Wave Systems Rides The Wave Of Self-Encrypting Disk Drives

Protecting the confidentiality of data on mobile devices is an increasingly critical issue. For example, the loss or theft of laptop computers has led to numerous breaches of data privacy laws for exposing confidential information, such as Social Security and credit card numbers. Public admission of such a data breach is not only a matter of embarrassment and direct costs, such as notifying individuals of the thefts, but may also subject the company to fines and other sanctions.

David Hill

February 9, 2010

6 Min Read
NetworkComputing logo in a gray background | NetworkComputing

Protecting the confidentiality of data on mobile devices is an increasingly critical issue. For example, the loss or theft of laptop computers has led to numerous breaches of data privacy laws for exposing confidential information, such as Social Security and credit card numbers. Public admission of such a data breach is not only a matter of embarrassment and direct costs, such as notifying individuals of the thefts, but may also subject the company to fines and other sanctions.

That is the only the visible tip of the confidentiality iceberg. The vast majority of laptops probably don't contain that kind of information on them. However, they may include information that requires confidentiality from intellectual property to customer lists for sales representatives or other business planning documents. A bigger issue is public disclosure. Even when information lost is not overly sensitive, that is hard to prove and often requires the damaging public disclosure of a breach. For that reason, mobile devices used by businesses, as well as government and non-profit organizations, need to be protected, and the data encrypted.

Encryption seems to be the magic bullet most likely to successfully ensure data confidentiality. Two types of encryption are available for storage devices: software and hardware. Software has the advantage over hardware in that it can be retrofitted to existing pieces of storage media, such as hard drives or flash drives that do not have encryption or self-encryption built in. Conversely, hardware encryption is an option that must be chosen either when new mobile devices are purchased or through a painful migration of data and switchover to the self-encrypted drive. That is a costly use of personnel and product investment resources.

So then software encryption is best, right? The answer is an emphatic no. Why? Because software encryption suffers from performance degradation, imperfect security, and an IT management burden for both deployment and maintenance. The performance degradation comes about because software-based full disk encryption relies on a mobile device's memory and processing resources, often resulting in noticeably longer boot and response times. Imperfect security in software encryption often results from management and access issues, such as "cold boot" attacks (stealing information from memory at shut down time). The IT management burden of software encryption starts with the time required to encrypt a single device, which is reputedly between 3 1/2 to 24 hours for a 500 GB disk.

The hardware alternative consists of self-encrypting drives made by a number of manufacturers based on the Trusted Computing Group (TCG) "Opal" encryption specification. These drives contain a dedicated processor, dynamic RAM and boot environment that lead to higher security than software-based encryption solutions. For example, encryption keys reside in the disk controller and not system memory and are impervious to attack since external I/Os can never reach the disk controller itself. In addition, self-encrypting drives impose no performance penalty because dedicated processors in the disk provide the heavy lifting in a swift and transparent manner and without requiring any system memory or processing resources. Moreover, self-encrypting drives are always on, something that software-based encryption can not always claim, which is essential for ensuring you are truly in compliance with data breach laws.Wave Systems Provides The Management Capabilities For Self-Encrypted Drives

Encryption is necessary for ensuring the security of mobile devices but is not sufficient alone. IT management must be provided for policy-based access controls, centralized administration and proof of compliance. Individuals should not be allowed to manage passwords on their own since organizations then run the risk of losing company data should a user lose or forget a password.

Wave Systems is a supplier of the software required to manage these processes. At the organizational level, Wave's EMBASSY software centrally provisions security policies across the enterprise and provides access controls. Encrypted information is only available to authorized users, and EMBASSY can also be used to reset passwords if necessary. Most importantly, the software also provides the enforcement capability to prove that a laptop's data was encrypted at the time that it went missing, eliminating the need to report any data breach.

Without that capability, an organization is in a quandary. If it can not prove for certain that data on a missing laptop was encrypted, what does it do next? If it reports a data breach but the data was really encrypted, then it takes the heat for public exposure of confidential data where none occurred. Yet, if it does not report a data breach and the data was not encrypted, and the exposure of the data is found out after the fact, the company is likely in for a world of hurt.

For large enterprises, Wave provides the EMBASSY Remote Administration Server solution that allows the IT organization to manage policies and access control from a centralized location. This software integrates with existing directory structures and policy distribution mechanisms, allowing customers to leverage an existing directory framework to greatly simplify deployment, saving precious time and money. Wave's ERAS solution can also be used to manage other embedded hardware security, such as the Trusted Platform Module security chips now standard in business-class PCs.At the client level, Wave provides a Trusted Drive Manager, which activates on-board security features in self-encrypting drives, such as pre-boot authentication. This software, often pre-loaded on PCs, such as Dell machines containing a self-encrypting drive, also enforces policy-based access controls when the laptop is turned on. Moreover, integration with Microsoft's Windows password updates enables the drive access policies to be automatically updated at the same time the operating system is upgraded. This not only ensures compliance to company password policies but also simplifies the overall management process.
 
One additional Wave capability of note is secure "erase" for the safe retirement, disposal or transfer to another user and their associated drives. Simply changing the encryption key effectively makes any and all data on the drive securely inaccessible. At first that may not seem like a big deal, but it actually is. The laptop can still be used by a new user, as the original user's data cannot be accessed by a new user. Contrast that to the time-consuming processes of overwriting and data shredding that would have to be otherwise applied.

Wave Systems finds itself in a dependency relationship with the sales of self-encrypting drives on laptops. If the sales of these drives grow rapidly, the company should benefit roughly proportionally as self-encrypting drives used in businesses need to be managed by someone. Though individuals' laptops could use a product such as Trusted Drive Manager, companies that want IT to manage the encryption process across the board require a larger solution, such as Wave's EMBASSY software. We believe that the managed self-encrypting drive market should grow rapidly. Individuals buying a laptop for personal use may choose encryption or not. But companies that have or expect that they might have a risk of exposure of confidential data, especially personal and not just business information, don't have the luxury of choice

Since retrofitting or replacing employee laptops may be prohibitively expensive, IT would be well-advised to execute a plan where new laptops have managed self-encrypting drives. A triage scheme may have to be put in place where the key individuals most likely to have sensitive confidential information receive new laptops sooner. The plan may tie into other issues, as well, such as a migration to Windows 7. Regardless, IT should start strategizing on how best to ensure the security of data on mobile devices as soon as possible. In my opinion, self-encrypting hard drives that leverage the TCG specification, coupled with cross-platform management solutions, such as Wave Systems' offerings, offer an excellent place to begin.

About the Author

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights