When multifactor authentication for data security isn’t enough
Pre-boot authentication denies an attacker access to even a single data point – a viable option for federal agencies and critical infrastructure organizations securing data at rest.
We swim in a vast ocean of data. This data, which comes in many shapes, sizes and types, is amassed from an extensive range of sources, including sensors, surveillance systems, satellites, and databases (both public and private). According to projections from Statista, 97 zettabytes (each a trillion gigabytes) of data will be created, captured, copied and consumed worldwide in 2022 alone. Driving the exponential growth of data is the dramatic increase in computational activities like high-performance computing, artificial intelligence, machine learning, data mining, analytics and many other tasks.
We are also seeing more cross-domain computing and data aggregation. A cross-domain solution allows a trusted network domain to exchange information with other domains, either one-way or bidirectionally, without introducing the potential for security threats that would typically come with network connectivity. Data aggregation is the compiling of information from multiple databases to prepare combined datasets for data processing, analytics and mining.
The proliferation of data -- coupled with cross-domain computing and data aggregation -- in the defense, intelligence and critical infrastructure communities provides a larger attack surface for bad actors ranging from independent entities to nation-states. As a result, protecting data and denying access to cyberattackers is a mission-critical requirement.
There are three basic types of threats. With external threats, hackers attack networks using vulnerabilities in the organization’s firewalls. Supply chain attacks circumvent the firewall by compromising trusted hardware or software before it is installed. Insider threats include unauthorized persons gaining access to sensitive information or lost or stolen computers and their hard drives.
One way to thwart insider threats is to require authentication before granting access to a computer or a network. The most common form of authentication requires a username and password after the operating system has booted. If the data on the drive is not encrypted, anyone can read it by simply booting from some other drive. A self-encrypting drive (SED) automatically encrypts data as it is written to the drive and decrypts it when it is read back.
The next level up for securing data at rest is to use multifactor authentication (MFA), which augments the username-password combination with another credential. Commercial environments often employ a one-time (and time-limited) authorization code that is sent to the user via email or a text to a mobile device. Another option is a hardware security dongle containing a license key or other cryptographic protection mechanism that the user plugs into a USB port. Government or critical infrastructure organizations may use a biometric credential, such as a fingerprint or facial recognition. The Defense Department, including civilian employees and contractor personnel, uses the common access card, which requires appropriate software and access to a physical card reader.
Using MFA does not guarantee security. If the drive’s data is unencrypted, an attacker can use the stolen drive as a data drive and boot the system from another drive.
The highest level of protection for data at rest is using MFA with a SED containing a hardware encryption engine -- and for the drive itself to be cryptographically locked with a data encryption key (DEK). This protects data at rest from bad actors who gain access to the hard drive, either on its own or while it is still installed in a computer. Authorization acquisition uses MFA to release the DEK to the drive's encryption engine. The preferred scenario is for this authorization to occur before booting the OS, which is referred to as pre-boot authentication. This denies an attacker access to even a single data point.
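As an added illustration that is not part of the original article or any vendor's product: a toy Python model of how a SED keeps the DEK unreachable until pre-boot authentication succeeds with both factors, and why a pulled drive mounted elsewhere yields only ciphertext. The HMAC-based keystream and PBKDF2 key wrapping are assumptions standing in for the drive's hardware AES engine and its real key-wrap, not an implementation to reuse.

```python
import hashlib
import hmac
import os
import secrets

def _engine_xor(key: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256: stands in for the drive's
    # hardware AES engine and is NOT a cipher recommendation (assumed model).
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def derive_kek(password: str, second_factor: bytes, salt: bytes) -> bytes:
    # Key-encryption key bound to BOTH factors; either alone yields garbage.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + second_factor, salt, 200_000)

class SelfEncryptingDrive:
    def __init__(self, password: str, second_factor: bytes):
        self.salt = os.urandom(16)
        kek = derive_kek(password, second_factor, self.salt)
        dek = secrets.token_bytes(32)             # generated inside the drive
        self.wrapped_dek = _engine_xor(kek, dek)  # only the wrapped DEK hits the media
        self.wrap_tag = hmac.new(kek, self.wrapped_dek, hashlib.sha256).digest()
        self.platters = b""                       # user data, ciphertext at rest
        self._dek = None                          # engine register: empty until unlocked

    def preboot_unlock(self, password: str, second_factor: bytes) -> bool:
        # Pre-boot authentication: the factors release the DEK to the engine.
        kek = derive_kek(password, second_factor, self.salt)
        tag = hmac.new(kek, self.wrapped_dek, hashlib.sha256).digest()
        ok = hmac.compare_digest(tag, self.wrap_tag)
        if ok:
            self._dek = _engine_xor(kek, self.wrapped_dek)
        return ok
    def power_off(self) -> None:
        self._dek = None                          # DEK gone; media stays locked
    def _engine_key(self) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked: authenticate before boot")
        return self._dek
    def write(self, plaintext: bytes) -> None:
        self.platters = _engine_xor(self._engine_key(), plaintext)
    def read(self) -> bytes:
        return _engine_xor(self._engine_key(), self.platters)
    def raw_media(self) -> bytes:
        # What a pulled drive yields when mounted as a data drive on another host.
        return self.platters
```

The OS-level username and password the article describes earlier never enter this model: the data is protected by the key release, not by the login prompt.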
Historically, these types of endpoint security solutions for data at rest have been too complex or too expensive for wide-scale deployment. However, recent technological advances make implementing stringent data security that meets or exceeds U.S. government and military requirements a viable option for federal agencies, critical infrastructure organizations, industrial, banking and medical markets.
Chris Kruell is director of marketing with CDSG.