Glossary of Terms
Glossary of Computer and Data Security Terms
The following list contains abbreviations and terms related to cybersecurity and computing.
2FA (Two-Factor Authentication): See MFA.
3DES (Triple DES): 3DES applies the DES algorithm three times to each block of data, extending the effective key length of single DES.
AA (Authorization Acquisition): The process by which the user confirms his or her credentials, which results in the release of the data encryption key (DEK) to the SED’s encryption engine (EE). AA typically involves the combination of a username and password, but it may also include other techniques such as a CAC card (see also MFA).
AES (Advanced Encryption Standard): This is the most widely used symmetric key algorithm at the time of this writing. It became a standard when it was approved by NIST in 2001. When you see references to AES-128 and AES-256, the trailing number is the length of the key in bits. The longer the key, the harder it is to crack using a brute force attack.
BIOS: BIOS stands for basic input/output system. It is a program a computer’s microprocessor uses to start the computer system after it is powered on. It also manages data flow between the computer’s operating system (OS) and attached devices, such as the hard disk, video adapter, keyboard, mouse, and printer. In a system equipped with a DIGISTOR Citadel SSD, the Citadel SSD needs to be compatible with the BIOS so that the BIOS can begin the operating system boot sequence once a user is authorized via the Citadel PBA.
Brute Force Attack: In a brute force attack, an attacker submits many passwords with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. To defend against brute force attacks, systems or applications can lock users out after a defined number of invalid attempts.
Bus: A bus transfers data between computer components such as the CPU, memory (RAM), and storage, and between the computer and external devices such as printers and networks. Computer systems generally contain several buses. Examples of buses that communicate with external devices include USB, Ethernet, and PCIe.
CAC (Common Access Card): A smart card about the size of a credit card that is the standard identification for active-duty U.S. DoD personnel, including civilian employees and eligible contractor personnel. It is the principal card used to enable physical access to buildings and controlled spaces, and it also provides access to defense computer networks and systems. CAC readers are often integrated into a laptop or other computer.
CC (Common Criteria): More formally known as the “Common Criteria for Information Technology Security Evaluation,” the CC is an international standard (ISO/IEC 15408) for computer and IT product security certification that was developed by the governments of Canada, France, Germany, the Netherlands, the UK, and the U.S.
CPU (Central Processing Unit): The electronic circuitry that executes the instructions comprising a computer program. The CPU performs the basic arithmetic, logic, control, and input/output operations specified by instructions in the software (SW).
CIS (Center for Internet Security): Formed in 2000, CIS is a community-driven nonprofit organization with a mission to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyberthreats. CIS plays an important role in forming security policies and decisions at national and international levels.
CISA (Cybersecurity and Infrastructure Security Agency): CISA is an agency of the United States Department of Homeland Security (DHS) that is responsible for strengthening cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government’s cybersecurity protections against private and nation-state hackers.
CSfC (Commercial Solutions for Classified): CSfC is a program of the United States National Security Agency (NSA) that allows government agencies to use commercial technologies to protect classified information. The program establishes a set of guidelines and requirements for the secure implementation of commercial off-the-shelf (COTS) products, which can be combined to create secure solutions that meet the specific security needs of government agencies. CSfC enables government agencies to take advantage of the latest technologies while maintaining the security of their classified information.
DAR (Data at Rest): This refers to data that is physically housed in a storage device such as a hard disk drive (HDD) or solid-state drive (SSD). To be acceptable for use by the Federal Government, a DAR solution must be TAA-compliant, NIST-validated and FIPS-certified.
DEK (Data Encryption Key): An encryption key whose function it is to encrypt and decrypt data. A SED must be cyber-locked with a DEK, thereby protecting it from bad actors who gain access to the drive, either on its own or while residing in a computer or other system. Legitimately accessing the data involves AA, which releases the DEK to the drive’s EE.
DES (Data Encryption Standard): A symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes DES too insecure for today’s applications, it has been highly influential in the advancement of cryptography.
DoD (Department of Defense): An executive branch department of the U.S. federal government charged with coordinating and supervising all agencies and functions of the government directly related to national security and the United States Armed Forces.
ECC (Elliptic Curve Cryptography): One of the two main asymmetric key algorithms (see also RSA).
EE (Encryption Engine): A function that automatically encrypts data as it is written and automatically decrypts the data as it is read. With DIGISTOR self-encrypting drives, the EE is contained on the SSD itself.
