Locked In: 4 Things to Look for With Data Protection in Storage Devices
-
By
Brad Warbiany
, Director of HDD Technical Marketing at Western Digital - Best Practices,
Western Digital’s Brad Warbiany offers insights on key things to look for with data protection in storage devices. This article originally appeared on Solutions Review’s Insight Jam, an enterprise IT community enabling the human conversation on AI.
Big data is powering an incredible rate of innovation today. Fed into powerful artificial intelligence and machine learning (AI/ML) workloads, huge volumes of raw data are driving advanced applications that are transforming the way we work, live and play – from autonomous vehicles to Industry 4.0.
Given the promise of AI/ML applications, organizations should do everything in their power to secure their investment. Sharing and accessing large volumes of data across pooled resources in the public cloud and in private data centers can pose a security risk if organizations do not put the appropriate safeguards in place. In many cases, this includes encrypting storage drives and protecting them across their entire lifecycle—from factory floor to the recycling center.
The Importance of Encrypted Drives
Any hard disk drive (HDD) or solid-state drive (SSD) can be hardened by encrypting all data written into its storage. Self-encrypting drives automatically convert stored data into a scrambled, unreadable form known as ciphertext, typically by using an encryption algorithm that protects files even before they are physically written onto the device.
While there are many encryption algorithms, the Advanced Encryption Standard (AES) is one of the most widely adopted and recognized modern cryptographic algorithms. AES uses fixed blocks of data, typically 128-bit or 256-bit, and scrambles them using a secret key. As soon as a file is created, the algorithm encrypts fixed blocks of data in a series of cryptographic operations – including substitution, permutation and mixing. Employing multiple rounds of these operations strengthens the level of complexity and security.
Access control is a critical step in ensuring drive security, which consists of configuring the drive to prevent access by unauthenticated users. Storing data in a scrambled, unreadable code ensures that only those with the designated encryption key or passcode have access to the information. Anyone who tries to access the drive without the key will not be able to read the data, effectively protecting it if you lose or misplace the device.
However, encrypting data during the use phase isn’t enough. Threat actors are targeting data at every point in the drive lifecycle – from the moment the device leaves the factory floor to past its decommission date. For this reason, drive security strategies should include data sanitization, ensuring data is securely erased when decommissioning a drive. Multiple points of protection from manufacturer design to customer usage and beyond must be considered to provide the level of security that organizations need in today’s increasingly sophisticated IT landscape. Some storage vendors even integrate security into the firmware, hardware and manufacturing processes to better protect data using industry-standard encryption protocols and data access control.
Critical Areas of Data Protection
Security Throughout Drive Design and Manufacturing
Implementing drive encryption across the development, manufacturing, deployment, use and end of life phases ensures the device itself is protected from unauthorized intrusion.
Organizations need to work with storage providers to ensure that device functionality cannot be maliciously tampered with during the delivery process and take afterlife security seriously when a drive is taken out of use or repurposed for another function.
Some storage vendors have purposeful security-oriented design and features development process in place to help ensure the drive itself is protected from unauthorized intrusion. Here are four drive security capabilities you need to know when working with a storage vendor:
1. Secure Manufacturing
Your storage vendor should protect your drives during manufacturing with commands that can only be authenticated by an in-house Hardware Security Module (HSM). These commands should only be available within the vendor’s manufacturing facility, can only be used one time and be limited to a specific drive serial number.
2. Secure Boot
A secure boot feature verifies that a drive’s firmware is from an authenticated source – every time the drive is booted up. A multi-stage loader system ensures that the appropriate images are verified before transferring control to the next image. This implements a chain-of-trust during the boot process, enabled by a secure enclave.
3. Secure Download
A secure download feature ensures that only the vendor’s signed firmware is accepted by a drive. A digital signature algorithm can be used to verify the firmware signatures, and, to guarantee cryptographic separation, unique keys can be used for different accounts and security modules. Secure rollback prevention and key revocation features should also be made available.
4. Secure Diagnostics
Your storage partner should make sure all physical and logical debug ports are disabled when drives are shipped from the manufacturing facility, and only commands authenticated by the HSM should be allowed while in transit. In addition, documented field failure analysis capabilities that use the same authentication mechanism should be implemented.
Ensure Encryption from Design to Decommission
As data continues to grow exponentially in the AI era, drive security will prove to be a critical part of any organization’s storage strategy. Enterprising threat actors will take any opportunity to hack into a storage device – even during the manufacturing and shipping processes.
Encryption can help shield valuable data from a range of threats, but it’s important to remember that the end-to-end encryption and security process begins with manufacturing and should be implemented every time a drive is booted up. To help protect drives from unwanted intrusion and control, organizations must take a comprehensive approach to drive security. By working with a storage partner that has robust drive encryption and security capabilities, organizations can make sure their data is protected from design to decommission.
- Locked In: 4 Things to Look for With Data Protection in Storage Devices - December 19, 2024
Brad Warbiany
Director of HDD Technical Marketing
Brad Warbiany is the Director of HDD Technical Marketing at Western Digital. Brad has been with Western Digital for over 16 years, having held previous positions at SiliconSystems, Advantech, and Altera. Warbiany holds a Certificate in Management for Technical Professionals from the Paul Merage School of Business at the University of California, Irvine and a bachelor’s degree in electrical engineering from Purdue University.
