What you'll learn:
- Encryption of data at rest (DAR).
- The TCG's Opal Storage Specification and NIST's FIPS standards for self-encrypting drives.
- What is Common Criteria certification?
On May 12, 2021, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. Maintaining the security of sensitive information has always been important to military and intelligence programs, and this executive order extends security to address a wider audience.
In the wake of several well-known, recent information breaches such as the SolarWinds attack, the theft of Nancy Pelosi’s laptop during the events of January 6, 2021, and the Colonial Pipeline shutdown, cybersecurity has become a more visible, higher priority for government and industry alike. This, in turn, has led to a greater understanding of the need to protect and secure information itself, not just the necessity of deterring and preventing cyberattacks.
Among other precautions, the May 2021 Executive Order calls for encrypting data at rest and data in transit, as well as providing multi-factor authentication to access sensitive data. Data at rest (DAR) is data that’s stored on solid-state drives (SSDs) or hard-disk drives (HDDs) and isn’t actively being used, while data in transit refers to data that’s moving between two points, such as being transmitted across a network.
Solutions to address encrypting and securing DAR often incorporate self-encrypting drives (SEDs), which themselves feature a hardware encryption engine (EE) resident on the storage drive. As the name suggests, SEDs automatically encrypt and decrypt data as it’s written to and read from the SSD or HDD.
In some cases, only the data files themselves are encrypted, leaving the operating system (OS) unencrypted so that it can boot freely. This enlarges the potential attack surface, however, and lowers the overall security of the drive.
A higher level of security is afforded by full disk encryption (FDE), in which the entire drive, including the operating system, is encrypted. Because the OS itself is encrypted, the system cannot boot until the user supplies valid credentials; this is known as pre-boot authentication (PBA).
Speaking of authentication, access to an SED can be as simple as a single password. However, a higher level of confidence in the security of the data is provided by employing an additional form or factor of authentication.
Multi-factor authentication consists of two or more pieces of information: something the user knows (e.g., password), something the user is (e.g., fingerprint scan or retina scan), something the user has (e.g., a USB dongle or a government-issued CAC card), or somewhere the user is located (e.g., proximity detection or GPS coordinates).
Choosing Secure Data Storage
When looking for SEDs, security solution developers need to consider the sensitivity and classification level of the information, the cost of the solution, whether the DAR needs to be transported (which may necessitate using removable drives), and the complexity of integrating the storage. One can choose from several tiers of encrypted storage devices.
The Trusted Computing Group (TCG) is a consortium of technology companies whose goal is to promote and implement trusted computing concepts. The TCG’s Opal Storage Specification defines features of data storage devices (such as SSDs) that enhance their security.
TCG Opal manages the encryption and decryption of information within the storage device itself, thereby enabling fast encryption/decryption and minimizing the risk of data leakage without undermining system performance. The Opal standard also defines a locking mechanism that prevents the SSD from being replicated.
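A practical check of the locking mechanism just described is to read the drive's Opal Level 0 Discovery response and confirm that locking is enabled and media encryption is in place. The parser below is an added example, not code from the article or from the TCG; it follows the published Level 0 Discovery layout (48-byte header, then feature descriptors of code/version/length/data) and runs on a constructed sample response rather than a real drive, since issuing the IF-RECV command to hardware is outside its scope.

```python
import struct

# Feature codes used in the TCG Opal Level 0 Discovery response
FEATURE_TPER = 0x0001
FEATURE_LOCKING = 0x0002
FEATURE_OPAL_V2 = 0x0203


def parse_level0_discovery(buf: bytes) -> dict:
    """Return {feature_code: descriptor data} from a Level 0 Discovery response."""
    if len(buf) < 48:
        raise ValueError("response shorter than the 48-byte discovery header")
    total_len = struct.unpack(">I", buf[:4])[0]  # excludes the length field itself
    end = min(4 + total_len, len(buf))
    features, pos = {}, 48
    while pos + 4 <= end:
        code, _version, length = struct.unpack(">HBB", buf[pos:pos + 4])
        data = buf[pos + 4:pos + 4 + length]
        if len(data) < length:
            raise ValueError(f"truncated feature descriptor 0x{code:04x}")
        features[code] = data
        pos += 4 + length
    return features


def locking_state(features: dict) -> dict:
    """Decode the status bits of the Locking feature descriptor (first data byte)."""
    data = features.get(FEATURE_LOCKING)
    if not data:
        return {"locking_supported": False}
    f = data[0]
    return {"locking_supported": bool(f & 0x01), "locking_enabled": bool(f & 0x02),
            "locked": bool(f & 0x04), "media_encryption": bool(f & 0x08),
            "mbr_enabled": bool(f & 0x10), "mbr_done": bool(f & 0x20)}


def is_configured_sed(features: dict) -> bool:
    """True when the drive is an Opal 2 SED with locking enabled on encrypted media."""
    st = locking_state(features)
    return FEATURE_OPAL_V2 in features and st["locking_supported"] \
        and st.get("locking_enabled", False) and st.get("media_encryption", False)


def build_sample(lock_flags: int = 0x0B) -> bytes:
    """Constructed sample response (not captured from a real drive)."""
    body = struct.pack(">I", 1) + bytes(8) + bytes(32)  # revision, reserved, vendor
    body += struct.pack(">HBB", FEATURE_TPER, 0x10, 12) + bytes([0x11]) + bytes(11)
    body += struct.pack(">HBB", FEATURE_LOCKING, 0x10, 12) + bytes([lock_flags]) + bytes(11)
    body += struct.pack(">HBB", FEATURE_OPAL_V2, 0x10, 16) \
        + struct.pack(">HHBHHBB", 7, 1, 0, 4, 8, 0, 0) + bytes(5)
    return struct.pack(">I", len(body)) + body
```

With the default flags (supported, enabled, media encryption, not currently locked) the sample reports a properly configured SED; a drive that only advertises locking support without it being enabled does not pass.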
While the TCG Opal specification isn’t a certification or credential per se, it’s included here since it’s commonly used when secure data storage is needed for less-sensitive information. To instill confidence that an SED uses secure encryption in conjunction with other protection mechanisms, vendors will pursue two well-known certifications: FIPS and CC.
The first form of certification is based on the Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST). These standards are developed in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. The FIPS standards applicable to SEDs include FIPS 197 (the AES encryption standard), along with FIPS 140-2 and FIPS 140-3, both of which apply to the encryption engine used on the SEDs.
A NIST-validated and FIPS-certified SED meets the highest levels of cryptographic security, thereby giving users confidence that their valuable DAR is safe and secure against cyberattack. Solution builders are increasingly turning to FIPS-certified SEDs because FIPS certifications demonstrate to the end-users of a product that its storage devices (for example) are appropriate for usage in solutions that require securing or protecting information.
Common Criteria (CC)
The second form of certification is known as the Common Criteria (CC). The CC is an international standard (ISO/IEC 15408) for computer security certification. There are 31 member nations that participate in CC. In the U.S., the National Information Assurance Partnership (NIAP) is responsible for the country’s implementation of the CC. This includes approving the third-party testing laboratories responsible for conducting evaluations of vendor product claims.
The CC provides a framework for specifying security functional requirements (SFRs) and security assurance requirements (SARs). It defines a Security Target (ST) as an "implementation-dependent statement of security needs for a specific identified target of evaluation (TOE)." In other words, the ST defines the boundary and specifies the details of the TOE.
In a product evaluation process, the ST document is provided by the vendor of the product. By comparison, a Protection Profile (PP)—which is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs), and rationales—is typically created by a user or user community. It provides an implementation-independent specification of information assurance security requirements.
Vendors can use the CC as the basis to implement and make claims about the security attributes of their products. Later, authorized testing laboratories will evaluate these products to determine if they meet vendor claims. In other words, the Common Criteria assures you that the computer/IT security product will perform as specified—in a manner appropriate to the target environment.
In the case of securing DAR, adhering to the CC standard provides assurance that security features such as authentication acquisition (AA) and the device’s encryption engine (EE) have been properly implemented. The crux of the Common Criteria’s value is that it results in products tested to security profiles that meet government requirements.
One of the more recent responses to cyberthreats is to adopt a zero-trust (ZT) security model. This model, which is also known as zero-trust architecture (ZTA) and zero-trust network architecture (ZTNA), drives the design and implementation of IT systems.
The main concept behind zero trust is “never trust, always verify.” In other words, people and devices should not be trusted by default, even if they’re connected to a managed corporate network such as the corporate LAN, and even if they have been verified previously.
If there’s anything we’ve learned over recent years, it’s that our computer systems in general—particularly the precious data stored on them—are susceptible to attack by hackers. These bad actors can range from independent entities to nation states.
Anyone from individuals to institutions may be targeted, where the latter includes the military, federal agencies, critical infrastructure (power grids, oil pipelines, transportation systems, for example), industrial and manufacturing concerns, banking and financial establishments, and medical facilities.
While federal organizations in the United States have long been concerned about security, the necessity of fully securing their digital assets was brought into sharp focus by the Executive Order on Improving the Nation’s Cybersecurity. In part, this executive order directed all branches of the U.S. Government to improve their efforts to “identify, deter, protect against, detect, and respond” to cybersecurity threats.
While this executive order addresses the U.S. Government, enterprises and businesses of all sizes should also take steps to secure and protect their data.
As noted above, one of the more recent responses to cyberthreats is to adopt a zero-trust security model, and a key aspect of a ZT environment is securing data at rest. As discussed in this article, a key aspect of securing DAR is to use SSDs in the form of SEDs that adhere to the TCG Opal specification and are FIPS- and CC-certified.