How to Encrypt Data in SaaS Applications: FIPS 140-2, FIPS 140-3, and the Need for Visibility
- Martin Snyder

- Jul 9
- 3 min read

Encryption should be the default for any SaaS platform handling sensitive or regulated data. But in practice, many SaaS tools fall short—either by relying on outdated encryption methods or skipping proper validation altogether.
Worse, security teams often don’t know which SaaS applications are in use across their organization. And if you can’t see where your data is going, you can’t verify whether it’s being encrypted—or protected—at all.
This is where SaaS visibility tools like Waldo Security become critical: they help uncover unsanctioned apps and identify whether vendors meet encryption and compliance standards such as FIPS 140-2 and FIPS 140-3.
The Encryption Gap in SaaS
Despite growing security concerns, many SaaS providers continue to:
Encrypt data only in transit—not at rest
Use weak cryptographic methods
Skip encryption validation like FIPS certification
These shortcomings leave organizations exposed to unnecessary risks and possible compliance violations. This is especially concerning for industries operating under frameworks like SOC 2, HIPAA, and NIST 800-53.
What Are FIPS 140-2 and 140-3?
FIPS 140-2 and FIPS 140-3 are standards for validating cryptographic modules, developed by NIST (National Institute of Standards and Technology). They are required in U.S. federal environments and adopted across industries that need independently validated cryptographic strength.
FIPS 140-2 (2001): Defines four levels of security for cryptographic modules, from basic to highly secure
FIPS 140-3 (2019): Builds on 140-2 with stricter requirements and international alignment (ISO/IEC 19790)
To be listed as FIPS validated, a vendor’s cryptographic module must pass testing under the Cryptographic Module Validation Program (CMVP).
Why FIPS Compliance Matters in SaaS
For any SaaS vendor storing sensitive data—especially in healthcare, finance, or government—FIPS validation is a powerful assurance that strong encryption practices are in place. Yet many SaaS tools used in daily operations do not hold this certification.
Relying on them puts your organization at risk of:
Failing audits or compliance checks
Losing control of sensitive information
Facing reputational or legal consequences from preventable breaches
The Visibility Problem: You Can’t Secure What You Can’t See
Even with strong internal policies, security teams face a growing challenge: shadow IT.
Employees often adopt new SaaS tools without IT involvement—sometimes with just a credit card and a company email. These apps may be missing critical security features, including FIPS-level encryption.
To manage this risk, organizations need to:
Discover all SaaS applications in use (not just approved ones)
Assess risk posture, including encryption practices
Track usage over time to catch high-risk trends before they become security events
You can read more about this challenge in our post on why SaaS sprawl is a problem you can no longer ignore.
Best Practices to Protect Data in SaaS
To improve data protection and encryption governance in your SaaS environment:
1. Discover and Classify SaaS Usage
Use a discovery tool to identify all apps—especially shadow SaaS. See how to detect shadow SaaS and manage risk.
2. Prioritize Vendors That Support FIPS 140-2 or 140-3
Verify FIPS status using the NIST CMVP validation list: the vendor's cryptographic module should appear there with an active certificate, because a vendor's own claim of being "FIPS compliant" is not the same as CMVP validation.
3. Enforce Encryption Policies
Require that all SaaS providers encrypt data both in transit and at rest.
4. Educate Employees
Help teams understand why unsanctioned tools—especially ones lacking encryption—put data and compliance at risk.
5. Monitor Continuously
Regularly audit SaaS usage and access to ensure compliance standards are upheld.
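As an added example (not code from the original post or from Waldo Security), here is a small Python audit that ties steps 1 to 5 together: it parses constructed proxy log lines, joins each SaaS host against a hypothetical vendor registry, and reports shadow apps plus vendors lacking a CMVP-validated module or encryption at rest. The hostnames, the registry contents and the log format are all assumptions.

```python
import re
from collections import defaultdict

# Constructed vendor registry (hypothetical values, not a real inventory).
# fips_validated means the vendor's module appears on the NIST CMVP list.
VENDOR_REGISTRY = {
    "crm.example-a.com":   {"sanctioned": True,  "fips_validated": True,  "encrypts_at_rest": True},
    "files.example-b.io":  {"sanctioned": True,  "fips_validated": False, "encrypts_at_rest": True},
    "notes.example-c.app": {"sanctioned": False, "fips_validated": False, "encrypts_at_rest": False},
}
# Attribute checked -> finding text when the attribute is False.
CHECKS = (
    ("sanctioned", "unsanctioned app"),
    ("fips_validated", "no CMVP-validated FIPS 140 module"),
    ("encrypts_at_rest", "no documented encryption at rest"),
)
# Constructed proxy log lines: "<timestamp> <user> <host> <bytes_out>".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice crm.example-a.com 4120
2024-05-01T09:02:17Z bob files.example-b.io 982331
2024-05-01T09:05:44Z carol notes.example-c.app 55120
2024-05-01T09:07:03Z alice unknown-saas.example 1200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Aggregate bytes sent and distinct users per SaaS host."""
    usage = defaultdict(lambda: {"bytes_out": 0, "users": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:          # skip malformed lines rather than abort the audit
            continue
        _, user, host, nbytes = m.groups()
        usage[host]["bytes_out"] += int(nbytes)
        usage[host]["users"].add(user)
    return usage

def assess(usage, registry):
    """Return a finding per host that is unknown, unsanctioned, or has an encryption gap."""
    findings = {}
    for host, stats in usage.items():
        vendor = registry.get(host)
        if vendor is None:
            issues = ["unknown app: not in vendor registry (shadow SaaS)"]
        else:
            issues = [msg for key, msg in CHECKS if not vendor[key]]
        if issues:
            findings[host] = {"users": sorted(stats["users"]),
                              "bytes_out": stats["bytes_out"], "issues": issues}
    return findings
```

Run `assess(parse_log(SAMPLE_LOG), VENDOR_REGISTRY)` to get the findings keyed by host; feeding it a daily log export turns step 5 into a repeatable check.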
Conclusion: Visibility Enables Encryption
Encryption alone isn’t enough. Without visibility, your organization can’t verify encryption quality, assess SaaS risk, or enforce compliance standards like FIPS 140-2 and 140-3.
Waldo Security helps close that gap by providing:
Full discovery of known and unknown SaaS applications
Risk assessments tied to encryption and compliance frameworks
Ongoing monitoring to prevent non-compliant SaaS usage
Because in the world of SaaS, what you don’t know can—and often does—put your data at risk.