David Hill

Network Computing Blogger



Wave Systems Rides The Wave Of Self-Encrypting Disk Drives

Protecting the confidentiality of data on mobile devices is an increasingly critical issue. For example, the loss or theft of laptop computers has led to numerous breaches of data privacy laws for exposing confidential information, such as Social Security and credit card numbers. Public admission of such a data breach is not only a matter of embarrassment and direct costs, such as notifying individuals of the thefts, but may also subject the company to fines and other sanctions.

That is only the visible tip of the confidentiality iceberg. The vast majority of laptops probably don't contain that kind of information. However, they may include information that requires confidentiality, from intellectual property to customer lists for sales representatives or other business planning documents. A bigger issue is public disclosure. Even when the information lost is not overly sensitive, that is hard to prove and often requires the damaging public disclosure of a breach. For that reason, mobile devices used by businesses, as well as government and non-profit organizations, need to be protected, and the data encrypted.

Encryption seems to be the magic bullet most likely to successfully ensure data confidentiality. Two types of encryption are available for storage devices: software and hardware. Software has the advantage over hardware in that it can be retrofitted to existing pieces of storage media, such as hard drives or flash drives that do not have encryption or self-encryption built in. Conversely, hardware encryption is an option that must be chosen either when new mobile devices are purchased or through a painful migration of data and switchover to the self-encrypted drive. That is a costly use of personnel and product investment resources.

So then software encryption is best, right? The answer is an emphatic no. Why? Because software encryption suffers from performance degradation, imperfect security, and an IT management burden for both deployment and maintenance. The performance degradation comes about because software-based full disk encryption relies on a mobile device's memory and processing resources, often resulting in noticeably longer boot and response times. Imperfect security in software encryption often results from management and access issues, such as "cold boot" attacks (stealing information from memory at shutdown time). The IT management burden of software encryption starts with the time required to encrypt a single device, which is reputedly between 3 1/2 and 24 hours for a 500 GB disk.

The hardware alternative consists of self-encrypting drives made by a number of manufacturers based on the Trusted Computing Group (TCG) "Opal" encryption specification. These drives contain a dedicated processor, dynamic RAM and boot environment that lead to higher security than software-based encryption solutions. For example, encryption keys reside in the disk controller and not system memory and are impervious to attack since external I/Os can never reach the disk controller itself. In addition, self-encrypting drives impose no performance penalty because dedicated processors in the disk provide the heavy lifting in a swift and transparent manner and without requiring any system memory or processing resources. Moreover, self-encrypting drives are always on, something that software-based encryption cannot always claim, which is essential for ensuring you are truly in compliance with data breach laws.

