Storage Security Using Self-Encryption

Self-Encrypting drives are becoming the new IT security standard

IT shops everywhere are becoming grimly aware of the explosive growth in lost and stolen data from businesses. As many as 10 percent of laptop computers are lost or stolen each year, and most of those computers contain sensitive, confidential data; in fact, according to the FBI, a notebook computer is stolen every 53 seconds and 97 percent are never recovered. Grim statistics, indeed, and lost or stolen data from data centers only adds to that statistic.

Governments around the world have taken note of the severe impact of exposing personal information of their citizenry and have enacted legislation that requires protection of such data held by businesses. In the case of a data breach, pending U.S. state and federal legislation is clear: Given that a loss/theft contains sensitive personal information on clients and employees, the affected company is obligated to notify the affected persons of the data breach.

The cost of a data breach, which includes notification to affected clients, paying for the protection of their credit worthiness and identity for two years, and loss of client and business partner trust in the company, is stark — $6.65 million on average, per incident. Some companies have either folded or severely restructured due to a breach incident.

However, a breach exemption is granted if the data was protected by encryption (referred to as an encryption “safe harbor” in the state legislation). Properly documented stored-data encryption renders the sensitive data unavailable to the thief and obviates the need for the breach notification: a new compliance requirement for corporations and institutions.

The Benefits of Secure Encryption

The business mandate for exemption from breach notification dictates that security should provide pervasive encryption of stored data, in the data center, but especially for the increasingly mobile laptops.

So how can data be encrypted securely? Software-based encryption solutions for laptops have existed for some time, but such solutions often suffer from usability and complexity issues, lifetime configuration and maintenance costs and weak security. Software traditionally is more vulnerable to attacks, and many users turn off software-based encryption because it slows their systems considerably.

Sensing the need for better data protection, some years ago almost all storage vendors, through the auspices of the non-profit industry standards organization Trusted Computing Group, developed an open specification for these self-encrypting drives. The group took a novel approach to stored-data encryption: putting the encryption engine in hardware directly inside the storage system.

The resulting new kind of drive is called a self-encrypting drive (SED). From the outside, an SED functions as an ordinary drive, processing reads and writes; however, deep inside the drive electronics, just before the data ‘bits’ are written to the physical media, an encryption engine applies real-time encryption to the data stream, so the “bits” on the media are encrypted and therefore unreadable to an unauthorized adversary. Conversely, “bits” read from the media are decrypted before leaving the drive, completely transparent to the end-user. Loss or theft of an SED-equipped laptop means that no data is lost or exposed.

Several comparisons of hardware-based SEDs to software and indirect encryption solutions have been conducted. The research and testing by consultant Trusted Strategies is especially revealing of the stark differences in performance for SEDs vs. software full-disk encryption (FDE). Three leading FDE software products were pitted against an SED, using a series of intensive read/write tests. In a typical test, the SED was 79 percent, 132 percent and 144 percent faster than the software-based products. Using a solid-state drive (SSD) with self-encryption further increases the performance advantages.

Compared to traditional software-based encryption, SEDs offer the following capabilities:

This content continues onto the next page...