At present, data storage devices are typically protected against deliberate attempts by unauthorized users to copy, transmit, view, steal, or use sensitive, protected, or confidential information stored on the devices (hereinafter “cyberattacks”), if they are protected at all, by passive techniques such as encryption and authentication. Most commonly, these passive techniques consist of encryption of the data on the storage media (“data at rest” encryption), password-based authentication of a storage management interface, and signed firmware on the storage device itself. These passive techniques are growing increasingly dated as cyberattackers become more resourceful and sophisticated, and many custodians of sensitive information leave themselves vulnerable to cyberattacks by failing to provide more robust security solutions for their data storage devices.
One potential solution to the drawbacks of relying on passive techniques is the use of link encryption to protect “data in transit,” i.e. data as it flows over networks between the data storage media and one or more users. In link encryption, data are encrypted and decrypted at each end of a communications line within the network, rather than being encrypted at the point of origin and decrypted at the destination as in end-to-end encryption. Link encryption may be difficult to implement, however, especially on storage networks where interoperability between different components of the network is an issue.
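The following added example, which is not part of the patent text, simulates the distinction drawn above on an assumed three-node storage path (storage device, intermediate switch, host). Under link encryption each communications line has its own key, so the switch must decrypt and re-encrypt and therefore handles the data in the clear; under end-to-end encryption the switch only forwards ciphertext. The cipher is a toy HMAC-SHA256 counter-mode stream cipher built from the standard library for illustration only; the keys, node names, and sample block are constructed.

```python
"""Where is plaintext exposed on a storage network path?

Compares link encryption (per-line keys, decrypt/re-encrypt at every hop) with
end-to-end encryption (one key shared by origin and destination) on the path
storage -> switch -> host. Constructed example; the cipher is a toy
HMAC-SHA256 counter-mode stream cipher, not a production AEAD.
"""

import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream). Fresh random nonce per message."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def send_link_encrypted(plaintext: bytes, link_keys: list) -> tuple:
    """Link encryption: link_keys[i] protects the i-th communications line.
    Returns (plaintext delivered to the final node, what each relay observed)."""
    observed = []
    blob = encrypt(link_keys[0], plaintext)
    for i in range(1, len(link_keys)):
        # Relay i terminates line i-1 and originates line i. It must hold both
        # keys, and the data necessarily passes through it in the clear.
        clear = decrypt(link_keys[i - 1], blob)
        observed.append(clear)
        blob = encrypt(link_keys[i], clear)
    return decrypt(link_keys[-1], blob), observed


def send_end_to_end(plaintext: bytes, e2e_key: bytes, num_relays: int) -> tuple:
    """End-to-end encryption: relays forward the ciphertext unchanged."""
    blob = encrypt(e2e_key, plaintext)
    observed = [blob for _ in range(num_relays)]
    return decrypt(e2e_key, blob), observed


def relay_sees_plaintext(plaintext: bytes, observed: list) -> bool:
    """True if any relay's view of the message contains the original plaintext."""
    return any(plaintext in view for view in observed)


def demo() -> dict:
    # Constructed sample: one storage block in flight from the device to a host.
    plaintext = b"LUN 7 block 0x1f3: patient record (constructed sample)"
    link_keys = [os.urandom(32), os.urandom(32)]  # storage<->switch, switch<->host
    delivered_link, seen_link = send_link_encrypted(plaintext, link_keys)
    delivered_e2e, seen_e2e = send_end_to_end(plaintext, os.urandom(32), num_relays=1)
    return {
        "link_delivered_ok": delivered_link == plaintext,
        "link_relay_sees_plaintext": relay_sees_plaintext(plaintext, seen_link),
        "e2e_delivered_ok": delivered_e2e == plaintext,
        "e2e_relay_sees_plaintext": relay_sees_plaintext(plaintext, seen_e2e),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both schemes deliver the block intact, but only under link encryption does the intermediate switch observe the plaintext. That is the property the interoperability concern in the text bears on: every device that terminates a link must implement the same cipher and hold a key, and each such device becomes a point where data in transit is exposed.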
Another vulnerability that is unaddressed by passive techniques is the storage management interface itself. The goal of some forms of cyberattack is simply to turn off the power to a data storage device or otherwise make the device inaccessible to authorized users; applied to a large enough number of devices in a short period of time, these types of attack can be devastating to the integrity of a network. Thus, any comprehensive data security solution should protect against attacks originating through the management interface as well.
There is thus a need in the art for more active security techniques for data storage devices. It is particularly advantageous for such techniques to protect data in transit, and to protect the devices from attacks that do not rely on access to unencrypted data stored on the devices.