2011 – The Year for Self Encrypting Drives (SEDs) February 14, 2011

Posted by mstarry in 2 - Enterprise Network Architecture and Security.

Do you encrypt the data contained on your corporate hard drives? If you do, are you using File and Folder Encryption (FFE), software-based Full Disk Encryption (FDE) or Self Encrypting Drives (SEDs)? If your answer is SEDs, you are in the minority. If you are using FFE, you are taking a pretty big chance. According to data presented by the Aberdeen Group at RSA today, FFE has about 25% more data loss incidents than full disk encryption. This is due to the burden placed on the user of the device to make sure sensitive data is stored only in certain folders. To date, software-based FDE has been the standard. Although effective, in my experience it is hard to manage, imposes a performance hit on the system and is just overall clunky. Key management and single sign-on remain challenges in the FDE world.

Now is the time for Self Encrypting Drives (SEDs). Although SEDs have been around for over four years, the adoption rate has been low. This is mainly due to the lack of standards and the associated price tag, never mind the difficulty of managing SEDs in an enterprise environment. This has changed over the past year or so as hard drive manufacturers have embraced the Trusted Computing Group's (TCG) OPAL standard for SEDs. The OPAL standard allows hard drive manufacturers to seamlessly integrate their wares into OEM markets, which in turn reduces the cost of SEDs.

All major PC and laptop vendors offer SEDs based on the OPAL standard as an option in their system configurations. Although SEDs are a little more expensive than standard hard drives, I would never purchase a laptop without one. All major FDE vendors are retooling their software to add support for SEDs alongside their current FDE offerings. Now is the time to implement SEDs and move away from traditional software-based FDE. According to the TCG, the key benefits of OPAL-based SEDs include:

• Transparency: No system or application modifications required; encryption key generated in the factory by on-drive random number process; drive is always encrypting
• Ease of management: No encryption key to manage; software vendors exploit standardized interface to manage SEDs, including remote management, pre-boot authentication, and password recovery
• Re-encryption: With SED, there is no need to ever re-encrypt the data
• Performance: No degradation in SED performance; hardware-based
• Standardization: The whole drive industry is building to the TCG/SED OPAL Specification.
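As an added illustration (my own hypothetical model, not code from this post or from the TCG specification), here is why the Transparency, Ease of management and Re-encryption bullets hold together: the media encryption key is generated inside the drive, a user password only wraps that key, so taking ownership or changing the password never rewrites a sector, and a crypto-erase is simply discarding the key. The cipher below is a stand-in keystream, not the AES engine real drives use, and every name and sample value is constructed for the example.

```python
import hashlib, hmac, os

def _xor_stream(key, tweak, data):
    # Stand-in for the drive's AES-XTS engine (a per-sector-tweaked HMAC-SHA256
    # keystream) so that only the key hierarchy is modelled. Not a real cipher.
    ks = b"".join(hmac.new(key, tweak + n.to_bytes(8, "big"), hashlib.sha256).digest()
                  for n in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

class ModelSED:
    # Hypothetical OPAL-style self-encrypting drive; an illustrative model only.
    def __init__(self):
        self.mek = os.urandom(32)  # factory-generated media encryption key, never exported
        self.media = {}            # LBA -> ciphertext (constructed sample storage)
        self.wrapped = None        # (salt, wrapped MEK, tag) once a password is set
        self.locked = False

    def set_password(self, password):
        # Take ownership: wrap the MEK under a password-derived key. Sectors
        # already on the media are untouched, which is why an SED never re-encrypts.
        salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        wrapped = _xor_stream(kek, b"wrap", self.mek)
        self.wrapped = (salt, wrapped, hmac.new(kek, wrapped, hashlib.sha256).digest())

    def power_cycle(self):
        self.mek, self.locked = None, True  # MEK gone until pre-boot auth unwraps it

    def unlock(self, password):
        salt, wrapped, tag = self.wrapped
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(hmac.new(kek, wrapped, hashlib.sha256).digest(), tag):
            return False
        self.mek, self.locked = _xor_stream(kek, b"wrap", wrapped), False
        return True

    def crypto_erase(self):  # revert: drop the MEK, old sectors become unrecoverable
        self.mek, self.wrapped, self.locked = os.urandom(32), None, False

    def _crypt(self, lba, data):
        if self.locked:
            raise PermissionError("drive locked")
        return _xor_stream(self.mek, lba.to_bytes(8, "big"), data)

    def write(self, lba, plaintext):
        self.media[lba] = self._crypt(lba, plaintext)

    def read(self, lba):
        return self._crypt(lba, self.media[lba])
```

Compare `media[lba]` before and after `set_password` to see that ownership and password changes leave the stored ciphertext byte-for-byte identical.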


Comments

1. Mike Goodnow - February 15, 2011

There was a comment made at the session that Apple doesn’t appear to be a significant player in the encryption game. Their device proliferation is growing steadily and more are connecting to corporate networks. Have we become complacent on Apple products, because the attack vectors are so low for their devices (or the proprietary nature of their hardware and code)? And when that changes, what will the shock value look like?

mstarry - February 16, 2011

Currently Apple does not offer a SED as an option in their product lines. When Apple grows up and decides that they want to play in the big boy enterprise world, I’m confident they will offer a SED. Maybe even an enterprise level management tool. Don’t hold your breath. Until then we should enjoy the toys that Apple brings to the market.