Entropy: In cybersecurity, entropy is the randomness or diversity of a data-generating function. Data with full entropy is completely random and no meaningful patterns can be found. As entropy increases, encryption keys become more difficult to decipher, and encryption improves.
FDE (Full Disk Encryption): Also known as whole disk encryption, this refers to everything on the drive being encrypted. In some cases, this excludes the MBR, or a similar area of a bootable disk, which holds the code that initiates the OS loading sequence. However, the highest level of protection is afforded by FDE systems that can truly encrypt the entire disk, including the MBR and any boot code. (See also HWFDE and SWFDE.)
FIPS (Federal Information Processing Standards): Standards and guidelines for federal computer systems that are developed by NIST in accordance with FISMA and that are approved by the Secretary of Commerce.
FIPS 197: This certification guarantees that the AES cryptographic algorithm has been implemented correctly and has sufficient entropy. (See Entropy.)
FIPS 140-2: This certification assures that a software or hardware encryption engine (EE) in a SED has been properly designed and secured. It specifies the security requirements that a cryptographic module must satisfy, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments.
FIPS 140-2 L2: The L2 (“Level 2”) qualifier to a FIPS 140-2 certification is required for most DAR applications. It requires tamper evidence, meaning there must be visible evidence of any attempt to physically tamper with the drive.
FIPS 140-3: This certification details updated federal security requirements for cryptographic modules and supersedes FIPS 140-2. The FIPS 140-3 standard took effect in September 2019 with submissions beginning in September 2020. The FIPS 140-3 standard now aligns better with international ISO/IEC standards and includes newer cryptographic modules, among other updates.
Note that our FIPS 140-2 validations are still effective and will remain in force until September 21, 2026. We will begin the FIPS 140-3 certification process in 2023 with the goal of obtaining our NIST certificate within 18-24 months after we begin.
FISMA (Federal Information Security Management Act): Enacted in 2002, this act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
GSA (General Services Administration): An independent agency of the United States government established in 1949 to help manage and support the basic functioning of federal agencies. GSA supplies products and communications for U.S. government offices, provides transportation and office space to federal employees, and develops government-wide cost-minimizing policies and other management tasks.
HDD (Hard Disk Drive): An electro-mechanical data storage device that stores and retrieves digital data using magnetic storage and one or more rigid rapidly rotating platters coated with magnetic material.
HW (Hardware): The physical parts of a computer, such as the case, central processing unit (CPU), random access memory (RAM), monitor, mouse, keyboard, computer data storage, graphics card, sound card, speakers, and motherboard.
HWFDE (Hardware FDE): This refers to FDE that is performed using hardware (HW). The encryption is transparent to the end user, as data is automatically encrypted as it’s written to the disk and decrypted when it’s read from the disk. In the case of HWFDE, the hardware EE is located on the drive itself, in which case the drive is referred to as a SED. In addition to offloading the host computer and providing encryption and decryption at hardware speeds, HWFDE presents a smaller attack surface to hackers.
IT (Information Technology): The use of computers to create, process, store, retrieve, and exchange all kinds of electronic data and information.
KEK (Key Encryption Key): An encryption key whose function it is to encrypt and decrypt the DEK.
MBR (Master Boot Record): A special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems. The MBR holds the information on how the logical partitions, containing file systems, are organized on that medium. The MBR also contains executable code to function as a loader for the installed operating system. This MBR code is usually referred to as a “boot loader.”
MFA (Multi-Factor Authentication): Unfortunately, even with PBA, relying on only a single username-password combination does not provide the extreme level of security required for things like classified data and the data associated with critical infrastructure. An additional level of security for protecting DAR is to use MFA, also known as two-factor authentication or 2FA, in which the username-password combination is augmented with some other form of credential. Such credentials include USB dongles or smart cards like CACs.
NIAP (National Information Assurance Partnership): Operated by the NSA, this is a United States government initiative to meet the security testing needs of both information technology consumers and producers. The NIAP is responsible for the implementation of the Common Criteria (CC), which forms the basis for a government-driven certification scheme required by federal agencies and critical infrastructure.
NIST (National Institute of Standards and Technology): A physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. Its mission is to promote American innovation and industrial competitiveness. NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public.
