Special Coverage Series

Network Computing

Special Coverage Series

Commentary

Serdar Yegulalp
Serdar Yegulalp

Self-Encrypting Drives Aren't Magic Security Dust

SEDs may be attractive in this time of heightened data security awareness but they're not necessarily a better option than software-based encryption for data protection.

Suddenly, everyone’s talking about at-rest, on-disk encryption again. No surprise why: Recent news about NSA surveillance programs and Bradley Manning's conviction for leaking U.S. classified files have reawakened interest in data protection. But I worry that people will once again fall into the trap of thinking that a single technology automatically means security.

The other day I received a press release from desk encryption vendor WinMagic proudly announcing that Hewlett-Packard had chosen WinMagic's SecureDoc tech for HP’s Client Security product. SecureDoc is a pretty venerable product, with broad deployment, a lot of industry accolades, and -- most importantly -- native support for Opal-compliant self-encrypting drives, or SEDs. (Opal is a standard for storage device policy management.)

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

Now, SEDs are appealing for a lot of reasons: They require no specific software to work; they do their encryption and decryption in dedicated hardware for speed; and they’re apparently tougher to hack. But they’re not magic dust that automatically blesses an organization with bulletproof data security. What’s more, I’m not convinced they’re an automatic upgrade path from software-only on-disk encryption, for a variety of reasons.

• Minimal amount of stress encryption puts on the average CPU. Even on notebook computers, software encryption doesn’t generate the kind of CPU usage that would hobble today’s systems or lower battery life. Having encryption in hardware is a nice bonus, but hardly a quantum leap.

• Not every SED is alike. First off, not all such drives are Opal-compliant, which means while they may use a strong encryption algorithm, their implementation of it is another story. SandForce’s implementation of AES encryption on its SSDs, for instance, turned out to have some problems. Buying any old drive won’t cut it; you have to do research.

• Upgrading software-based encryption is less disruptive. If the implementation of the encryption algorithm used by the drive turns out to be vulnerable to some kind of attack, the entire drive may need to be replaced. A software-based system can be upgraded a little less painfully; it still requires the drive be re-encrypted, but such things can be done passively in the background and even across multiple user sessions. The above-mentioned SandForce drives, for instance, couldn’t be fixed with a firmware patch; they had to be completely ditched.

[Email encryption is a tough balancing act for organizations. Read how in, "Email Encryption And The Goldilocks Principle."]

• Management on a large scale. Software-based encryption, whether by third-party endpoint protection suites or an OS-native technology like Microsoft BitLocker makes management part of the deployment process. SEDs need to be treated like an explicitly managed asset in order to be useful, not something that’s just deployed once and forgotten about.

• Software-based encryption doesn’t require new hardware. Existing assets can be protected with it, although the degree of protection will vary. For instance, cold-boot attacks might be easier to stage on such hardware, although some of this can be mitigated with a PIN or other two-factor authentication scheme.

• Audit incentive. Unless the next wave of SEDs are open hardware along the lines of the Open Compute Project’s work, it’s hard to audit a SED's design for flaws in its encryption. Software is a little easier to do this with, especially if it’s an open source product.

Why organizations encrypt is also an important consideration. A 2011 Ponemon Institute study surveyed some 500 IT professionals and found that the single biggest reason for using SEDs was compliance with regulations -- rather than protecting customers or minimizing the cost of a data breach. “These choices may be less important to IT practitioners,” said the report, “because they do not deal directly with consumers or financial issues.” Consequently, an organization may just default to using the endpoint encryption systems it already has in hand --i.e., software-based products, rather than purchase all-new hardware.

Okay, I need to be honest. I don't mean to sound like I believe SEDs have no place in an organization. With the right deployment strategy and the right attention to the specific security problems they mitigate, they can be useful. But they’re not by themselves a defense against data theft or loss, nor are they by themselves a compliance procedure.

Security is a process, not a product, and while you can buy products that make the process easier, the majority of the heavy lifting is still yours to do.



Related Reading



Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 

Editor's Choice

Research: 2014 State of Server Technology

Research: 2014 State of Server Technology

Buying power and influence are rapidly shifting to service providers. Where does that leave enterprise IT? Not at the cutting edge, thatís for sure: Only 19% are increasing both the number and capability of servers, budgets are level or down for 60% and just 12% are using new micro technology.
Get full survey results now! »

Vendor Turf Wars

Vendor Turf Wars

The enterprise tech market used to be an orderly place, where vendors had clearly defined markets. No more. Driven both by increasing complexity and Wall Street demands for growth, big vendors are duking it out for primacy -- and refusing to work together for IT's benefit. Must we now pick a side, or is neutrality an option?
Get the Digital Issue »

WEBCAST: Software Defined Networking (SDN) First Steps

WEBCAST: Software Defined Networking (SDN) First Steps


Software defined networking encompasses several emerging technologies that bring programmable interfaces to data center networks and promise to make networks more observable and automated, as well as better suited to the specific needs of large virtualized data centers. Attend this webcast to learn the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging.
Register Today »

Related Content

From Our Sponsor

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

Business executives are challenging their IT staffs to convert data centers from cost centers into producers of business value. Data centers can make a significant impact to the bottom line by enabling the business to respond more quickly to market demands. This paper demonstrates, through a series of examples, how data center infrastructure management software tools can simplify operational processes, cut costs, and speed up information delivery.

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Both hot-air and cold-air containment can improve the predictability and efficiency of traditional data center cooling systems. While both approaches minimize the mixing of hot and cold air, there are practical differences in implementation and operation that have significant consequences on work environment conditions, PUE, and economizer mode hours. The choice of hot-aisle containment over cold-aisle containment can save 43% in annual cooling system energy cost, corresponding to a 15% reduction in annualized PUE. This paper examines both methodologies and highlights the reasons why hot-aisle containment emerges as the preferred best practice for new data centers.

Monitoring Physical Threats in the Data Center

Monitoring Physical Threats in the Data Center

Traditional methodologies for monitoring the data center environment are no longer sufficient. With technologies such as blade servers driving up cooling demands and regulations such as Sarbanes-Oxley driving up data security requirements, the physical environment in the data center must be watched more closely. While well understood protocols exist for monitoring physical devices such as UPS systems, computer room air conditioners, and fire suppression systems, there is a class of distributed monitoring points that is often ignored. This paper describes this class of threats, suggests approaches to deploying monitoring devices, and provides best practices in leveraging the collected data to reduce downtime.

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Rack power of 10 kW per rack or more can result from the deployment of high density information technology equipment such as blade servers. This creates difficult cooling challenges in a data center environment where the industry average rack power consumption is under 2 kW. Five strategies for deploying ultra-high power racks are described, covering practical solutions for both new and existing data centers.

Power and Cooling Capacity Management for Data Centers

Power and Cooling Capacity Management for Data Centers

High density IT equipment stresses the power density capability of modern data centers. Installation and unmanaged proliferation of this equipment can lead to unexpected problems with power and cooling infrastructure including overheating, overloads, and loss of redundancy. The ability to measure and predict power and cooling capability at the rack enclosure level is required to ensure predictable performance and optimize use of the physical infrastructure resource. This paper describes the principles for achieving power and cooling capacity management.