Self-encrypting hard drives seemed to be a no-brainer when they hit the market due to their efficacy, but adoption has been poor because trends, such as the cloud, justify reliance on software that protects data wherever it is. By Asavin Wattanajantra.
In June, Glasgow City Council was fined a massive £150,000 by the Information Commissioner's Office, having lost 74 unencrypted laptops, including one that contained the bank records of 6,000 residents.
The size of the fine shows just how seriously organisations need to take data protection, and the price they could pay if they leave their employees' laptops unencrypted. For some, the solution to this problem comes in the form of self-encrypting hard drives (SEDs), which are claimed to be the most secure, best-performing and most transparent encryption option for protecting data.
The drives have a dedicated encryption engine in the controller that encrypts everything written to the media and decrypts it on the way back out, with users needing only to enter a password at start-up. The data encryption key is generated inside the drive and never leaves it, so it cannot be lifted from the host's memory or disk the way a software product's key can. The flip side is that once the drive has been unlocked it serves plaintext to whatever is running on the host, so the protection is against loss or theft of a powered-off machine rather than against malware on a running one. SEDs also have little to no effect on a laptop's operating resources, ensuring strong data security that is not only transparent to the end-user, but unobtrusive too.
Leading SED provider Wave Systems counts one of the world's largest oil companies among its clients. A big benefit of the technology, the oil company found, is its ability to bring the organisation into compliance with data protection regulations by providing proof that encryption was in place at the time of a potential breach.
“Once a SED is turned on, it automatically encrypts all data written to the drive,” says Joseph Souren, vice president and general manager EMEA at Wave. “The user is not compelled to decide what's important enough to encrypt. The user knows encryption is on by default, and can prove it.”
Laptops with SEDs are much easier to administer thanks to this ‘always on' status, Souren says, adding that it's essential to keep track of the status of client devices because a stolen laptop with the encryption turned off is a significant breach that might need to be reported to a regulatory authority.
SEDs also make it harder to plant malicious software in the master boot record. A bootkit of this kind loads a Trojan before the operating system, where security software cannot spot it by static analysis and where it can survive reformatting of the volume or reinstallation of the operating system. On an Opal drive the pre-boot authentication code lives in a small read-only region, the shadow MBR, that the drive presents in place of the real boot area until the user has authenticated, so the real MBR is neither readable nor writable while the drive is locked.
Dodi Glenn, director of AV Labs at ThreatTrack Security, says SEDs are a good measure to protect against advanced persistent threats and also offer cost savings because users don't require extra encryption software. There are day-to-day work benefits, too, he adds. “SEDs mean that end-user productivity remains optimal, since the encryption is done without requiring idle time, due to the encryption being done instantly.”
Further, when necessary, a SED can be erased through the management software. Because every sector on the media is encrypted under a key held inside the drive, the wipe is a cryptographic erase: the drive discards that key and generates a fresh one, and everything written under the old key becomes unreadable in seconds, with no need to overwrite the disk. For instance, if an employee is leaving the organisation, the administrator can easily wipe that staff member's drive and repurpose it for another user.
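To make the mechanics behind these claims concrete, here is an added example (not code from the article, from Wave, or from any drive maker): a toy model of an Opal-style drive in Python. Everything inside the `SelfEncryptingDrive` class is "inside the drive", and the host only gets the public commands. The HMAC-SHA256 keystream stands in for the drive's AES-XTS engine, PBKDF2 stands in for the drive's password check, and the sector size, work factor, method names and the sample "bank records" sector are all assumptions constructed for the demonstration. It shows the behaviours described above: the key never leaves the drive and the raw media holds only ciphertext, a locked drive presents only the pre-boot image, unlocking yields plaintext to whatever is on the host, and a wipe is a key change rather than an overwrite.

```python
"""Toy model of an Opal-style self-encrypting drive (constructed example)."""
import hashlib
import hmac
import os

SECTOR = 512         # assumed sector size
KDF_ROUNDS = 20_000  # assumed work factor for the password check


def _xor_stream(key: bytes, tweak: int, data: bytes) -> bytes:
    """Stand-in for the drive's AES-XTS engine: HMAC keystream bound to the sector."""
    stream = b"".join(hmac.new(key, tweak.to_bytes(8, "big") + i.to_bytes(4, "big"),
                               hashlib.sha256).digest() for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))


class SelfEncryptingDrive:
    """Controller state. The host sees only the public methods; none returns _dek."""

    def __init__(self, shadow_mbr: bytes):
        self._dek = os.urandom(32)      # media key, generated inside the drive
        self._salt = os.urandom(16)
        self._wrapped_dek = self._pin_check = None   # set once a password exists
        self._locked = False            # no password yet: unlocked but still encrypting
        self._shadow_mbr = shadow_mbr   # read-only pre-boot image shown while locked
        self._media = {}                # lba -> ciphertext, all that is on the platters

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, KDF_ROUNDS)

    def set_password(self, password: str) -> None:
        kek = self._kek(password)
        self._wrapped_dek = _xor_stream(kek, 0, self._dek)   # media untouched, so instant
        self._pin_check = hmac.new(kek, b"pin-check", hashlib.sha256).digest()

    def unlock(self, password: str) -> bool:
        if self._wrapped_dek is None:   # no password configured, nothing to check
            return True
        kek = self._kek(password)
        if not hmac.compare_digest(hmac.new(kek, b"pin-check", hashlib.sha256).digest(),
                                   self._pin_check):
            return False
        self._dek = _xor_stream(kek, 0, self._wrapped_dek)
        self._locked = False
        return True

    def power_cycle(self) -> None:
        if self._wrapped_dek is not None:   # plaintext DEK is gone; drive comes back locked
            self._dek, self._locked = None, True

    def change_password(self, old: str, new: str) -> bool:
        if not self.unlock(old):
            return False
        self.set_password(new)          # same DEK, new wrapping; data is untouched
        return True

    def crypto_erase(self, password: str) -> bool:
        if not self.unlock(password):
            return False
        self._dek, self._locked = os.urandom(32), False   # new key: old sectors now unreadable
        self._wrapped_dek = self._pin_check = None        # back to factory state
        return True

    def read(self, lba: int) -> bytes:
        if self._locked:
            if lba * SECTOR < len(self._shadow_mbr):   # pre-boot code stays visible
                return self._shadow_mbr[lba * SECTOR:(lba + 1) * SECTOR]
            raise PermissionError("locking range is locked")
        return _xor_stream(self._dek, lba, self._media.get(lba, bytes(SECTOR)))

    def write(self, lba: int, data: bytes) -> None:
        if self._locked:
            raise PermissionError("locking range is locked")
        self._media[lba] = _xor_stream(self._dek, lba, data.ljust(SECTOR, b"\0"))

    def platters(self, lba: int) -> bytes:   # the raw media, as a forensic image sees it
        return self._media.get(lba, bytes(SECTOR))


def walkthrough() -> dict:
    secret = b"bank records of 6,000 residents".ljust(SECTOR, b"\0")   # constructed data
    drive = SelfEncryptingDrive(shadow_mbr=b"PBA: enter password".ljust(SECTOR, b"\0"))
    drive.write(7, secret)               # encrypted even before any password exists
    drive.set_password("correct horse")
    drive.power_cycle()                  # laptop stolen while switched off
    ct = drive.platters(7)
    r = {"platters_hold_ciphertext": ct != secret,
         "locked_presents_shadow_mbr": drive.read(0).startswith(b"PBA:")}
    try:
        r["locked_hides_data"] = drive.read(7) is None
    except PermissionError:
        r["locked_hides_data"] = True
    r["wrong_password_rejected"] = not drive.unlock("hunter2")
    r["unlocked_host_sees_plaintext"] = drive.unlock("correct horse") and drive.read(7) == secret
    drive.change_password("correct horse", "battery staple")
    r["password_change_rewraps_only"] = drive.platters(7) == ct and drive.read(7) == secret
    drive.crypto_erase("battery staple")
    r["erase_keeps_old_ciphertext"] = drive.platters(7) == ct
    r["erase_makes_it_unreadable"] = drive.read(7) != secret
    return r
```

Calling `walkthrough()` returns a dict in which every entry is True. The `unlocked_host_sees_plaintext` entry is the caveat that matters in practice: once the password has been entered, the drive decrypts for anything running on the machine, so a SED is a control against the loss of a powered-off laptop rather than against malware on a running one. Note also that `set_password` and `change_password` never touch the media; only the wrapping of the DEK changes, which is why enabling encryption and rotating passwords are instant, and why a crypto-erase is simply a final, irreversible key change that leaves the old ciphertext on the platters as useless random data.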
A few years ago, the benefits of SEDs and the growing need for encryption led some experts to believe the technology would become ubiquitous. SEDs had been created and standardised by a consortium of information security giants, including vendors such as Seagate, Samsung, Micron, Hitachi and Toshiba. Organisations could buy their drives from well-recognised vendors, and knew each device was compliant with the Trusted Computing Group's Opal specification. It seemed a no-brainer: cryptographic processing prices were sliding, and there was now a standard supported by big names in storage technology, fulfilling a real security need.
Because Opal drives from different manufacturers expose the same management interface, it appeared that nothing would stop these solutions from all but replacing the software alternatives. This has not turned out to be the case: so far, few have picked up the technology, whether in the UK or abroad.
Andrew Rose, principal analyst for security and risk at Forrester Research, is clear on the main reason for SEDs turning out to be something of a damp squib in terms of sales. “Hard drives are purchased by procurement teams that rarely prioritise security options; they seek out the most cost-effective option, and standard hard disk drives tend to be cheaper,” he explains.
Further, organisations recognise the essential nature of full hard disk encryption, but often shirk the hardware option and invest instead in a more popular software alternative. What's more, full hard disk encryption often comes as part of a vendor's standard endpoint protection package, alongside anti-malware, virtual private network and data loss prevention software.
“It isn't a problem for security professionals to maintain the current software they have in place,” says Rose. “In fact, it's easier to live with the status quo than to change anything.”
As well as the issues around cost and the upheaval of implementing new systems, there is a lack of awareness of SEDs. Furthermore, they now represent a solution to a problem that many CISOs believe has already been sufficiently solved by software.
So, although SEDs score highly on ease of use, compliance and performance, and on cost once the licences for encryption software are taken into account, they simply don't create a compelling enough business case. And the argument against them doesn't end there.
Perhaps the biggest nail in the coffin of mass SED adoption is cloud computing. A SED protects only the data at rest on that one drive, and as more organisations store their data outside the drive, the gap it fills shrinks.
Mark Bower, vice president of product management at Voltage Security, argues that given the ‘always on' nature of the cloud, mobile devices and enterprise systems, the focus of encryption has shifted from the container (the drive) to the data itself. “Data at rest on a drive represents only a fraction of where the data goes in its lifecycle,” he says. One needs to protect the data itself wherever it goes – on the drive, in the application, over the network and in the cloud – on an end-to-end basis, he says. “Then, if it's compromised, the attacker simply has useless random information.”
Paul Ayers, vice president EMEA at data security firm Vormetric, agrees. He says SEDs don't meet the needs of the enterprise server, virtualisation and cloud environments that exist in many organisations because they only address the physical loss of drives. “To be truly effective, any encryption solution deployed by UK enterprises today needs to not only protect the data itself, but be easy to manage,” he says. SEDs might offer certain cost advantages, but when using them with enterprise storage solutions, organisations will be faced with the unfortunate task of manually tracking and managing the encryption keys for potentially thousands of drives, he says.
The major argument against SEDs, then, is that software-based and hybrid encryption solutions are simply the best bet. They help satisfy compliance requirements by preventing administrative access to protected data, and protect against advanced attacks with logs and reports that flag up unauthorised activity. They can also identify anomalous patterns of activity among authorised users, indicating a compromised account.
“At present, SEDs can't offer this level of sophistication, and organisations looking for a future-proofed encryption solution would be wise to consider software alternatives,” states Ayers.
Future of encryption
But, there is still hope for SEDs. “The easier they are to use, the more successful they will be,” says Ken Warren, European business manager at Cryptography Research. “In the real world, this will be more important than strength of encryption algorithm and key length.”
Forrester's Rose agrees that SEDs will eventually reach most organisations. “An ideal situation would be software encryption consoles that can recognise and use self-encrypting drives under the same framework. I understand that one or two security software providers offer this functionality already.”