Leveraging high-speed NVMe storage for CSfC encrypted data-at-restStory
November 21, 2023
Today’s advanced military intelligence, surveillance, and reconnaissance (ISR) platforms generate large amounts of highly sensitive data that must be captured and securely stored without impacting performance. System designers must ensure that data-capture systems can handle large amounts of data in as close to real time without interruption or bottlenecks that might otherwise affect performance. When this critical data is stored, it’s considered data-at-rest (DAR).
DAR can be threatened from different vectors, some internal and some external. For example, in deployed DAR applications (e.g., manned and unmanned vehicles), platforms may be lost during a mission. DAR can also be lost during transport from a deployed vehicle while it travels back and forth to the ground station. Once mission data has been safely downloaded and stored on a network, it is still at risk from malicious actors. To protect ISR DAR from falling into adversarial hands when unattended – in other words, not guarded by an armed soldier – that very important data must be properly and securely encrypted.
The National Security Agency (NSA) offers two approved encryption programs: Type 1 and Commercial Solutions for Classified (CSfC). The Type 1 program was introduced in 1952 and has supported many sensitive applications and programs ever since. In the early 2000s, the NSA recognized the need for a new approach that would enable system designers to use the latest commercial encryption technology in classified environments; this program became CSfC. The basic premise of CSfC is that when properly configured, a two-layered encryption solution can adequately protect classified data in a wide variety of applications.
The CSfC program is essential to the NSA’s strategy to deliver secure cybersecurity solutions. The program leverages commercial encryption technologies and products to provide much-needed cybersecurity solutions with the latest performance capabilities. Vendors seeking to be listed on the approved CSfC Components List must first build their products in accordance with the applicable Protection Profiles, which are published by National Information Assurance Partnership (NIAP). The product must then be successfully submitted for approval using the internationally recognized Common Criteria process. NSA then enters into an agreement with the vendor, which may stipulate other requirements for their particular encryption solution.
The combination of more sensors being deployed on platforms which are then gathering more and more critical data in high-risk environments is helping to drive designers of NAS [network-attached storage] solutions to use the latest network and commercial storage technology.
As a result, more defense platforms are turning to higher speed 10 Gigabit Ethernet networks. Today, the best data storage media type for use in applications that require the fastest data throughput and large storage capacities are high-speed NVMe [nonvolatile memory express] memory devices. NVMe-based memory reduces latency and increases bandwidth by eliminating storage interface bottlenecks, making it ideal for use in high-speed data storage applications.
One way to take optimal advantage of the increased performance of the NVMe storage devices is to use an NVMe-based in-line hardware encryptor, a physical device that sits between the data source and the NVMe storage destination, so it can encrypt incoming data at near line-rate without adding burdensome overhead. The NVMe protocol can deliver transmission and storage performance improvements of nearly 50% over SATA (bus)-based alternatives.
An example of a high-speed, high-capacity NAS device is a new variant of the Curtiss-Wright HSR10, a high-speed, high-capacity NAS device that features the industry’s first NVMe in-line hardware full disk encryptor. The compact rugged unit’s dual 10 Gigabit Ethernet interfaces eliminate data bottlenecks on sensor-rich platforms while supporting two-layers of encryption to protect up to 32 Tbytes of critical data. The NVMe in-line hardware encryptor provides a path to NSA CSfC Components List approval. Because the HSR10’s hardware encryption technology is NVMe-based, the unit provides near line-rate data throughput, which is significantly faster than SATA-based alternatives. (Figure 1.)
[Figure 1 ǀ The HSR10 variant provides two layers of full disk encryption (FDE) in a single device. Both FDE layers are CSfC-certifiable and fully operational in a single unit. It is designed for storing and protecting critical DAR on deployed air, sea, and ground platforms.]
For system designers that require NSA-approved encryption, the NAS device will be submitted for National Information Assurance Partnership (NIAP) and Common Criteria Recognition Arrangement (CCRA) certification to achieve CSfC Components List approval in 2024.
Steve Petric is Sr. Product Manager at Curtiss-Wright Defense Solutions.
Curtiss-Wright Defense Solutions www.curtisswrightds.com