Storage Security Using Self-Encryption

IT shops everywhere are becoming grimly aware of the explosive growth in lost and stolen data from businesses. As many as 10 percent of laptop computers are lost or stolen each year, and most of those computers contain sensitive, confidential data; in fact, according to the FBI, a notebook computer is stolen every 53 seconds and 97 percent are never recovered. Grim statistics, indeed, and lost or stolen data from data centers only adds to the toll.

Governments around the world have taken note of the severe impact of exposing personal information of their citizenry and have enacted legislation that requires protection of such data held by businesses. In the case of a data breach, pending U.S. state and federal legislation is clear: if a lost or stolen device contains sensitive personal information on clients and employees, the affected company is obligated to notify the affected persons of the data breach.

The cost of a data breach, which includes notification to affected clients, paying for the protection of their credit worthiness and identity for two years, and loss of client and business partner trust in the company, is stark — $6.65 million on average, per incident. Some companies have either folded or severely restructured due to a breach incident.

However, a breach exemption is granted if the data was protected by encryption (referred to as an encryption “safe harbor” in the state legislation). Properly documented stored-data encryption renders the sensitive data unavailable to the thief and obviates the need for the breach notification: a new compliance requirement for corporations and institutions.


The Benefits of Secure Encryption

The business mandate for exemption from breach notification dictates that security should provide pervasive encryption of stored data, in the data center, but especially for the increasingly mobile laptops.

So how can data be encrypted securely? Software-based encryption solutions for laptops have existed for some time, but such solutions often suffer from usability and complexity issues, lifetime configuration and maintenance costs, and weak security. Software traditionally is more vulnerable to attacks, and many users turn off software-based encryption because it slows their systems considerably.

Sensing the need for better data protection, some years ago almost all storage vendors, under the auspices of the non-profit industry standards organization Trusted Computing Group, developed an open specification for self-encrypting drives. The group took a novel approach to stored-data encryption: putting the encryption engine in hardware directly inside the storage system.

The resulting new kind of drive is called a self-encrypting drive (SED). From the outside, an SED functions as an ordinary drive, processing reads and writes; however, deep inside the drive electronics, just before the data “bits” are written to the physical media, an encryption engine applies real-time encryption to the data stream, so the “bits” on the media are encrypted and therefore unreadable to an unauthorized adversary. Conversely, “bits” read from the media are decrypted before leaving the drive, completely transparent to the end-user. Loss or theft of an SED-equipped laptop means that no data is lost or exposed.

Several comparisons of hardware-based SEDs to software and indirect encryption solutions have been conducted. The research and testing by consultant Trusted Strategies is especially revealing of the stark differences in performance for SEDs vs. software full-disk encryption (FDE). Three leading FDE software products were pitted against an SED, using a series of intensive read/write tests. In a typical test, the SED was 79 percent, 132 percent and 144 percent faster than the software-based products. Using a solid-state drive (SSD) with self-encryption further increases the performance advantages.

Compared to traditional software-based encryption, SEDs offer the following capabilities:

• Transparency: SEDs come from the factory with the encryption key already generated on-board and the drive already encrypting. Software-based keys are provisioned by the end-user.

• Ease of management: SEDs have no encrypting key to manage externally. How does software-based encryption protect the encryption key? In software?

• Life-cycle costs: The cost of an SED is pro-rated into the initial drive cost. Software has continuing life-cycle costs.

• Disposal or re-purposing cost: With an SED, erasing the on-board encryption key rapidly renders the encrypted data unreadable; the “clean” drive can be re-used, disposed of or shipped out for warranty repair. Software-based encryption often relies on lengthy data-overwriting procedures or even destruction of the drive itself.

• Re-encryption: With SEDs, there is no need to ever re-encrypt the data. Software-based encryption key changes require whole drive re-encryption.

• Performance: There is no degradation in SED performance because it is hardware-based.

• Standardization: The whole drive industry is building to the TCG/SED Specifications. Software is proprietary.

• No interference: SEDs do not interfere with processes such as compression, de-duplication or DLP (data loss prevention). Software encryption is necessarily upstream from storage and can interfere with these processes.

The one issue with SEDs is the cost of migrating out the non-encrypting drives and replacing them with SEDs; however, the normal laptop replacement cycle (nominally, three years) can be leveraged with priority given to employees and executives who carry sensitive personal data on their laptops.

The following advantages of SED-based encryption have been documented in a number of studies:

• Simplified Management: no encryption keys to manage;

• Robust Security: hardware-based and ‘locked’ deep inside a drive;

• Compliance “Safe Harbor”: protection against breach notification;

• Cuts Disposal Costs: key deletion provides rapid erasure of all data — 90 percent of retired (non-encrypted) drives are still readable;

• Scalable: every drive has its own encryption engine with no stressing of shared encryption resources;

• Interoperable: TCG has specified in detail the technology and interface, and the trusted command set is standardized by all variants of ATA and SCSI (note: the laptop specification is named OPAL);

• Integrated: built into the drive; and

• Transparent: comes from the factory encrypting and never stops.


Is SED Technology Widely Available and Standardized?

The three dimensions, business requirements, industry standardization and availability from all major drive vendors, have all come together:

• The breach notification laws and corporate fiduciary responsibilities mandate the protection of stored data, and encryption provides compliance. SEDs do the rest.

• The Trusted Computing Group (TCG) standardized the SED technology in early 2009 in published specifications.

• The whole drive industry — both solid-state and rotating media, from laptops to the big data centers — is building and providing products now designed to the TCG specifications.

“Many organizations are considering drive-level security for its simplicity in helping secure sensitive data through the hardware lifecycle from initial setup, to upgrade transitions and disposal,” says Eric Ouellet, Senior Vice President of research firm Gartner.

The user (or IT shop) of an SED configures a strong password (called an authentication key), which is used to unlock the drive for authorized access. The authentication process is carried out (pre-boot) by the drive logic directly before the OS or any applications are loaded. On board the drive, the authentication key is used to wrap (encrypt) the encrypting key (the media encryption key), so that key is never stored in the clear. The best practices of cryptography have been incorporated into the TCG specifications.
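The key hierarchy just described, together with the crypto-erase from the disposal bullet above, as an added illustrative model (not TCG/Opal code and not any vendor's firmware): the media encryption key is born on the drive, the password-derived authentication key only ever wraps it, and erasure replaces the key rather than the data. HMAC-SHA256 in counter mode stands in for the drive's hardware AES engine, and the class, method names and PBKDF2 parameters are assumptions made for the example.

```python
import hashlib, hmac, secrets
# Constructed model of an SED's key hierarchy (added illustration, not TCG/Opal code).
# HMAC-SHA256 in counter mode stands in for the drive's hardware AES engine.

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor_crypt(key, nonce, data):            # encrypt and decrypt are the same XOR
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

class SelfEncryptingDrive:
    def __init__(self):
        self.mek = secrets.token_bytes(32)  # media encryption key, generated on the drive
        self.salt = secrets.token_bytes(16)
        self.media = {}                     # sector number -> ciphertext on the platter
        self.wrapped_mek = None             # MEK wrapped under the authentication key

    def _auth_key(self, password):          # AK derived from the user's password
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password):       # wrap the MEK; it is never stored in the clear
        ak, nonce = self._auth_key(password), secrets.token_bytes(16)
        ct = xor_crypt(ak, nonce, self.mek)
        tag = hmac.new(ak, nonce + ct, hashlib.sha256).digest()
        self.wrapped_mek = (nonce, ct, tag)

    def lock(self): self.mek = None         # power-off: plaintext MEK is gone

    def unlock(self, password):             # pre-boot authentication
        ak = self._auth_key(password)
        nonce, ct, tag = self.wrapped_mek
        expect = hmac.new(ak, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return False                    # wrong password: MEK stays wrapped
        self.mek = xor_crypt(ak, nonce, ct)
        return True

    def write(self, sector, data):
        if self.mek is None: raise PermissionError("drive locked")
        self.media[sector] = xor_crypt(self.mek, sector.to_bytes(8, "big"), data)

    def read(self, sector):
        if self.mek is None: raise PermissionError("drive locked")
        return xor_crypt(self.mek, sector.to_bytes(8, "big"), self.media[sector])

    def crypto_erase(self):                 # new MEK: old ciphertext is now garbage
        self.mek = secrets.token_bytes(32)
        self.wrapped_mek = None
```

The protection depends on the drive being locked: a drive that still holds its unwrapped key, because no password was ever set or it was never powered down, serves plaintext to whoever holds it.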

Seriously consider SEDs as a solution and exemption for your breach notification obligations under state, federal, and international legislation.


Dr. Michael Willett is a member of Trusted Computing Group’s Storage Work Group, and he also serves as storage security strategist with Samsung. He received a Bachelor of Science degree from the U.S. Air Force Academy (Top Secret clearance) and a Master’s and PhD in mathematics from North Carolina State University.