White Paper

Demystifying Hardware Full Disk Encryption Technology for Military Data Storage

Issue link: https://read.uberflip.com/i/1173418

Contents of this Issue

Navigation

Page 1 of 7

w w w. m r c y. c o m WHITE PAPER 2 Securing Classified Data Historically, classified, secret, and top secret data storage could only be accomplished through the implementation of a Government-Off-the- Shelf (GOTS) Type 1 security solution. Following government protocols, the desired end result -- data at rest (DAR) protection – is achieved. Although the detailed steps required for practical implementation of a Type 1 security solution are beyond the scope of this white paper, Type 1 security solutions are broadly associated with lengthy implementation times and significant development costs. For clarity, we do not question the integrity or suitability of a Type 1 security solution for data at rest protection. Commercial Solutions for Classified (CSfC) Programs Recognizing that US government customers have an increasing need for the most advanced and highly agile commercial technologies, the National Security Agency (NSA) and the Central Security Service (CSS) launched the Commercial Solutions for Classified (CSfC) Program. A key aspect of the CSfC program is the ability to deploy a security solution in months instead of years 1 . According to the NSA 2, "Instead of building government owned and operated solutions, whenever possible, NSA is moving to a defense-in- depth approach using properly configured, layered solutions to provide adequate protection of classified data for a variety of different capabili- ties." [emphasis added] CSfC implementation requirements are defined by Capability Packages published by the NSA. As emphasized in the prior reference, each layer of security technology must be properly configured per the specifications outlined in the appropriate Capability Package. Four Capability Packages are available at the time of this writing: Mobile Access, Campus WLAN, Multi-Site Connectivity, and the subject of this white paper – Data at Rest. Capability Packages serve as detailed sources of information for those who may benefit from the proper implementation of a CSfC solu- tion. These detailed documentation sets allow the reader to make in- formed decisions about the suitability of a particular CSfC solution for a specific security implementation scenario. Detailed information is avail- able in the appropriate Capability Packages published by the NSA. The discussion material in this paper is applicable at the time of writing. Readers seeking to implement a CSfC solution must refer to and abide by the latest documents posted on the NSA website as the single source of truth. For the reader's benefit, NSA web page references are provided at the end of this paper. Data Storage for Military Applications Moore's Law has enabled high-density NAND flash to be mass-produced at price points appropriate for adoption in commodity applications like solid-state drives (SSD) deployed in consumer PCs, enterprise servers, and automotive vehicles. Unlike conventional hard disk drives with ro- tating magnetic media, SSDs offer substantially higher sustained read and write speeds with lower power consumption. NAND flash media reliability concerns have largely been addressed through (1) advances in error correction code (ECC) and wear leveling algorithms and (2) NAND flash over-provisioning. For the typical person in the 21 st century, modern SSDs are nearly the holy grail of long-term consumer data storage. Few of us experience the failure of a SSD in a computer; in the event of such a failure we simply replace the failed drive or use the opportunity to upgrade to the latest device model featuring a faster processor or higher-resolution display, in addition to taking advantage of the latest developments in NAND flash technology. To most consumers, the un- common SSD failure is of little long-term consequence thanks to the advances discussed above. Secure SSDs While the consumer market promotes rapid adoption of new micro- electronics with ever-shortening product life cycles, the military market demands risk mitigation and long-term supply continuity -- even for com- mercial-off-the-shelf (COTS) parts modified or screened to military re- quirements. Given the advantages of SSD devices that consumers take for granted today, it is not surprising to see SSD devices adopted for military applications. Our previous white paper, Safeguarding Mission Critical Data with Secure Solid State Drives, described the requirements for a military grade SSD with embedded security. In particular, we main- tain that security cannot simply be "bolted on" to a commercial- or even an automotive-grade SSD. Security must be rooted in the design of the military-grade SSD from the early concept stages of development. In this particular use case, design references not only the mechanical and elec- trical specifications, but also the security of the manufacturing location and the judicious selection of components and supply chain partners. As such, we refer to an SSD engineered to military grade standards and manufactured in a secure and trusted environment as a Secure Military Grade SSD, or simply Secure SSD. Having defined the parameters used for the design and manufacturabil- ity of a Secure Military Grade SSD, the next logical subject matter for discussion is the practical implementation of this new class of device for a military application. This white paper discusses the implementation of a commercially available Secure SSD for the storage of classified, se- cret, and top secret data in accordance with government requirements. Before opening this discussion, however, some additional background is required.

Articles in this issue

view archives of White Paper - Demystifying Hardware Full Disk Encryption Technology for Military Data Storage