New Storage Security Specs Promote Hardware-Based Encryption
The Trusted Computing Group unveiled three specifications for full-disk encryption for use in all types of storage devices and encryption key management schemes
January 30, 2009
Everyone believes sensitive data should be encrypted, whether housed in the data center, stored on PCs or notebooks, or filed away on removable storage. The problem, as recent headlines show, is that too few organizations bother. Just this week, a New Zealand man who bought a used MP3 player in Oklahoma found 60 files that included the names and personal details of U.S. military personnel. That's just the latest of many examples demonstrating that drives, tapes, and entire notebooks are routinely lost with sensitive data that wasn't encrypted.
An industry standards group and many of the world's hard drive makers hope to make it easier to protect that data. The Trusted Computing Group (TCG) this week unveiled three specifications for full-disk encryption for use in all types of storage devices and encryption key management schemes. Because the encryption management technology based on the specifications is built into the hardware, any storage device using the technology could require the use of a password before the system even starts.
Devices that could use the specification range from consumer gadgets to standard PCs and notebooks to drives used in data centers, servers, and large storage arrays. "This is a great step in making encryption a standard feature for hard drives. Building security in is an excellent approach to such a difficult problem to start with," says Pete Lindstrom, research director at analyst firm Spire Security.
The three specifications include:
Storage Interface Interactions -- This specification details how all of the TCG's specifications interact with storage connections and interface specifications, including ATA, ATAPI, SCSI, Fibre Channel, and others.
Opal -- This specification details requirements for fixed storage media in PCs and notebooks.
The Enterprise Security Subsystem Class -- This specification is aimed at drives in data centers and high-volume applications, where typically there is a minimum security configuration at installation.
Backers of the TCG and the new specifications include Fujitsu, Hitachi GST, IBM, LSI Corp., Seagate Technology, Samsung, Toshiba, Wave Systems, and Western Digital.
"There are state laws [for example, in Nevada and Massachusetts] mandating full disk encryption on laptops that contain consumer data. For that reason alone, corporations need to understand the endpoint crypto capabilities already available in tools like Windows BitLocker," says Eric Ogren, analyst at research firm The Ogren Group.
"This is a 1.0 specification, which means this is just a start," Ogren adds. "Storage vendors should understand the features of the standard and charge product management with determining which features resonate with customers. Features that are attractive to customers should be placed in the product roadmap, with an eye to revising as the TCG specifications mature." Enterprise storage managers need to take a different attitude, he says. "IT managers today really can't afford to wait for this standard, however. They need to be sure they can manage keys for their encryption needs today."
Many of the hard drive manufacturers such as Fujitsu, Hitachi, and Seagate have incorporated parts of the standard in certain versions of their drives, and some businesses have adopted encryption to protect their data. Some security vendors that make encryption management software, such as Wave Systems and WinMagic, already have announced their applications are certified to the standard.