Friday, March 27, 2020

FIPS 140-2: Data at Rest Encryption

FIPS 140-2: Data-at-Rest Encryption (D@RE)

No one ever got fired for encrypting their data!

Increasingly, organizations are requiring data to be encrypted at rest to prevent data loss and theft.

Data-at-rest refers to data that is stored on non-volatile storage, such as a disk drive, and is not actively being accessed. Encrypting the data means transforming it in such a way that a third party cannot translate it into a usable form. Encryption is usually accomplished through the use of a FIPS encryption module located on the disk drive. These types of drives are known as self-encrypting drives (SEDs). D@RE can also be accomplished with encrypting controllers, which encrypt data as it is written to the drives and decrypt it as it is retrieved. Encrypting controllers do not require SEDs, as they work with non-SED drives.




Data security and encryption are achieved through the use of a data encryption key (DEK). In addition, the DEK itself can be encrypted, often with an RSA key, for multilayer security.
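The DEK-plus-RSA layering described above, as an added example that is not code from the original post. It is written for Node.js and assumes AES-256-GCM for the data and RSA-OAEP with SHA-256 for wrapping the DEK; the function names and the sample record are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// RSA-OAEP parameters used to wrap (encrypt) the DEK; SHA-256 is this example's assumption.
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Layer 1: encrypt the data under a fresh AES-256-GCM DEK.
// Layer 2: wrap the DEK with the RSA public key. The plaintext DEK is never stored.
function seal(rsaPublic, plaintext) {
  const dek = crypto.randomBytes(32);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedDek = crypto.publicEncrypt(oaep(rsaPublic), dek);
  return { wrappedDek, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Unwrap the DEK with the RSA private key, then decrypt and authenticate the data.
// Throws if the private key does not match or the stored record was modified.
function open(rsaPrivate, rec) {
  const dek = crypto.privateDecrypt(oaep(rsaPrivate), rec.wrappedDek);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, rec.nonce);
  decipher.setAuthTag(rec.tag);
  return Buffer.concat([decipher.update(rec.ciphertext), decipher.final()]);
}

// Rotate the RSA key: only the small wrapped DEK is replaced, the bulk ciphertext is untouched.
function rewrap(oldPrivate, newPublic, rec) {
  const dek = crypto.privateDecrypt(oaep(oldPrivate), rec.wrappedDek);
  return { ...rec, wrappedDek: crypto.publicEncrypt(oaep(newPublic), dek) };
}

// Constructed demo: seal a sample record, rotate the RSA key, then try both keys.
function demo() {
  const newKeys = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const [k1, k2] = [newKeys(), newKeys()];
  const rec = seal(k1.publicKey, Buffer.from('constructed sample record'));
  const rotated = rewrap(k1.privateKey, k2.publicKey, rec);
  let oldKeyStillWorks = true;
  try { open(k1.privateKey, rotated); } catch { oldKeyStillWorks = false; }
  return {
    plaintext: open(k2.privateKey, rotated).toString(),
    sameCiphertext: rotated.ciphertext.equals(rec.ciphertext),
    oldKeyStillWorks,
  };
}

console.log(demo());
```

After the rotation the old RSA key can no longer unwrap the DEK, so a record whose only wrapping key is gone cannot be decrypted.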

Encryption can be applied to an entire disk or just to the file system. Because full disk encryption uses symmetric keys, a user will need to enter a passphrase when the system boots. A passphrase is not required for file system encryption.


Benefits of D@RE

*Prevents access to the data on the disk if for some reason the disk is lost, stolen or inadvertently falls into the wrong hands (via salvage, disk return, etc.)
*Can satisfy security or regulatory requirements
*It can prevent data access under certain circumstances (for example, the OS/boot disk can be unencrypted, but the data stored on different disks can be encrypted thereby preventing access to the actual data)


Limitations of D@RE

*Will not protect against intruders who gain privileged access
*Can reduce I/O performance
*Under some configurations, if a passphrase is lost or a key is lost, the data is lost forever.


Thursday, March 26, 2020

FIPS - An Ounce of Prevention...

An Ounce of Prevention...

FIPS and Data Storage - What you need to know


(FIPS = Federal Information Processing Standard)

In general, FIPS defines cryptographic standards.


1995: Modern FIPS crypto standards are established (FIPS 140-1)

2001: FIPS 140-2 is established, replacing FIPS 140-1 with up-to-date crypto standards, and is the current standard as of 2020.

Within FIPS 140-2 there are four (4) levels of security requirements:

Level 1: The use of an approved crypto algorithm such as AES, 3DES, Diffie-Hellman, SHA, RSA and secret or public keys

https://docs.oracle.com/cd/E53394_01/html/E54966/fips-refs.html#OSFIPfips-certrefs-1


Level 2: Includes the use of Level 1 encryption algorithms plus tamper evidence and role-based access, such that the user is authenticated to a certain role.


Level 3: All of the requirements of Levels 1 and 2, but also adds that tampering will likely result in damage to the device and in particular the crypto module. Also requires identification of the user as well as key protection schemes such as storing keys in volatile memory. Finally, these keys must use separate I/O ports from data.

Level 4: All of the Level 1, 2 and 3 requirements, plus upon detection of tampering the device is zeroed. Also adds protection against temperature or voltage irregularities: any anomalies result in device zeroing.


Do you really need to implement FIPS 140-2?

The answer is yes, even if at Level 1. Look for FIPS 140-2 certification when buying new storage; most OEMs try to certify to Level 3. Encryption helps protect against data compromise in cases where a disk is accidentally or needs to be returned to support, or to reduce the costs of a data breach, or even to meet regulatory requirements.