NSA (National Security Agency): A national-level intelligence agency of the United States Department of Defense (DoD), the NSA is responsible for global monitoring, collection, and processing of information and data for foreign and domestic intelligence and counterintelligence purposes. The NSA is also tasked with the protection of U.S. communications networks and information systems.
OS (Operating System): System software that manages computer hardware and software resources and provides common services for computer programs.
PBA (Pre-Boot Authentication): PBA requires that a computer user enter approved credentials before the computer boots the OS. As a result, the computer does not see the SSD until an authorized boot sequence takes place. All DIGISTOR Citadel drives contain the PBA function.
PCIe (Peripheral Component Interconnect Express): PCIe is a high-speed bus that connects various components in a computer, including graphics cards, hard disk drive host adapters, SSDs, Wi-Fi, and Ethernet hardware connections. PCIe has been the standard interface for connecting high-speed peripheral components to computer motherboards for quite some time. The PCIe standard has gone through several revisions, referred to as a “Gen”. The following table contains the theoretical data throughput speeds for various PCIe generations.
| Version | Theoretical throughput for a x4 (four-lane) SSD |
| --- | --- |
| Gen 3 | 16 GB/s |
| Gen 4 | 32 GB/s |
| Gen 5 | 64 GB/s |
RAM (Random-Access Memory): A form of computer memory that can be read and changed in any order, typically used to store working data and machine code. RAM allows data items to be read or written in almost the same amount of time irrespective of the physical location of the data inside the device.
RSA: One of the two main asymmetric key algorithms (see also ECC). The name RSA was derived from the first letters of the family names of its inventors: Ron Rivest, Adi Shamir, and Leonard Adleman. At the time of this writing, RSA is the most widely used asymmetric encryption algorithm.
SED (Self-Encrypting Drive): An HDD or SSD that contains a hardware encryption engine (EE) and performs hardware full-disk encryption (HWFDE). Note that a self-encrypting drive can still be read by unauthorized people unless it is somehow protected, for example by the PBA function in DIGISTOR Citadel drives.
SSD (Solid-State Drive): A semiconductor-based data storage device that uses integrated circuit assemblies to store data persistently, typically using flash memory, and functioning as secondary storage in the hierarchy of computer storage. Compared with HDDs, SSDs are typically more resistant to physical shock, run silently, and have higher input/output operations per second and lower latency.
SWFDE (Software FDE): This refers to FDE that is performed using software (SW). The encryption is transparent to the end user, as data is automatically encrypted as it’s written to the disk and decrypted when it’s read from the disk. One of the downsides to SWFDE is that high-grade encryption requires a significant amount of computation. When this computation is performed in software, it loads the host computer and, especially in the case of large files, can slow things down as seen by the user. Compared with its hardware equivalent, SWFDE also presents a larger attack surface to potential hackers.
TAA (Trade Agreements Act): Enacted July 26, 1979, the TAA is an Act of Congress that governs trade agreements negotiated between the United States and other countries under the Trade Act of 1974. The TAA includes the requirement that the GSA must acquire only U.S.-made or TAA-compliant products. This means that products such as computers and SSDs cannot originate in a non-TAA-compliant country, such as China, India, Iran, Pakistan, and Russia. Although this may appear to be a self-evident requirement when it comes to implementing a secure DAR solution, it can sometimes be difficult to determine a product’s true origin. Hence the requirement that the drive be certified as TAA-compliant by an approved authority.
TCG (Trusted Computing Group): A consortium of technology companies whose goal is to promote and implement trusted computing concepts.
TCG Opal: The TCG’s Opal Storage Specification defines features of data storage devices (such as SSDs) that enhance their security. TCG Opal manages the encryption and decryption of information within the storage device itself, thereby enabling fast encryption/decryption and minimizing the risk of data leakage without undermining system performance.
ZT (Zero Trust): The term was coined in 1994, and the notion of zero trust models and architectures started to gain traction around 2010. The model grew in response to the recognized limitations of perimeter defenses. Zero Trust, also known as Zero Trust Architecture (ZTA) or Zero Trust Network Architecture (ZTNA), drives the design and implementation of IT systems. The main concept behind zero trust is “never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a managed corporate network and even if they have been verified previously.
For more information, see the 2018 NIST Special Publication 800-207.
ZTA (Zero Trust Architecture): See ZT (Zero Trust).
ZTNA (Zero Trust Network Architecture): See ZT (Zero Trust).