The three commodities most precious to us are our time, our money, and our personal information or data. Of course, these are all intertwined. Whether someone encrypts and ransoms our data, or simply corrupts or deletes it, the result costs us. And if an unauthorized someone has ongoing access to our private information? Yikes.

Securing data at rest (DAR) is a keystone to protecting private data such as financial records or classified information. (DAR refers to stored data—on an SSD, for example.) You might think the user-password combo used by operating systems is sufficient. But even if your hard drive, or individual files and folders, are encrypted, a breach of the running OS will often expose the contents of the drive, because the OS already has the decryption keys in hand.

A better option is to implement full disk encryption, where everything on the drive–operating system, applications, data–is encrypted. A self-encrypting drive (SED) with an on-board hardware encryption engine provides the most secure and fastest-performing full disk encryption.

A further layer of security adds an authorization acquisition (AA) step to the secure storage solution. On power-up, the drive itself requests a user-password combo, which–if valid–releases the cryptographic key embedded in the drive that is required to decrypt the contents of the disk. Only at this point does the computer see the SED. The OS now gets to boot, giving us the term pre-boot authentication (PBA).

Multi-factor Authentication (MFA)

Unfortunately, even with PBA, relying on a single user-password combo does not provide the extreme level of security required for classified data and data associated with critical infrastructure. An additional level of security to protect DAR is multi-factor authentication (MFA), also known as two-factor authentication or 2FA. With MFA, the username-password combo is augmented with some other credential.

Multi-factor authentication can be described as a combination of two or more of the following:

  • Something the user has, such as a security token or key.
  • Something the user is, such as a fingerprint, voice, or even typing speed.
  • Something the user knows, such as a password.
  • Somewhere the user is, such as a GPS coordinate.

Depending on your requirements, you may opt for multiple levels of MFA. On powering up the system, for example, in addition to the user-password combo, the PBA may employ MFA in the form of a hardware security dongle–like a YubiKey–containing a license key or some other cryptographic secret that the user plugs into a USB port. In the case of Federal agencies and the DoD (including civilian employees and contractor personnel), a common option is a smartcard called a Common Access Card (CAC), which requires the system to be equipped with an appropriate card reader.
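The key-release step described above (the password unlocks a key embedded in the drive rather than being the key itself) and the hardware-token factor added to the PBA can be illustrated with a small model. This is an added teaching example written for this page, not DIGISTOR's code and not how any real SED (TCG Opal or otherwise) implements key wrapping; the class and method names are hypothetical and the key-wrap construction is deliberately simplified.

```python
import hashlib
import hmac
import os
import secrets


class ModelSED:
    """Constructed model of a self-encrypting drive with pre-boot authentication.

    The data-encryption key (DEK) is generated inside the drive and stored only
    wrapped under a key-encryption key (KEK) derived from the PBA credentials.
    The plaintext DEK is discarded after wrapping, so the drive is useless until
    the right credentials reproduce the KEK.
    """

    def __init__(self, password: str, token_secret: bytes = b""):
        self.salt = os.urandom(16)
        self.unlocked_dek = None                     # locked until PBA succeeds
        kek = self._derive_kek(password, token_secret, self.salt)
        self.wrapped_dek = self._wrap(kek, secrets.token_bytes(32))

    @staticmethod
    def _derive_kek(password: str, token_secret: bytes, salt: bytes) -> bytes:
        # The second factor (a secret held on a hardware token) is mixed into the
        # derivation, so the password alone cannot reproduce the KEK.
        material = password.encode() + token_secret
        return hashlib.pbkdf2_hmac("sha256", material, salt, 200_000, dklen=32)

    @staticmethod
    def _wrap(kek: bytes, dek: bytes) -> bytes:
        # Simplified wrap: DEK XOR keystream, plus an HMAC tag so that a wrong
        # KEK is detected instead of yielding garbage.
        stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
        body = bytes(a ^ b for a, b in zip(dek, stream))
        return body + hmac.new(kek, body, hashlib.sha256).digest()

    def preboot_authenticate(self, password: str, token_secret: bytes = b"") -> bool:
        """Return True and release the DEK only if every enrolled factor matches."""
        kek = self._derive_kek(password, token_secret, self.salt)
        body, tag = self.wrapped_dek[:32], self.wrapped_dek[32:]
        if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
            return False                             # wrong password or token: DEK stays sealed
        stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
        self.unlocked_dek = bytes(a ^ b for a, b in zip(body, stream))
        return True

    def is_unlocked(self) -> bool:
        return self.unlocked_dek is not None
```

Without the DEK the host never sees usable disk contents, which is why a compromise of the booted OS does not help an attacker who lacks the PBA credentials for a powered-off drive.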

Multiple Layers of MFA

Once the system has booted, it is possible to add one or more additional layers of MFA. Commercial environments, for example, often employ a one-time (and time-limited) authorization code that is sent to the user by email or as a text message to a mobile device. Other options include biometric credentials such as fingerprints, contactless palm prints (based on veins and other structures under the skin), and facial recognition, as well as third-party authenticator applications such as Authy.

At DIGISTOR, we specialize in helping military and government agencies and commercial entities of all sizes find the right encrypted storage solution to secure their data. With a wide range of secure storage offerings, from bare drives to removable solutions to Commercial Solutions for Classified (CSfC)-ready SSDs, we can assist you with specifying the appropriate storage devices to secure your important data. If you have any questions as to how securing DAR might apply to your own data security requirements, please feel free to contact us.