KIOXIA SSD Security and Encryption

Everyone thinks data breaches won't happen to them. Precautions and security measures are deployed, but it is difficult to secure everything. A single clicked email or one compromised storage drive could result in a costly breach. Costs typically associated with breaches include:
 

  • Regulatory fines
  • Forensic services
  • Customer compensation, such as credit monitoring services
  • Negative publicity and impact to the company's brand
  • Legal fees

 

Although no environment is completely secure, IT users want the best security features available to help protect their data. This is why KIOXIA SSDs provide a range of data security and encryption options to suit data center requirements.


KIOXIA SSDs with encryption and sanitize capabilities can save customers the cost of destroying physical drives.

 


Client System Breach Example

A stolen laptop exposed personal data of 20,000+ people. An encrypted SSD could better protect customer data.*
*U.S. Department of Health & Human Services


Data Center Breach

SSDs with encryption could reduce the average cost of a data breach by $237,176. A stolen and unprotected device, such as an SSD, could increase the cost by $192,455.*

*"Cost of a Data Breach Report 2020," © IBM Corporation 2020.

What protection is available for KIOXIA SSDs?

Non-SED (No Encryption)
Block Erase

  • When the objective is to simply erase data on an SSD.
  • All data cells on the SSD are reset to their original factory state and user data is deleted from the SSD. Accessible data and hidden user data are no longer accessible.
  • Drawbacks:
    - Time-consuming process to complete
    - Consumes SSD’s available Program/Erase cycles, reducing the drive’s overall endurance
    - Some data may still be visible/accessible

Sanitize Instant Erase (SIE)
 

  • Uses on-board crypto processors to encrypt & decrypt data as it is written to/read from the SSD.
  • When the sanitize command is executed with crypto-erase option, the sanitization process is nearly instantaneous.
  • Advantages over Block Erase:
    - Faster data sanitization
    - No impact on SSD endurance

Self Encrypting Drive (SED)
 

  • Uses the Advanced Encryption Standard (AES) algorithm & an onboard crypto-processor.
  • When the system is powered on and the proper credentials are provided, the SSD “unlocks” & the stored data is decrypted.
  • SED offers instantaneous cryptographic erasure which helps reduce device retirement or redeployment costs.
  • Advantages over software encryption:
    - Host processor cycles not used
    - Greater protection than a non-encrypted drive
    - Easier deployment & usage
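
The key handling behind the SIE and SED descriptions above, as a Python model. This is an added example, not KIOXIA code or firmware behavior: the class ToySED, its method names, the SHA-256 keystream standing in for the drive's AES engine and the XOR key wrap are all assumptions, chosen so it runs with the standard library only.

```python
import hashlib, hmac, secrets

BLOCK = 32  # bytes per logical block in this toy model

def keystream(key, lba):
    # Stand-in for the drive's AES engine (assumption: SHA-256, stdlib only).
    return hashlib.sha256(key + lba.to_bytes(8, "big")).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToySED:  # hypothetical model, not a real drive interface
    def __init__(self, password, n_blocks=1024):
        self.salt = secrets.token_bytes(16)
        self.flash = [bytes(BLOCK)] * n_blocks   # ciphertext as stored on the media
        self.cell_erases = 0                     # media erase operations performed
        self.kek = self._derive(password)        # key-encryption key from the credential
        self._new_mek()
        self.lock()                              # drive starts locked

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _new_mek(self):
        self.mek = secrets.token_bytes(32)       # media encryption key, made on the drive
        self.wrapped = xor(self.mek, self.kek)   # only the wrapped key persists
        self.tag = hashlib.sha256(self.mek).digest()

    def lock(self):                              # power-off: plaintext keys are gone
        self.mek = self.kek = None

    def unlock(self, password):
        kek = self._derive(password)
        mek = xor(self.wrapped, kek)
        if not hmac.compare_digest(hashlib.sha256(mek).digest(), self.tag):
            return False                         # wrong credential: drive stays locked
        self.mek, self.kek = mek, kek
        return True

    def write(self, lba, data):                  # raises TypeError while locked
        self.flash[lba] = xor(data.ljust(BLOCK, b"\0"), keystream(self.mek, lba))

    def read(self, lba):                         # raises TypeError while locked
        return xor(self.flash[lba], keystream(self.mek, lba))

    def crypto_erase(self):                      # one key swap, media untouched
        self._new_mek()

    def block_erase(self):                       # every block is reset, one by one
        for lba in range(len(self.flash)):
            self.flash[lba] = bytes(BLOCK)
            self.cell_erases += 1
```

After crypto_erase() the stored ciphertext is unchanged but no longer decrypts, with no erase operations counted; block_erase() reaches the same goal by touching every block.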

FIPS 140-2
 

  • A US government computer security standard applied to cryptographic devices.
  • Used when working with sensitive but unclassified (SBU) data.
  • May provide the addition of tamper-evident coatings, seals or tapes.
  • KIOXIA FIPS 140-2 compliant SSDs are certified by an accredited facility. Ideal for government agencies & regulated industries such as financial & healthcare. KIOXIA will migrate to FIPS 140-3 when FIPS 140-2 testing ceases.

What is FIPS 140-2 and why is it important?

The Federal Information Processing Standard 140-2 (FIPS 140-2) is an information technology security accreditation program for validating that the cryptographic modules produced by private sector companies meet well-defined security standards. FIPS 140-2 must be used when designing and implementing cryptographic modules used by federal departments and agencies.

 

CMVP Process

Security and encryption options available for KIOXIA SSDs

Category      SSD Series               Sanitize Instant Erase (SIE)   Self Encrypting Drive (SED)   FIPS
Enterprise    PM6-WI, PM6-MU, PM6-RI                                                                140-2 in progress
Enterprise    PM5-V, PM5-M, PM5-R                                                                   140-2 Certification 3290
Enterprise    CM6-V, CM6-R                                                                          140-2 in progress
Enterprise    CM5-V, CM5-R                                                                          Capable
Data Center   XD5                                                                                   Capable
Data Center   CD6-V, CD6-R                                                                          140-2 in progress
Client        XG6, XG6-P
Client        BG4

In progress: Application has been submitted to NIST for processing and is awaiting approval.
Capable: While the architecture is designed to pass the NIST process, an application has not been submitted.