks like CMMC 2.0, this solution ensures that your organization's most sensitive data, including Controlled Unclassified Information (CUI), remains protected within your own network perimeter at all times.

Why Is This Solution Necessary?

In today's regulatory landscape, organizations that handle sensitive government or enterprise data are required to implement verifiable security controls. For members of the Defense Industrial Base (DIB) and other regulated industries, simply using a cloud service is often not enough. CMMC and other mandates require that CUI be protected with validated cryptography and strict access controls.

This on-premise solution offers the ultimate level of control, allowing you to:

• Maintain Data Sovereignty: All files and metadata are stored on your own infrastructure, within your own network.

• Enforce Strict Security Policies: You retain full control over network access, firewall rules, and physical security.

• Meet and Exceed Compliance Requirements: The solution is purpose-built to provide the FIPS-validated cryptographic foundation required for CMMC 2.0 Level 2 and above.

2. Security and Compliance Posture

The FenixPyre On-Prem Secure Sharing Solution is engineered from the ground up for high-security environments.

CMMC 2.0 Alignment

The solution is designed to be a cornerstone of your CMMC 2.0 compliance strategy. It directly addresses the need to protect CUI by providing a secure, auditable environment for data storage and sharing, separate from public cloud infrastructure. By deploying this solution, you establish a foundational component that helps satisfy numerous CMMC controls related to access control, media protection, and system integrity.

Commitment to FIPS 140 Validated Cryptography

The security of cryptographic modules is governed by the Federal Information Processing Standards (FIPS), issued by NIST. The FenixPyre solution is engineered to meet these exacting standards, which are critical for protecting sensitive government data and achieving compliance with frameworks like CMMC and FedRAMP.

Understanding FIPS 140-2 and FIPS 140-3

• FIPS 140-2: For many years, FIPS 140-2 has been the benchmark for validating the effectiveness of cryptographic hardware and software. It defines four levels of security and ensures that validated modules have been independently tested and verified.

• FIPS 140-3: As of March 2019, FIPS 140-3 is the latest standard, aligning more closely with the international ISO/IEC 19790 standard. It introduces more rigorous security requirements, especially against physical and side-channel attacks. While FIPS 140-2 modules are still accepted during a transition period (until September 2026), FIPS 140-3 represents the current and future benchmark for cryptographic security.

Our solution utilizes FIPS 140-3 validated cryptographic modules to meet the highest security requirements. This includes:

• FIPS-Enabled Components: The solution leverages specific FIPS-validated components to ensure compliance. The core On-Prem Sharing Service utilizes modern FIPS 140-3 validated cryptographic modules, while the Secure Storage Service is powered by a robust Docker image validated against FIPS 140-2.

• Validated Cryptographic Operations: All cryptographic functions—including encryption, hashing, and key generation—are performed by modules that have undergone and passed the rigorous FIPS 140-3 validation process.

• Host Environment Hardening: To achieve end-to-end compliance, the virtual machines hosting the solution must run in a FIPS-enabled mode. This ensures that the underlying operating system also enforces the use of validated cryptographic algorithms, creating a verifiable, defense-in-depth posture.

3. Solution Architecture

The FenixPyre On-Prem Secure Sharing Solution consists of three core services deployed across two dedicated virtual machines, creating a distributed and resilient architecture.

Services to be Deployed

1. FenixPyre On-Prem Sharing Service (VM 2) This is the core application that orchestrates secure sharing and access control. It serves two distinct APIs:

• Private API: Used for communication with internal clients, such as the FenixPyre Windows Agents, within your network. This API is secured with mutual TLS (mTLS) and must only be accessible on your internal network (default port: 8080).

• Public API: Used by external recipients to access shared files. This API is protected by HMAC and other strong authentication methods and must be exposed to the internet (port: 443).

2. Secure Storage Service (VM 1) This service provides a high-performance, S3-compatible object storage layer where all files are securely persisted. It is powered by a FIPS-enabled MinIO Docker image, ensuring that data at rest is handled within a FIPS-compliant boundary.

3. PostgreSQL Database (Deployed on VM 2) A dedicated PostgreSQL instance serves as the backend database for the On-Prem Sharing Service. It stores all critical metadata, including file information, ensuring the integrity and availability of the service.

Setup

For setup instructions, reach out to FenixPyre Support.