As modern society’s reliance on digital services and technologies grows and generates more and more data, the risks associated with keeping personal and sensitive data secure grow as well. Hacking is more prevalent than ever before¹, and data security strategies must keep up to protect valuable data in an evolving landscape. Regulations like the General Data Protection Regulation (GDPR) in the European Union, Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and Health Insurance Portability and Accountability Act (HIPAA) in the United States have been put in place by governing bodies around the world to help protect consumers’ data privacy and security and to hold organizations liable for security breaches.
The technologies required to protect data from ever-evolving threat vectors must be robust and adaptable. New security frameworks are constantly emerging to improve the top-to-bottom security of systems. For example, the Distributed Management Task Force (DMTF) Security Protocol and Data Model (SPDM) securely manages authentication between system components at the baseboard management controller (BMC) level, while frameworks like the Commercial National Security Algorithm (CNSA) Suite 2.0 specification counter new and evolving threats by addressing post-quantum security requirements.
There are many layers to a holistic data security strategy, but any strong design has to be built upon a robust and secure foundation. The most basic level of data security is protection of the physical data on storage devices:
- Strong encryption of data at rest so that an attacker with physical access to a storage device cannot access the contents
- A robust authentication mechanism so that only a user with correct credentials can access the contents of a storage device
Enterprise-class solid state drives from KIOXIA are designed to meet a variety of needs in a variety of markets and offer a broad spectrum of security options to do so. Each one has a specific purpose:
- Non-SED: KIOXIA SSDs of the Non-SED type are designed to meet import and export regulations for shipment into countries with strict regulations of encrypted devices. These models have their encryption engine physically disabled, and support no authentication feature-set. These models have the weakest level of data protection, compared to SIE, SED and SED-FIPS.
- Secure Instant Erase (SIE): Also known as “ISE drives,” KIOXIA SSDs of the SIE type are a very common type of SSD in the market today. SIE devices feature an internal encryption engine, which is used as part of the standard data path to scramble the logical data before being programmed to the underlying media. ISE drives do not support authentication features, but do support cryptographic erase: a fast erasure mode that erases the encryption key used by the encryption engine, making all user data unrecoverable.
- Self-Encrypting Drive (SED): The most versatile type of SSD. These devices support the SIE feature-set, and also support a robust authentication framework designed by the Trusted Computing Group, or TCG. KIOXIA PCIe® NVMe™ SED SSDs support TCG-Opal, and SED SSDs using the SAS interface support the TCG-Enterprise framework to provide data at rest protection.
- FIPS Validated: Federal Information Processing Standard (FIPS) validated drives support all of the features found in units of the SED type, but with the added security of an official approval from the National Institute of Standards and Technology (NIST). The design and implementation of all aspects of security are reviewed and evaluated for strict compliance to the guidelines set forth by NIST, and only devices that meet the criteria required by the United States federal government receive this mark.
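As an added illustration (not from the original post or from KIOXIA), the following Python maps NVMe Identify Controller capability bits onto the drive types listed above, for inventorying what a fleet actually supports. It assumes the fields come from `nvme id-ctrl -o json` with the keys `oacs`, `fna` and `sanicap`; the sample records are constructed, and the mapping is a heuristic, since Security Send/Receive support shows a security protocol front-end exists but does not by itself confirm TCG Opal.

```python
import json

# Bit positions in the NVMe Identify Controller data structure.
OACS_SECURITY = 1 << 0     # Security Send / Security Receive supported
FNA_CRYPTO_ERASE = 1 << 2  # Format NVM can perform a cryptographic erase
SANICAP_CRYPTO = 1 << 0    # Sanitize supports the Crypto Erase action

def classify(id_ctrl: dict) -> dict:
    """Heuristically map capability bits onto Non-SED / SIE / SED."""
    oacs = int(id_ctrl.get("oacs", 0))
    fna = int(id_ctrl.get("fna", 0))
    sanicap = int(id_ctrl.get("sanicap", 0))
    crypto_erase = bool((fna & FNA_CRYPTO_ERASE) or (sanicap & SANICAP_CRYPTO))
    security_cmds = bool(oacs & OACS_SECURITY)
    if security_cmds and crypto_erase:
        # Authentication front-end present; confirm Opal/Enterprise with a
        # TCG Level 0 Discovery before relying on it.
        kind = "SED candidate"
    elif crypto_erase:
        kind = "SIE"
    elif security_cmds:
        kind = "unknown (security commands without crypto erase)"
    else:
        kind = "Non-SED"
    # FIPS validation is not visible in Identify data; it has to be checked
    # against the vendor's NIST validation listing for the exact model.
    return {"model": id_ctrl.get("mn", "").strip(), "type": kind,
            "crypto_erase": crypto_erase, "security_cmds": security_cmds}

def inventory(json_text: str) -> list:
    """Classify every Identify Controller record in a JSON array."""
    return [classify(rec) for rec in json.loads(json_text)]

# Constructed sample records (hypothetical model names, not real drives).
SAMPLE = """[
  {"mn": "EXAMPLE-SED ", "oacs": 95, "fna": 4, "sanicap": 3},
  {"mn": "EXAMPLE-SIE ", "oacs": 94, "fna": 4, "sanicap": 3},
  {"mn": "EXAMPLE-NONSED", "oacs": 94, "fna": 0, "sanicap": 0}
]"""

if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print(f"{row['model']:<16} {row['type']}")
```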
If you’re evaluating an enterprise-class storage deployment, there is a strong case to select a KIOXIA SED SSD. KIOXIA SED-type SSDs support all of the features found in SIE and Non-SED models, but with the added capability of a robust authentication front-end. These features are completely optional to use – they are not required for basic functionality. KIOXIA SED drives can be used in the same way as non-SED or SIE devices, and the advanced security features can be enabled or disabled as needed. This versatility enables compatibility with many different applications – from basic I/O to securely storing sensitive data – all in one product. Find out more about our SSD security technology here.
Notes
1: (2024, March 13). HHS Office for Civil Rights Issues Letter and Opens Investigation of Change Healthcare Cyberattack. https://www.hhs.gov/about/news/2024/03/13/hhs-office-civil-rights-issues-letter-opens-investigation-change-healthcare-cyberattack.html#:~:text=In%202023%2C%20hacking%20accounted%20for,a%20141%25%20increase%20from%202022.
Sanitize Instant Erase (SIE) and Self-Encrypting Drive (SED) security optional models are available.
SIE optional model supports Crypto Erase, which is a standardized feature defined by the technical committees (T10) of INCITS (the InterNational Committee for Information Technology Standards). The NVMe format command includes support for crypto erase.
SED optional model supports TCG Opal and Ruby SSCs. A few features of the TCG Opal SSC are not supported.
Security optional models are not available in all countries due to export and local regulations.
PCIe is a registered trademark of PCI-SIG
NVMe is a registered or unregistered mark of NVM Express, Inc. in the United States and other countries
Disclaimer
The views and opinions expressed in this blog are those of the author(s) and do not necessarily reflect those of KIOXIA America, Inc.