Q&A: Hard drive encryption
Dave Anderson is Director, Strategic Planning for Seagate and is involved in developing the opportunities for hard drives to contribute to system security. In this interview he discusses the various aspects of hard drive encryption.
Because of legitimate concerns regarding theft, encryption is increasingly becoming ordinary for laptops. What about desktop machines, should companies think about encrypting everything in the enterprise?
In theory the decision to encrypt should be based on factors such as the type of information to be protected and an evaluation of the organization’s susceptibility to a data breach. In practice, information is so easily disseminated and so difficult to track, that it is effectively impossible to manage the problem in this way.
Laptops have received most of the attention with respect to encryption because those systems are the most obviously portable. However, there are two key factors that pertain to desktops and other enterprise storage devices such as servers and external storage arrays that are often missed:
1. Every single disk drive in an organization will eventually leave that organization.
2. It is impossible to know if any given drive contains sensitive information.
An administrative assistant’s PC could as likely contain critical information as the CEO’s or a drive pulled from a server. This and the high cost of data breaches argue strongly for encrypting all data. Now, with Seagate Secure Self-Encrypting Drives (SEDs) available for every disk drive application, and the cost of using them so negligible, it only makes sense to consider encrypting everything, always. It is just so easy to be safe and so expensive to be sorry.
In larger corporations physical security is such that there isn’t typically much worry over the possibility of a server being stolen by thieves walking it out of a building. Of greater concern is drive retirement and disposal. Encryption makes these easy as well. As we’ll see shortly, data on SEDs can be made instantaneously and permanently unreadable using a cryptographic erase. This prepares the equipment for reuse or disposal with no need to worry about other options such as contracting with an outside organization for disposal. This latter approach has too often been shown to involve the biggest vulnerability found in a sophisticated IT department. Things go wrong during these disposal processes because there is human involvement in the process, and people make mistakes. Where people can make mistakes, there is always a risk of a data breach along the way. Again, as we’ll see in the answer to the third question, Instant Secure Erase can significantly mitigate the vulnerability of data when people make mistakes.
What kind of performance loss can users expect when it comes to hard disk encryption?
The beauty of using SEDs is that there is no loss of performance, even as the system scales in size. The actual encryption engine is located on each drive and works at precisely the same speed as the drive’s interface transfer rate. Whether the SED is a notebook drive in a laptop or a server class drive in a SAN array, the encryption function is transparent to the performance of the system.
This becomes an enormous benefit as server and storage systems are scaled up over time with added storage. Because each new drive adds its own encryption engine, there is no bottleneck that would otherwise throttle operations if the encryption were being done elsewhere on the system.
Based on your experience, what are the pros and cons of encrypting entire hard drives?
The benefits of encrypting on hard drives are many. Getting encryption with no loss of performance is only the most easily understood. Another big advantage is in the area of encryption management. To cite just one aspect of this, let’s look a little more closely at how SEDs manage keys. The encryption key never leaves the drive; only the authentication key (server drive) or password (laptop or desktop) is external. This arrangement has at least two enormous benefits. First, if a person resigns his position at a data center having had access to those keys or passwords, good practice dictates that those keys must be changed. Since only the authorization credentials were known and need to be changed, this can be done by the SED in less than a second. If the encryption keys were kept externally – as is the case with most other encryption approaches – and the departing employee had access to those, then those secrets would have to be changed. This would entail reading all the data that had been protected by those keys and re-encrypting it with new keys. This could be an especially traumatic event for a large data center – but something avoided completely by the SED architecture because the encryption keys themselves are never exposed.
Second, because the only copies of the encryption key are within the drive, if those copies are replaced by new keys, the data on the drives is effectively immediately destroyed. This can be used by an IT organization as an efficient method for instantly making all data inaccessible from drives before disposal. This cryptographic erase makes it trivial to instantly prepare drives for retirement, take drives out of service, and donate them to a charity or assign to another application without having to worry about subsequent users of the storage being able to access data from the previous owner. After the crypto erase, any human error in the disposal or decommission process is irrelevant with respect to the security of the data. If drives are lost, misplaced or stolen, it does not matter. The data is already secure. This approach to disposal also avoids creating hazardous waste that is a byproduct of shredding or otherwise physically destroying drives to prevent their contents from falling into the wrong hands after the IT organization relinquishes them.
The first challenge of hard drive encryption is that there is a learning curve to deployment. Any new tool or new technology will have this. An organization will need to identify best practices for key management and, in the case of larger enterprises, will need to deploy key management systems to have full control over their encryption capability. Second, it will likely have to be phased in over time. It is not usually considered practical to completely replace in a single operation all drives in an organization. Rather, as new systems are acquired, they can be specified with SEDs, and over time the entire organization will enjoy SED protection. The one other consideration common to all encryption practices is that the IT organization must take careful control of the credentials.
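The key hierarchy described in the answer above (the encryption key stays inside the drive, only the external credential is rotated when someone leaves, and a cryptographic erase replaces the key so existing sectors become unreadable), together with the Instant Secure Erase mentioned in the first answer, modelled as an added Python example. This is not Seagate's firmware or code from the interview: the class and method names, the PBKDF2 credential derivation, and the HMAC-SHA256 keystream standing in for the drive's hardware AES engine are all assumptions made so the model runs with the standard library alone.

```python
import hashlib
import hmac
import os

# Hypothetical model of a self-encrypting drive (SED). A real drive runs AES in
# hardware; an HMAC-SHA256 keystream stands in here so the example is stdlib-only.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from key and nonce (toy stand-in for AES)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """Drive whose media encryption key (MEK) never leaves it in the clear."""

    def __init__(self, password: str) -> None:
        self._sectors = {}      # LBA -> ciphertext, the only persistent data
        self._mek = None        # volatile: present only while unlocked
        self._wrap_mek(os.urandom(32), password)   # fresh MEK, sealed by credential
        self.unlock(password)

    # --- credential handling: only the *wrapped* MEK survives power-off ---
    @staticmethod
    def _kek(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 32)

    def _wrap_mek(self, mek: bytes, password: str) -> None:
        salt, nonce = os.urandom(16), os.urandom(16)
        kek = self._kek(password, salt)
        wrapped = _xor(mek, _keystream(kek, nonce, 32))
        tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        self._blob = (salt, nonce, wrapped, tag)

    def unlock(self, password: str) -> bool:
        salt, nonce, wrapped, tag = self._blob
        kek = self._kek(password, salt)
        expect = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return False        # wrong credential: the MEK stays sealed
        self._mek = _xor(wrapped, _keystream(kek, nonce, 32))
        return True

    def lock(self) -> None:
        self._mek = None

    def is_locked(self) -> bool:
        return self._mek is None

    def change_password(self, old: str, new: str) -> bool:
        """Re-wrap the *same* MEK under a new credential; no sector is re-encrypted."""
        if not self.unlock(old):
            return False
        self._wrap_mek(self._mek, new)
        return True

    def crypto_erase(self, current: str, new: str) -> bool:
        """Instant Secure Erase: replace the MEK so every existing sector is unreadable."""
        if not self.unlock(current):    # still requires the current credential
            return False
        self._wrap_mek(os.urandom(32), new)
        return self.unlock(new)

    # --- data path: transparent encrypt on write, decrypt on read ---
    def write(self, lba: int, data: bytes) -> None:
        if self._mek is None:
            raise PermissionError("drive is locked")
        self._sectors[lba] = _xor(data, _keystream(self._mek, lba.to_bytes(8, "big"), len(data)))

    def read(self, lba: int) -> bytes:
        if self._mek is None:
            raise PermissionError("drive is locked")
        ct = self._sectors[lba]
        return _xor(ct, _keystream(self._mek, lba.to_bytes(8, "big"), len(ct)))

    def media_image(self) -> dict:
        """Copy of what an attacker with physical access to the platters would see."""
        return dict(self._sectors)


def demo() -> dict:
    """Walk through the properties the interview attributes to SEDs (constructed data)."""
    secret = b"payroll.csv contents"          # constructed sample sector content
    drive = SelfEncryptingDrive("initial-credential")
    drive.write(7, secret)
    media_before = drive.media_image()
    results = {"wrong_credential_accepted": drive.unlock("guess")}
    drive.change_password("initial-credential", "rotated-credential")
    results["old_credential_accepted_after_change"] = drive.unlock("initial-credential")
    results["media_changed_by_credential_change"] = drive.media_image() != media_before
    drive.lock()
    drive.unlock("rotated-credential")
    results["plaintext_after_credential_change"] = drive.read(7)
    drive.crypto_erase("rotated-credential", "post-erase-credential")
    results["plaintext_after_crypto_erase"] = drive.read(7)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Calling `demo()` shows the three points in one run: a wrong credential never yields the MEK, rotating the credential leaves the ciphertext on the media byte-for-byte unchanged while the data still reads back, and a cryptographic erase leaves the old sectors in place but unrecoverable. The toy keystream is unauthenticated, like the XTS mode real drives use, so the erased sector decrypts to garbage rather than raising an error; that is exactly why the MEK must never be exported.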
How important should the encryption of data be for an organization? What issues can it mitigate?
Data encryption should be one element in a comprehensive security plan that covers all the avenues of attack that would threaten the well-being of an organization. Encrypting data at rest is an effective tool to prevent data breaches due to lost or stolen equipment. This is one of many security issues (and one of the most important) that needs to be addressed. The reported costs of a data breach should make encryption one of the higher priorities. An average data breach today costs $202 per victim and $6.6M per incident! (See: U.S. Cost of Data Breach Study, Ponemon Institute, 2009.)
Based on what criteria would you recommend software or hardware encryption?
For data-at-rest security as discussed above, hardware-based encryption at the drive level is the best approach. There are other applications of encryption, though. If the need is to protect individual fields in a database or only a specific folder on a removable drive, software encryption may be of value. Note that there is nothing wrong with overlapping encryption practices. If fields in a database need to be encrypted so that authorized users of that database cannot see certain sensitive information, that does not at all conflict with storing that database on self-encrypting drives to protect the entire database from unauthorized access.