When it comes to self-encrypting drives (SEDs), SSDs that automatically perform encryption and decryption as data moves to and from the drive, a buyer should take into account certain considerations.
A secure drive should include pre-boot authentication (PBA), which doesn’t let the computer see (let alone boot) the SED unless proper credentials have been presented. Such an SED should include multi-factor authentication (MFA) as part of the PBA process.
Full disk encryption (FDE) is often preferred to simple file-level encryption because everything on the drive will be automatically encrypted, including the OS and applications. Hardware FDE (HWFDE) solutions use encryption engine hardware located on the drive itself. Hardware encryption will be faster than software-based methods, and the encryption key will be stored on the drive instead of in attack-prone software on the computer.
OS-agnostic PBA/SED solutions make it easier to ensure that the drive image, once tested and validated, remains consistent across deployments. Making changes to drive images to accommodate OSes creates another test and validation cycle—and security headache.
“FIPS Compliant” is a No-No
Beware of vendors who advertise their SSDs as “FIPS Compliant.” FIPS Compliant drives may well be built to National Institute of Standards and Technology (NIST) standards, but who’s to say? A FIPS-certified solution as credentialed by NIST is the only way to be sure that your SED meets security standards.
DIGISTOR FIPS 140-2 certified SEDs also meet the Level 2 qualification. To meet the L2 standard, we add a conformal coating. The conformal coating lets users know whether a drive has been tampered with in an attempt to gain physical access to its NAND flash chips (i.e., our SEDs are “tamper-evident”).
Does your FIPS SED Meet Common Criteria (CC)?
There are even more layers to the secure storage onion. With the ever-increasing risk of cyberthreats and cyberattacks, we believe that a FIPS drive is not truly a FIPS drive unless it also meets the international Common Criteria (CC) standard. The National Information Assurance Partnership (NIAP) is responsible for the U.S. implementation of the CC, which is an international standard (ISO/IEC 15408) for IT product security certification. The CC is a framework that provides criteria for independent, scalable, and globally recognized security inspections for IT products. CC also forms the basis for a government-driven certification scheme required by federal agencies and critical infrastructure.
You Want FIPS + CC SEDs
DIGISTOR is in the validation process with Lightship Security, an accredited CC and FIPS 140 laboratory that specializes in accelerating Protection Profile conformance for the NIAP Product Compliant List (PCL). As a result, DIGISTOR FIPS SEDs are really DIGISTOR FIPS + CC drives. These SEDs provide assurance backed by NIST and NIAP that they are highly secure SEDs.
In fact, DIGISTOR has the only COTS NVMe M.2 SEDs to meet both FIPS 140-2 and CC standards. They easily integrate into popular laptops, desktops, removable drives, and other devices, and they are ideal for securing data at rest (DAR) and for building zero trust (ZT) solutions and environments.
The bottom line is that you shouldn’t settle for any old FIPS drive, especially one that is said to be “FIPS Compliant.” Instead, you should choose ultra-secure COTS-priced FIPS 140-2 L2 SEDs with CC validation/NIAP-listed credentials from DIGISTOR.
At DIGISTOR, we specialize in helping military and government agencies and commercial entities of all sizes find the right encrypted storage solution to secure their data. With a wide range of secure storage offerings, from bare drives to removable solutions to Commercial Solutions for Classified (CSfC)-ready SSDs, we can assist you with specifying the appropriate storage devices to secure your important data. If you have any questions as to how securing DAR might apply to your own data security requirements, please feel free to contact us.