GUEST BLOG: Five Steps to Securing Your Data with Multi-Factor Authentication
06 September 2022
Computer data exists in different states at different times: data in transit (information flowing over a network); data in use (active data accessed and manipulated by a computer program); and data at rest, called DAR, or data that is physically housed in a storage device like an SSD. Many cybersecurity solutions focus on securing data in transit and data in use, but neglect securing the DAR.
President Biden’s “Enhancing the Nation’s Cybersecurity Executive Order”, signed on May 12, 2021, directs all branches of the federal government to improve their resilience to cybersecurity threats. The order directly highlights the need to secure data at rest (DAR) with encryption and multi-factor authentication (MFA).
MFA requires a user to provide multiple pieces of evidence that combine to verify a user’s identity. Depending on the application, MFA authentication may be required during login or perhaps when trying to access an application or even a particular folder or file. MFA combines two or more independent credentials: what the user knows (such as a password), what the user has (such as an authenticator app), and what the user is (biometric analysis of palm veins, for example). Since most MFA implementations use two factors, it is often referred to as two-factor authentication, or 2FA.
There are five important considerations when protecting your data with MFA.
1. Understand the sensitivity of your data: First, note that not all data is subject to the same levels of protection. In the United States, since all federal departments are part of the executive branch, the data classification system is governed by executive order rather than statute. Since 2009, information has been classified at one of three levels: confidential, secret and top secret. Subsequent executive orders may modify these classifications and the levels of protection associated with each classification.
2. Use self-encrypting drives: Sensitive data should be encrypted, notwithstanding executive orders. Self-encrypting drives (SEDs) encrypt data as it is written to the drive, which has a self-contained disk encryption key (DEK). The key and the encryption process are transparent to users.
SED disks encrypt everything on the disk, called full disk encryption (FDE), including the operating system (OS), applications, and data. On-disk encryption is called hardware FDE (HWFDE) and uses an embedded encryption engine (EE), which should provide 256-bit AES encryption.
An SED must adhere to the TCG Opal standard, a secure standard for managing encryption and decryption in the SED. SEDs are often certified to Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST). For example, a FIPS 140-2 L2 certification ensures that the SED EE has been properly designed and secured; the L2 ensures that there is visible evidence of any attempt to physically tamper with the drive.
The National Information Assurance Partnership (NIAP) is responsible for the United States’ implementation of Common Criteria (CC), an international standard (ISO/IEC 15408) for certifying the security of information technology products. The CC is a framework that forms the basis of a government certification system required by federal agencies and critical infrastructure.
3. Use pre-boot authentication: A designated security officer or administrator will define the user roles and identity management used to authenticate access to the SED. Password security that is part of an operating system is notoriously weak and prone to hacking, so the first level of authorization acquisition (AA) must take place before the operating system boots, in which case it is called pre-boot authentication (PBA).
Each user must have an individually assigned password, which authorizes the SED to use their cryptographic key to unlock the data. The security officer should have the ability to add new users and revoke access for existing users. When a user’s access is revoked, that user will not even be able to start the operating system.
A more robust implementation of PBA will include MFA.
4. Multi-factor authentication methods: In addition to a username/password, MFA requires another form of authentication. One approach is to use a security dongle, such as a YubiKey, containing a license key or other cryptographic protection mechanism that the user plugs into a USB port on the device. The United States Department of Defense (DoD), including civilian employees and contractor personnel, uses a smart card called a Common Access Card (CAC), in which case the computer must be equipped with a physical card reader.
Other MFA methods include apps, often on smartphones, that provide a one-time code synchronized with the device or system requesting authentication. Also taking advantage of the ubiquity of smartphones, an SMS-based system will include a one-time code in a text message.
5. Provide the ability to destroy data: There are various scenarios in which it may be necessary to destroy all data stored on the SED. A mild case is when an organization decides to upgrade its computers and/or disks, transfer computers and/or disks within the organization, or dispose of or recycle computers and/or drives outside the organization. In the worst case, an unauthorized entity takes control of the drive with the intention of accessing the data.
Using the operating system’s standard “delete” functions to remove files and folders is not sufficient, as experienced hackers can still recover some or all of the data. SEDs used to store confidential data must support special hardware functions to perform secure erase (write zeros in each area where data is stored on the disk) and cryptographic erase (erase all cryptographic keys stored on the disk, thus rendering all encrypted data stored on the drive unreadable and useless to a bad actor).
To deal with the worst-case scenario, the organization’s designated security officer must have the ability to define erasure procedures to be initiated automatically by the drive itself; for example, failing AA a certain number of times should cause the disk to self-erase.
In the case of an SED equipped with a proper PBA, all data stored on the disk will be essentially invisible until the AA has taken place, thus preventing bad actors from cloning the disk to circumvent the restricted number of AA attempts allowed.
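The mechanics behind steps 3 and 5 (per-user passwords that unlock a single data encryption key, revocation, a failed-attempt lockout, and cryptographic erase) can be modelled in a few dozen lines. The class below is an added illustration written for this post; it is not CDSG's, nor any drive vendor's, firmware. Its stand-ins are labelled assumptions: PBKDF2-HMAC-SHA256 plays the role of the drive's password-to-key derivation, the DEK is wrapped per user by XOR with a KDF-derived pad plus an HMAC tag where a real SED would use AES key wrap inside the encryption engine, and an HMAC-SHA256 counter keystream stands in for the 256-bit AES engine so the example runs with only the Python standard library.

```python
"""Model of a PBA-gated self-encrypting drive: added example, not vendor code.
Stand-ins (assumptions): PBKDF2 as the KDF, XOR-pad + HMAC as key wrap,
HMAC-SHA256 counter mode as the media cipher."""
import hashlib
import hmac
import secrets


class DriveErased(Exception):
    """Raised once a cryptographic erase has destroyed all key material."""


class ModelSED:
    def __init__(self, admin_password: str, max_failures: int = 5):
        self._users = {}        # name -> (salt, wrapped DEK, tag): the only key material at rest
        self._media = b""       # ciphertext exactly as it would sit on the flash
        self._failures = 0      # consecutive failed AA attempts
        self._max_failures = max_failures
        self._erased = False
        # Provisioning: generate the DEK inside the EE, wrap it for the first user, drop it.
        self._dek = secrets.token_bytes(32)
        self.add_user("admin", admin_password)
        self.lock()

    @staticmethod
    def _kek(password: str, salt: bytes):
        material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 64)
        return material[:32], material[32:]      # (wrapping pad, MAC key)

    def _require_live(self):
        if self._erased:
            raise DriveErased("key material destroyed; media is unreadable")

    # ---- identity management: security officer operations ----
    def add_user(self, name: str, password: str):
        self._require_live()
        if self._dek is None:
            raise PermissionError("unlock first: wrapping a copy of the DEK needs the DEK")
        salt = secrets.token_bytes(16)
        pad, mac_key = self._kek(password, salt)
        wrapped = bytes(a ^ b for a, b in zip(self._dek, pad))
        tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        self._users[name] = (salt, wrapped, tag)

    def revoke_user(self, name: str):
        # Deleting the user's wrapped copy is enough; the DEK itself never leaves the EE.
        self._users.pop(name, None)

    # ---- pre-boot authentication (AA) ----
    def unlock(self, name: str, password: str) -> bool:
        self._require_live()
        entry = self._users.get(name)
        if entry is not None:
            salt, wrapped, tag = entry
            pad, mac_key = self._kek(password, salt)
            expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                self._dek = bytes(a ^ b for a, b in zip(wrapped, pad))   # DEK recovered
                self._failures = 0
                return True
        self._failures += 1
        if self._failures >= self._max_failures:
            self.crypto_erase()             # lockout policy: too many failed AA attempts
        return False

    def lock(self):
        self._dek = None

    def crypto_erase(self):
        """Destroy every copy of the key material; ciphertext on the media is now worthless."""
        self._users.clear()
        self._dek = None
        self._erased = True

    @property
    def erased(self) -> bool:
        return self._erased

    # ---- data path: everything written is encrypted, nothing readable while locked ----
    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, i = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hmac.new(self._dek, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest())
            i += 1
        return b"".join(blocks)[:length]

    def write(self, data: bytes):
        if self._dek is None:
            raise PermissionError("drive locked")
        nonce = secrets.token_bytes(16)
        self._media = nonce + bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))

    def read(self) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked")
        nonce, body = self._media[:16], self._media[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))

    def raw_media(self) -> bytes:
        """What an attacker who images the drive without authenticating gets."""
        return self._media
```

Two properties of the model mirror the post's argument: the failure counter lives in the drive, not the operating system, so it cannot be reset by booting something else, and `crypto_erase` only deletes 32-byte keys yet makes every byte of `raw_media()` permanently undecryptable, which is why cryptographic erase is fast enough to be triggered automatically.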
To summarize …
Some organizations mistakenly assume that using MFA, such as fingerprint scans or facial recognition after the operating system boots, provides a high level of trust. However, once the operating system has booted, all data on its disks is exposed to sophisticated hackers or potentially state-owned malicious actors.
The highest levels of trust and security are achieved by using MFA as part of a PBA environment implemented using HWFDE performed on a FIPS- and CC-certified and validated SED. (Figure 1.)
[Figure 1 | An example of a secure solid-state drive, part of the Citadel family of secure data storage. Photo courtesy CDSG.]
CDSG’s Chief Marketing Officer, Chris Kruell, leads the sphere of marketing activities, including corporate branding, corporate and marketing communications, product marketing, marketing programs and marketing strategy. Chris was previously VP of Marketing at ERP-Link and hardware startup Lightfleet. He was marketing director at Sun Microsystems and held several marketing positions in the high technology industry. Chris holds a BS from Cornell University and an MA from Hamline University.
CDSG (CRU Data Security Group) • https://cdsg.com/