SED 101: What security practitioners need to know about self-encrypting hard drives

04/29/2011

By Aly Sidi, development manager, Absolute Software

For many organizations and security directors, the task of encrypting information on an employee’s computer poses a significant challenge. Encryption tools often serve as the “frontline of defense” for protecting sensitive data. Organizations rely on encryption to protect against data breaches and the negative publicity that follows such events.

Encryption has evolved over the past few years from file/folder encryption to volume and full disk encryption. All of these approaches rely on software running under the host operating system to perform the actual encryption, and that has two consequences. First, they cost CPU time, which is the biggest hurdle to universal adoption: users notice the slowdown. Second, they are susceptible to cold boot attacks, because the encryption key has to be held in RAM for as long as the volume is mounted. Most importantly, software encryption has always suffered from one major weakness: human error. If a user of volume encryption saves a document outside the encrypted volume, or fails to safeguard the key or passphrase, the data is exposed no matter how strong the product is, and a lost or stolen laptop becomes a breach unless the organization has other layers of security in place.

Many manufacturers, including Samsung, Seagate, Toshiba, Fujitsu, and Hitachi, are now building self-encrypting drives (SEDs), which provide a standardized, hardware-based method of encryption that ships with the computer. At their core, SEDs are hard drives whose controller contains dedicated encryption hardware that protects the data on the media. Based on a specification from the Trusted Computing Group (TCG), the encryption engine is built into the drive's controller electronics and uses AES with either a 128-bit or a 256-bit key.

Though many companies have already deployed full disk encryption on their devices, SEDs have significant benefits for both IT managers and organizations. Unlike software full disk encryption, an SED is always encrypting: every sector written to the media is encrypted with a data encryption key generated inside the drive, from the moment it leaves the factory. Enabling protection is therefore a matter of setting up authentication and locking, not of waiting the usual 6-10 hours for a bulk encryption (or decryption) pass. Additionally, because the encryption engine is part of the drive, it consumes no operating system resources; software full disk encryption, by contrast, has long been a pain point for users because it taxes the host CPU. Finally, SEDs are not susceptible to cold boot attacks: the data encryption key never leaves the drive's controller, so it cannot be recovered from host RAM. The caveat a practitioner should keep in mind is that an unlocked drive stays unlocked until it loses power, so the lock policy applied on sleep, hibernate, and screen lock matters as much as the drive itself.

Some companies are ahead of this trend and already use SEDs, but these are the original Seagate DriveTrust drives, which predate the standard. Computer and drive manufacturers are now converging on a new standard, the OPAL specification from TCG. Because it rests on an agreement among drive manufacturers to conform to a single specification rather than create their own implementations, OPAL is positioned to become the de facto standard for SEDs. This summer, more companies will begin the switch to OPAL-compliant SEDs to get ahead of the mass adoption expected by the end of the year.

New devices bring new management challenges for security staff. Although the drives encrypt from the moment they leave the manufacturer, a drive as shipped is not locked: the organization still has to take ownership of it, set credentials, and enable locking before the encryption protects anything. Third-party management tools are available, and necessary, to lock and unlock the drive, typically through a pre-boot authentication step. These tools also let IT managers administer users, authentication methods, and policies, and perform system maintenance tasks, from one central administration console.

Cost effectiveness is another benefit of managing these drives through such tools. For companies with frequent refresh cycles or staff changes, the tools can wipe a drive for decommissioning or at the end of the device's lifecycle by replacing the drive's data encryption key (a cryptographic erase), which renders every sector unreadable in seconds rather than the hours a full overwrite takes. Finally, IT staff can restore access when a user loses a credential or the system crashes or fails: an administrator credential can unlock the drive and reset the user's credential without touching the data.
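The key hierarchy behind the points above (always-on encryption, locking and unlocking, credential recovery, and fast decommissioning), as an added example that is not part of the original article and is not the code of any drive vendor or management tool. It models a drive in Go: the data encryption key (DEK) is generated on the drive and stored only sealed under keys derived from the admin and user credentials; Unlock loads it into controller memory; PowerCycle drops it; ResetUserPassword re-seals the DEK for a new user credential without rewriting any sector; and CryptoErase replaces the DEK so previously written sectors no longer decrypt. The credentials, the sector data, the iterated-SHA-256 credential derivation, and the SED/WriteSector/ReadSector API are all constructed for illustration; the TCG specification defines the drive commands, not this code, and a real drive's internal credential handling is not specified here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe way to continue
	}
	return b
}

// AES-256-GCM: seal prefixes a fresh nonce to its output, unseal strips it.
// Every key used here is 32 bytes, so NewCipher and NewGCM cannot fail.
func seal(key, plain, aad []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plain, aad)
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("no data")
}

// kek derives a key-encryption key from a credential. Iterated SHA-256 stands
// in for the drive's own credential handling, which is internal to its firmware.
func kek(password string) []byte {
	k := sha256.Sum256([]byte("sed-kek:" + password))
	for i := 0; i < 50000; i++ {
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

// SED models the key hierarchy: one DEK generated inside the drive encrypts
// every sector. Persistently the drive stores only that DEK sealed under each
// authority's KEK; the plaintext DEK is in controller memory while unlocked.
type SED struct{ dek, admin, user []byte }

// NewSED takes ownership. The DEK never leaves the drive, and the drive comes
// up locked, so Unlock must precede any I/O.
func NewSED(adminPw, userPw string) *SED {
	dek := random(32)
	return &SED{admin: seal(kek(adminPw), dek, nil), user: seal(kek(userPw), dek, nil)}
}

// Unlock loads the DEK into controller memory if either credential unseals it.
func (d *SED) Unlock(password string) error {
	k := kek(password)
	for _, blob := range [][]byte{d.user, d.admin} {
		if dek, err := unseal(k, blob, nil); err == nil {
			d.dek = dek
			return nil
		}
	}
	return errors.New("authentication failed")
}

// PowerCycle: the controller forgets the DEK and comes back locked. Until then
// an unlocked drive stays unlocked, whatever state the host is in.
func (d *SED) PowerCycle() { d.dek = nil }

// Data path. The sector number is bound as associated data, so a sealed block
// copied to another sector fails authentication instead of decrypting.
func (d *SED) WriteSector(sector uint64, plain []byte) ([]byte, error) {
	if d.dek == nil {
		return nil, errors.New("drive locked")
	}
	return seal(d.dek, plain, binary.BigEndian.AppendUint64(nil, sector)), nil
}

func (d *SED) ReadSector(sector uint64, sealed []byte) ([]byte, error) {
	if d.dek == nil {
		return nil, errors.New("drive locked")
	}
	return unseal(d.dek, sealed, binary.BigEndian.AppendUint64(nil, sector))
}

// ResetUserPassword is the credential-recovery path: the admin unseals the DEK
// and re-seals it for the new user credential. No sector is rewritten.
func (d *SED) ResetUserPassword(adminPw, newUserPw string) error {
	dek, err := unseal(kek(adminPw), d.admin, nil)
	if err != nil {
		return err
	}
	d.user = seal(kek(newUserPw), dek, nil)
	return nil
}

// CryptoErase is the decommissioning path: a fresh DEK replaces the old one and
// every sector already written becomes unreadable without being touched.
func (d *SED) CryptoErase(adminPw string) error {
	if _, err := unseal(kek(adminPw), d.admin, nil); err != nil {
		return err
	}
	d.admin, d.user, d.dek = seal(kek(adminPw), random(32), nil), nil, nil
	return nil
}

func main() {
	d := NewSED("admin-secret", "alice-pw") // constructed credentials
	d.Unlock("alice-pw")
	sealed, _ := d.WriteSector(7, []byte("payroll"))
	d.CryptoErase("admin-secret")
	d.Unlock("admin-secret")
	_, err := d.ReadSector(7, sealed)
	fmt.Println("read after crypto-erase:", err)
}
```

The two things worth noticing are that ResetUserPassword and CryptoErase never touch a sector, which is why both are instant on real hardware, and that ReadSector fails after PowerCycle but would keep answering on a drive that is left powered and unlocked; the lock policy, not the drive, decides how long that window is.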

With such a strong value proposition, analysts predict that SEDs will make software full disk encryption obsolete as organizations adopt them with each regular device refresh cycle. PC OEMs are expected to be shipping SEDs before the end of the year. Security and IT staff need to start preparing their teams now: they must be trained and ready to administer and secure these drives before integrating them into the organization's deployment.

As organizations, both their employees and their data, become increasingly mobile, IT needs to ensure its security methods keep pace. SEDs are the next evolution in encryption and are likely to become the de facto standard within a few years, displacing software full disk encryption. IT should start planning now for integrating SEDs into its security methodology and begin assessing third-party management tools that add value beyond simply locking and unlocking the drive.