Previously, we discussed why you should buy FIPS-certified SSDs. In a nutshell, FIPS certification assures you that the SSDs meet federal cryptography standards for securing your data at rest (DAR). They’re also a starting point for secure data storage in many cybersecurity solutions.
As a reminder, full disk encryption (FDE), also known as whole disk encryption, encrypts everything on a drive. Data is automatically encrypted when written to the disk and decrypted when it’s read from the disk. FDE can be performed by software (SWFDE) or by specialized hardware (HWFDE). Either way, the encryption process is transparent to the end user.
The process of encryption and decryption requires significant computation. SWFDE uses the host computer to perform the encryption and decryption, so users may experience slower application performance. By comparison, HWFDE uses a hardware encryption engine located in the drive itself, resulting in what is known as a self-encrypting drive (SED). Because the work is offloaded from the host computer, HWFDE is faster than SWFDE.
Unfortunately, many consumer-grade SEDs have empty master passwords and other potential security failures, including, in some cases, sub-standard encryption and sub-standard protection against information leakage. So, when evaluating SEDs, how do you know you aren’t about to buy something that barely encrypts your data and leaks like a sieve security-wise? Well, one approach is to look for SEDs that are FIPS-certified or, if your data security policies allow it, SSDs that support the Trusted Computing Group (TCG) Opal specification.
Trusted Computing Group and TCG Opal
The Trusted Computing Group is a non-profit consortium of technology companies that promotes and implements vendor-neutral trusted computing concepts. The TCG’s Opal Storage Specification defines the Opal Security Subsystem Class (SSC). The Opal SSC is an implementation profile designed to protect data confidentiality once the storage device, an SSD for example, leaves the owner’s control. It also enables interoperability between storage device vendors.
The TCG Opal specification allows flexibility in implementation methods, yet any storage device claiming Opal compatibility shall conform to the TCG Opal SSC.
First published in 2009, TCG Opal manages the encryption and decryption of information within the storage device itself, thereby enabling fast encryption/decryption and minimizing the risk of data leakage without undermining system performance. The Opal standard also defines a locking mechanism that prevents the SSD from being replicated. The current version is 2.0.1, published in 2015.
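A drive that claims Opal support reports it through TCG Level 0 Discovery, so the claim can be checked instead of taken from a datasheet. The following is an added example, not code from this article or from TCG: it parses a constructed Level 0 Discovery response, and the function names and sample bytes are assumptions made for illustration.

```python
import struct

# Feature codes defined for TCG Level 0 Discovery (subset used here).
FEATURES = {0x0001: "TPer", 0x0002: "Locking",
            0x0200: "Opal SSC 1.0", 0x0203: "Opal SSC 2.0"}
HEADER_LEN = 48  # fixed-size Level 0 Discovery header

def parse_level0(resp: bytes) -> dict:
    """Walk the feature descriptors of a Level 0 Discovery response."""
    if len(resp) < HEADER_LEN:
        raise ValueError("shorter than the 48-byte header")
    (param_len,) = struct.unpack_from(">I", resp, 0)
    end = min(len(resp), param_len + 4)  # length excludes its own 4 bytes
    features, locking, off = [], {}, HEADER_LEN
    while off + 4 <= end:
        # descriptor: code (2 bytes BE), version nibble, data length, data
        code, _ver, dlen = struct.unpack_from(">HBB", resp, off)
        data = resp[off + 4: off + 4 + dlen]
        if len(data) < dlen:
            raise ValueError("truncated descriptor 0x%04x" % code)
        features.append(FEATURES.get(code, "unknown 0x%04x" % code))
        if code == 0x0002 and dlen >= 1:  # Locking feature flag byte
            b = data[0]
            locking = {"supported": bool(b & 0x01), "enabled": bool(b & 0x02),
                       "locked": bool(b & 0x04), "media_encryption": bool(b & 0x08)}
        off += 4 + dlen
    return {"features": features, "locking": locking}

def assess(resp: bytes) -> str:
    """Summarise what the drive actually advertises, not what the box says."""
    r = parse_level0(resp)
    if not any(f.startswith("Opal") for f in r["features"]):
        return "no Opal SSC advertised"
    if not r["locking"].get("enabled"):
        return "Opal capable, locking not enabled"
    return "Opal locking enabled"

def _desc(code: int, data: bytes) -> bytes:
    return struct.pack(">HBB", code, 0x10, len(data)) + data
def build_sample(locking_byte: int, opal: bool = True) -> bytes:
    """Constructed response for illustration; not captured from a real drive."""
    body = _desc(0x0001, b"\x11" + bytes(11))
    body += _desc(0x0002, bytes([locking_byte]) + bytes(11))
    if opal:
        body += _desc(0x0203, bytes(16))
    return struct.pack(">IHH", HEADER_LEN - 4 + len(body), 0, 1) + bytes(40) + body

if __name__ == "__main__":
    for flags in (0x09, 0x0F):
        print(hex(flags), assess(build_sample(flags)))
```

A drive that reports locking as supported but not enabled is Opal-capable, but it will not lock until the owner activates locking.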
Are TCG Opal SSDs Sufficient?
By the way, if TCG Opal and FIPS 140 certification are not robust enough for your solution, talk to us about Common Criteria (CC). CC is an international standard (ISO/IEC 15408) for IT product security certification. CC is a framework that provides criteria for independent, scalable, and globally recognized security inspections for IT products, and it forms the basis for a government-driven certification scheme required by Federal agencies and critical infrastructure. Adhering to the CC standard assures that the SED’s authorization acquisition (AA) and encryption engine (EE) functions have been properly engineered and that any interfaces between the AA and EE are free from information leakage. In the United States, the National Information Assurance Partnership (NIAP) is responsible for the U.S. implementation of the Common Criteria. NIAP and CC will be the topic for another day, so stay tuned.
Regardless, to encrypt and secure your data, see if TCG Opal SSDs will meet your requirements. For further data protection, look for FIPS or NIAP/CC SSDs.