If you ask most people to define the term "cyberattack," they may talk about viruses, malware, and ransomware threats. If you ask who the attackers are, they may attribute them to individual or nation state hackers. If you inquire about the goals of the attacks, answers may include destroying/corrupting data or exfiltrating data. And, if you ask how to defeat cyberattacks, typical suggestions are firewalls and antivirus software.

Of course, all of this is true. But the problem is that these answers leave a gaping hole when it comes to the continuum of attack surfaces and the corresponding cybersecurity responses. As a result, it’s becoming increasingly common to describe cyber targets that rely only on perimeter defenses, like firewalls, antivirus, and anti-malware software, as “hard and crunchy on the outside, soft and chewy on the inside” — these are not desirable attributes for a cybersecurity solution.

Data in Transit, In Use, and At Rest

A key aspect of securing digital data is understanding that it may exist in different states at different times. For example, the term “data in transit,” also known as data in flight or data in motion, refers to data flowing through a network. These may be private intranets and public networks like the internet. By comparison, the term “data in use” refers to information being actively accessed and manipulated by a software program. This data is stored in a nonpersistent digital state, typically in a computer’s random-access memory (RAM) or the caches and registers associated with the central processing unit (CPU).

Another distinct type of data, data at rest (DAR), refers to data that is physically housed in a storage device, like a hard disk drive (HDD) or a solid-state drive (SSD). This article will focus on SSDs, since there may be differences between HDD and SSD cybersecurity implementations and because the deployment of SSDs has overtaken that of HDDs. Cybersecurity solutions like firewalls, antivirus, and anti-malware software predominantly focus on external threats by protecting data in transit and data in use. However, in addition to external attack vectors, many security breaches and data loss incidents can be traced to insider threats, such as unauthorized access to sensitive information, or to computers and/or drives being mislaid or stolen. If left unprotected, DAR becomes the “soft and chewy” treat upon which hackers love to feast.

Never Trust, Always Verify

A good way to protect DAR is to store it on a removable drive, separate the drive from the host computer, and lock it in a safe. Of course, this does not prevent theft from the safe. In addition, at some stage, the drive will have to be removed from the safe to be reinstalled on a computer or transported to another location. At that point any unprotected data becomes vulnerable to attack.

Securing DAR, whether it is resident on a computer, stored in a safe, or in transit from one location to another, is essential. The potential impact of data breaches, hacking, and lost or stolen computers (including notepads, laptops, and PCs) is a matter of national security and may potentially be the difference between life and death. The challenge in our highly mobile world is ensuring data is easily accessible while simultaneously secure against intrusions and unauthorized access.

The “zero trust” security model is one of the more recent responses to cyberthreats. The central concept behind zero trust is “never trust, always verify.” This precept means that devices should not be trusted by default, even when connected to a managed network, such as a military local area network (LAN), and even if they have been verified previously. Today, protecting DAR is understood to be a critical piece of a zero-trust solution.

Full Disk Encryption

The term “disk encryption” refers to using cryptographic techniques to convert data stored on an SSD into an unreadable form that cannot be easily deciphered by unauthorized personnel. In addition to encrypting data as it’s written onto the drive, it’s necessary to decrypt the data as it’s read from the drive. Both encryption and decryption are computationally intensive activities. 

Users can perform encryption selectively by encrypting individual files or using full disk encryption (FDE), which encrypts everything on the disk. In some cases, FDE may exclude the portion of the disk containing the boot code that initiates the operating system (OS) loading sequence. However, FDE systems that truly encrypt the entire disk, including any OS boot code, afford the highest level of protection.

Irrespective of whether FDE is performed in software (SWFDE) or hardware (HWFDE), the data is automatically encrypted as it’s written to the disk and decrypted when it’s read from the disk in a manner that is transparent to the user.

A key aspect of FDE is for the drive itself to be cyber-locked with a data encryption key (DEK) so that authorization acquisition (AA) is required to access the data on the drive. In a standard deployment environment where the SSD carrying the data is mounted in a client computer, such as a notepad, laptop, or desktop machine, AA may be achieved by the user entering a password. The preferred scenario is for AA to occur before booting the OS, which is referred to as pre-boot authentication (PBA). A higher confidence level is provided by employing multifactor authorization (MFA), such as a common access card (CAC) or a USB security key.
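The following is an added example, not code from the article or from any drive vendor. It models the DEK-based locking described above (and the provisioning caveat about empty master passwords raised in the conclusion) as real FDE and self-encrypting-drive products structure it: a random data encryption key (DEK) encrypts every sector and never leaves the drive, while a key-encryption key (KEK) derived from the pre-boot password only ever wraps the DEK. The drive's AES engine is stood in for by HMAC-SHA256 used as a counter-mode keystream so the model runs with the Python standard library alone; the sector size, KDF parameters, class and method names are all assumptions of this example.

```python
"""Added example (not from the article): a toy model of a self-encrypting drive.

Two-key structure:
  * DEK  - random, generated on the drive, encrypts every sector;
  * KEK  - derived from the user's pre-boot password, only wraps the DEK.
HMAC-SHA256 in counter mode stands in for the drive's AES engine.
"""
import hashlib
import hmac
import secrets

SECTOR_SIZE = 512                          # bytes per sector (assumed for the model)
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)    # KDF cost; raise for real deployments


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC(key, label || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """Sector store whose contents are only readable after authentication."""

    def __init__(self, password: str):
        if not password:
            # Refuse the "empty master password" failure mode; a drive shipped
            # this way is effectively unlocked for anyone who picks it up.
            raise ValueError("refusing to provision a drive with an empty password")
        self._sectors: dict[int, bytes] = {}   # ciphertext only, never plaintext
        self._dek = secrets.token_bytes(32)     # generated on-drive, never exported
        self._shadow = self._wrap_dek(password, self._dek)  # "shadow area" metadata
        self._unlocked = True

    # ---- key wrapping: password -> KEK -> wrapped DEK ----
    @staticmethod
    def _kek(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)

    def _wrap_dek(self, password: str, dek: bytes) -> dict:
        salt = secrets.token_bytes(16)
        kek = self._kek(password, salt)
        wrapped = _xor(dek, _keystream(kek, b"wrap", len(dek)))
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()  # wrong password or tampering fails here
        return {"salt": salt, "wrapped": wrapped, "tag": tag}

    def unlock(self, password: str) -> bool:
        """Pre-boot authentication: succeeds only if the password unwraps the DEK."""
        kek = self._kek(password, self._shadow["salt"])
        expected = hmac.new(kek, self._shadow["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._shadow["tag"]):
            return False
        self._dek = _xor(self._shadow["wrapped"], _keystream(kek, b"wrap", 32))
        self._unlocked = True
        return True

    def lock(self) -> None:
        """Power-off or logout: the plaintext DEK leaves the drive's working memory."""
        self._dek = None
        self._unlocked = False

    def change_password(self, old: str, new: str) -> bool:
        """Re-wrap the DEK under a new KEK; no sector has to be re-encrypted."""
        if not new or not self.unlock(old):
            return False
        self._shadow = self._wrap_dek(new, self._dek)
        return True

    # ---- transparent sector encryption, keyed by DEK and sector position ----
    def _sector_key(self, index: int) -> bytes:
        # Position-dependent keystream: identical plaintext in two sectors encrypts
        # differently. As with XTS, rewriting one sector reuses its position, the
        # accepted trade-off of length-preserving disk encryption.
        return _keystream(self._dek, b"sector" + index.to_bytes(8, "big"), SECTOR_SIZE)

    def write_sector(self, index: int, plaintext: bytes) -> None:
        if not self._unlocked:
            raise PermissionError("drive is locked")
        padded = plaintext.ljust(SECTOR_SIZE, b"\x00")[:SECTOR_SIZE]
        self._sectors[index] = _xor(padded, self._sector_key(index))

    def read_sector(self, index: int) -> bytes:
        if not self._unlocked:
            raise PermissionError("drive is locked")
        return _xor(self._sectors[index], self._sector_key(index))

    def raw_sector(self, index: int) -> bytes:
        """What someone reading the flash chips directly sees: ciphertext only."""
        return self._sectors[index]
```

The separation of DEK and KEK is what makes a password change cheap (only the few bytes of wrapped key are rewritten) and what makes the stolen-drive case safe: the flash holds ciphertext plus a wrapped DEK that cannot be unwrapped without the password-derived KEK.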

Software or Hardware?

SWFDE and HWFDE are both highly effective. One consideration with SWFDE is that high-grade encryption requires a significant amount of computation, which can load the host computer and slow down performance. SWFDE also presents a larger attack surface to potential hackers. Another consideration is that SWFDE is OS-dependent, so organizations that employ multiple OSs, like Linux and Windows, will be obliged to deploy variants of their SWFDE.

In the case of HWFDE, when the hardware encryption engine (EE) is located on the drive, it is referred to as a self-encrypting drive. In addition to providing encryption and decryption at hardware speeds while offloading the host computer, HWFDE presents a smaller attack surface to hackers. Moreover, some HWFDE solutions are OS-agnostic, which means they will work with any OS, including in virtual machine (VM) environments.

Conclusion

Cyberthreats are on the rise, and fielding comprehensive cybersecurity solutions is a complicated business. In addition to protecting data in use and data in flight with tools like firewalls, antivirus, and anti-malware software, protecting DAR is now understood to be a critical piece of a zero-trust solution.

The best way to protect DAR is with FDE, implemented in either software or hardware. Many users prefer HWFDE because it offloads the host computer and reduces the attack surface. However, many self-encrypting drives, especially consumer-grade devices, are delivered with empty master passwords and have other potential security failures, including substandard encryption.

In order to be acceptable for use by the Federal Government, a HWFDE DAR solution must be validated by the National Institute of Standards and Technology (NIST) and Federal Information Processing Standards (FIPS) certified. FIPS are guidelines for federal computer systems, developed by NIST per the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. This ensures self-encrypting drives meet the highest levels of cryptographic security and give users confidence that their valuable DAR is secure against cyberattacks.

Anyone considering cybersecurity solutions is strongly urged to engage with domain experts in order to fully secure their data in use, their data in flight, and DAR.