• Transparency: SEDs come from the factory with the encryption key already generated on-board and the drive already encrypting. Software-based keys are provisioned by the end-user.
• Ease of management: SEDs have no encrypting key to manage externally. How does software-based encryption protect the encryption key? In software?
• Life-cycle costs: The cost of an SED is pro-rated into the initial drive cost. Software has continuing life-cycle costs.
• Disposal or re-purposing cost: With an SED, erasing the on-board encryption key rapidly renders the encrypted data unreadable; the “clean” drive can be re-used, disposed or shipped out for warranty repair. Software-based encryption often relies on lengthy data-overwriting procedures or even destruction of the drive itself.
• Re-encryption: With SEDs, there is no need to ever re-encrypt the data. Software-based encryption key changes require whole drive re-encryption.
• Performance: There is no degradation in SED performance because it is hardware-based.
• Standardization: The whole drive industry is building to the TCG/SED Specifications. Software is proprietary.
• No interference: SEDs do not interfere with processes such as compression, de-duplication or DLP (data loss prevention). Software encryption is necessarily upstream from storage and can interfere with these processes.
The one issue with SEDs is the cost of migrating out the non-encrypting drives and replacing them with SEDs; however, the normal laptop replacement cycle (nominally, three years) can be leveraged with priority given to employees and executives who carry sensitive personal data on their laptops.
The following advantages of SED-based encryption have been documented in a number of studies:
• Simplified Management: no encryption keys to manage;
• Robust Security: hardware-based and ‘locked’ deep inside a drive;
• Compliance “Safe Harbor”: protection against breach notification;
• Cuts Disposal Costs: key deletion provides rapid erasure of all data — 90 percent of (non-encrypted) even retired drives are still readable;
• Scalable: every drive has its own encryption engine with no stressing of shared encryption resources;
• Interoperable: TCG has specified in detail the technology and interface, and the trusted command set is standardized by all variants of ATA and SCSI (note: the laptop specification is named OPAL);
• Integrated: built into the drive; and
• Transparent: comes from the factory encrypting and never stops.
Is SED Technology Widely Available and Standardized?
The three dimensions: business requirements, industry standardization and availability from all major drive vendors have all come together.
• The breach notification laws and corporate fiduciary responsibilities mandate the protection of stored data and encryption provides compliance. SEDs do the rest.
• The Trusted Computing Group (TCG) standardized the SED technology in early 2009 in published specifications.
• The whole drive industry — both solid-state and rotating media, from laptops to the big data centers — are building and providing products now designed to the TCG specifications.
“Many organizations are considering drive-level security for its simplicity in helping secure sensitive data through the hardware lifecycle from initial setup, to upgrade transitions and disposal,” says Eric Ouellet, Senior Vice President of research firm Gartner.
The user (or IT shop) of an SED configures a strong password (called an authentication key), which is used to unlock the drive for authorized access. The authentication process is carried out (pre-boot) by the drive logic directly before the OS or any applications are loaded. On board the drive, the authentication key is used to wrap (encrypt) the encrypting key, so that key is never stored in the clear. The best practices of cryptography have been incorporated into the TCG specifications.
Seriously consider SEDs as a solution and exemption for your breach notification obligations under state, federal, and international legislation.