KIOXIA SSD Security and Encryption

KIOXIA offers Enterprise, Data Center and Client SSD data protection to fit every need.

Data Breach Risks and Cases

Everyone thinks data breaches won't happen to them. Precautions and security measures are deployed, but it is difficult to secure everything. One clicked email or one hacked storage drive could result in a costly breach. Costs typically associated with data breaches include:

  • Regulatory fines
  • Forensic services
  • Customer compensation, such as credit monitoring services
  • Negative publicity and impact to the company's brand
  • Legal fees

Although no environment is completely secure, IT users want excellent security features to help protect their data. This is why KIOXIA SSDs provide a range of data security and encryption options to suit data center requirements.

KIOXIA SSDs with encryption and sanitize capabilities can save customers the cost of destroying physical drives.

Data Breach Cases

Client System Breach Example

A stolen laptop exposed personal data of 20,000+ people. An encrypted SSD could better protect customer data.*1

*1 : U.S. Department of Health & Human Services

Data Center Breach

SSDs with encryption could reduce the average cost of a data breach by US$237,176. A stolen and unprotected device, such as an SSD, could increase the cost by US$192,455.*2

*2 : "Cost of a Data Breach Report 2020," © IBM Corporation 2020.

Data Protection Available for KIOXIA SSDs

KIOXIA offers security and encryption options that address personal and business data protection needs, safeguarding data on Enterprise, Data Center and Client SSDs.

Non-SED (No Encryption) Block Erase

  • Used when the objective is simply to erase the data on an SSD.
  • Data cells on the SSD are all reset to their original factory state and user data is deleted from the SSD. Both accessible and hidden user data are no longer accessible.

Drawbacks:

  • Time consuming process to complete
  • Consumes SSD’s available Program/Erase cycles, reducing the drive’s overall endurance
  • Some data may still be visible/accessible

Sanitize Instant Erase (SIE)

  • Uses on-board crypto processors to cryptographically encrypt & decrypt data as it is written to/read from the SSD.
  • When the sanitize command is executed with crypto-erase option, the sanitization process is nearly instantaneous, after which the sanitized data cannot be decrypted back to the previous state.

Advantages over Block Erase:

  • Faster data sanitization
  • No impact on SSD endurance
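
Before a retirement process relies on crypto erase rather than block erase, it helps to confirm which sanitize actions a drive actually advertises. The following is an added example, not KIOXIA code, and it assumes an NVMe drive: the SANICAP bit layout and SANACT codes come from the NVMe specification, the input is shaped like `nvme id-ctrl -o json` output, and the sample records and model names are constructed.

```python
import json

# NVMe Identify Controller SANICAP bits and Sanitize command SANACT codes
# (values from the NVMe base specification, not from the KIOXIA page).
SANICAP_BITS = {"crypto_erase": 1 << 0, "block_erase": 1 << 1, "overwrite": 1 << 2}
SANACT = {"block_erase": 2, "overwrite": 3, "crypto_erase": 4}

# Preference order that follows the page's comparison: crypto erase is near
# instant and spends no Program/Erase cycles; block erase is the fallback.
PREFERENCE = ("crypto_erase", "block_erase", "overwrite")


def supported_sanitize_actions(sanicap: int) -> list[str]:
    """Return the sanitize actions a controller advertises, best first."""
    # Upper SANICAP bits carry other flags; only bits 0-2 are tested here.
    return [name for name in PREFERENCE if sanicap & SANICAP_BITS[name]]


def plan_sanitize(id_ctrl_json: str) -> dict:
    """Pick a sanitize action from `nvme id-ctrl -o json` style output."""
    ctrl = json.loads(id_ctrl_json)
    actions = supported_sanitize_actions(int(ctrl["sanicap"]))
    if not actions:
        # Nothing advertised: the drive needs physical destruction or a
        # host-side process instead of a sanitize command.
        return {"model": ctrl["mn"].strip(), "action": None, "sanact": None}
    best = actions[0]
    return {"model": ctrl["mn"].strip(), "action": best, "sanact": SANACT[best]}


# Constructed sample records (hypothetical model names, not real drives).
SAMPLE_SIE = '{"mn": "EXAMPLE-SIE-DRIVE   ", "sanicap": 3}'
SAMPLE_NON_SED = '{"mn": "EXAMPLE-NONSED-DRIVE", "sanicap": 2}'
SAMPLE_NONE = '{"mn": "EXAMPLE-LEGACY-DRIVE", "sanicap": 0}'

if __name__ == "__main__":
    for sample in (SAMPLE_SIE, SAMPLE_NON_SED, SAMPLE_NONE):
        print(plan_sanitize(sample))
```
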

Self Encrypting Drive (SED)

  • Uses the Advanced Encryption Standard (AES) algorithm & an onboard crypto-processor.
  • When the system is powered and the proper credentials are provided, the SSD “unlocks” & the stored data is decrypted.
  • SED offers instantaneous cryptographic erasure which helps reduce device retirement or redeployment costs.

Advantages over software encryption:

  • Host processor cycles not used
  • Greater protection than a non-encrypted drive
  • Easier deployment & usage

FIPS 140-2

  • The Federal Information Processing Standard (FIPS) 140-2, developed by the National Institute of Standards and Technology (NIST), specifies the security requirements used to validate the design and implementation of an encryption module.
  • Being validated to FIPS 140-2 (Level 2) guarantees that the SSDs meet the security inspection standard defined by the US government for data security.
  • KIOXIA will migrate to FIPS 140-3 when FIPS 140-2 testing ceases.

What is FIPS 140-2 and why is it important?

The Federal Information Processing Standard 140-2 (FIPS 140-2) is an information technology security accreditation program for validating that the cryptographic modules produced by private sector companies meet well-defined security standards. FIPS 140-2 must be used when designing and implementing cryptographic modules used by federal departments and agencies.

NIST's Cryptographic Module Validation Program (CMVP) Process

Vendor

  • Designs and produces cryptographic modules that comply with requirements specified by National Institute of Standards and Technology (NIST)/FIPS publications.
  • Submits the module(s) and associated documentation to the accredited Cryptographic and Security Testing (CST) Laboratory of choice.
  • Any changes to crypto modules after validation result in a new submission.

CST Lab

  • Third-party lab accredited by NIST.
  • Independently tests the cryptographic module's documentation and source code, and performs the operational and physical testing of the module.
  • Submits a written report to the validation authorities that the module(s) have met the requirements outlined in the FIPS 140-2 documentation.
  • Test results are documented in the submission package by the CST.
  • If issues exist, works with the vendor to correct them prior to submitting to CMVP for validation.
  • Once received by NIST, the submission is posted to the NIST website as "Review Pending".

CMVP

Three stages of review and validation:

In Review

  • Validates test results for each cryptographic module.

Coordination

  • CMVP can ask questions directly to CST to verify results are accurate and complete.
  • CST can resubmit changes / additional validation and documentation.

Validation

  • If the test results for the modules are determined to be compliant with FIPS 140-2, then the module is validated, validation is issued, and the online validation list is updated.

Security and Encryption Options Available for KIOXIA SSDs

Category Enterprise Data Center Client
KIOXIA SSD Series
Sanitize Instant Erase (SIE) - -
Self Encrypting Drive (SED) -
FIPS - - - -

Optional security feature compliant drives are not available in all countries due to export and local regulations.