Wave Embassy Trusted Drive Manager Simplifies Encrypted Drive Management

Securing data on laptops protects your company's data in the event the laptop is lost or stolen. According to the DatalossDB, which is maintained by the Open Security Foundation, by November 22, 2010, 12 million personal records have been exposed because of lost or stolen computers, laptops, disks, and other media. That tally doesn't include data loss such as intellectual property and other company secrets. Losing data is a risk most companies can't afford. Encrypting hard drives is one critical step to ensure lost or stolen computers, laptops, and media aren't exposing your company.

Rather than encrypting files and folders, which require users to save sensitive information to the right location, encrypting the entire drive is largely transparent to the user and sufficient to ensure data will be kept from prying eyes. Software-based whole disk encryption is one option, but there is a significant performance hit when reading or writing data. Hard disk encryption speeds the process by performing encryption on the disk controller in hardware. In addition, the encryption keys are generated and retained in the drive hardware, protecting them from memory debuggers.

Wave's Embassy Trust Suite and Embassy Remote Administration Server (ERAS) 1.6 offers a useful pairing of hard disk encryption and remote administration. We tested these products and found them to be simple to use. In particular, ERAS makes managing encrypted drives from a central point easy.

Embassy Trust Suite with Trusted Drive Manager is the stand-alone management application for individual laptops. It is pre-loaded on Dell laptops that have encrypted drives, and is an option on laptops from HP and Lenovo. Trusted Drive Manager is an ETS module and allows users with administrative privileges to create encryption keys and manage authorized drive users. TDM also integrates with Windows to provide single sign-on so users that successfully log into the drive are also logged into Windows.

Enterprises, however, should centrally manage these drives to enforce uniform encryption policies and support users that forget passwords and encounter other problems. With ERAS and Trusted Drive Manager, you can centrally manage the secure hard drive , Trusted Platform Management (TPM), and biometric polices on domain computers. ERAS is integrated with Windows, so you can synchronize users' Domain credentials with the encrypted drives for single sign-on and password policy enforcement. If you need encrypted drives, a central manager is a must for effective management.We tested TDM on Embassy Trust Suite and ERAS using a pair of Dell Lattitude E6400s. One had a Seagate Momentus 160GB, 7200 RPM hard disk and the other had a Samsung PB22-JS3 Full Disk Encryption (FDE) solid state drive. Both laptops were part of the domain, but only one drive was managed by ERAS. The other was managed with Wave's Embassy Security Center locally so we could get a feel for local administration. In an enterprise environment, you definitely want ERAS to make it easier to support multiple laptops.

Unlike software disk encryption which either encrypts the drive or not, encrypting hard drives are always encrypting and decrypting the data written to and read from the drive. A drive becomes protected when user credentials--an account and password--is added to the drive. The user credentials encrypt the drive Media Encryption Key. A successful login to the drive decrypts the Media Encryption Key, granting access to the drive. The Media Encryption Key never leaves the drive. Multiple user accounts can be assigned to the drive, and each account will have its own copy of the Media Encryption Key encrypted with the user password. If you want to wipe the drive, you can have ERAS generate a new drive Media Encryption Key. NIST is considering making a Media Encryption Key change equivalent to a level-4 wipe, which requires 7 overwrite passes of a drive.

The price premium for an encrypting drive isn't as much as you might think. For example, a Seagate Momentus 160GB, 7200 RPM has a street price of approximately $88, while a similarly sized non-encrypting drive are less. The price difference between encrypting SSDs is difficult to nail down because Samsung's FDE SSD is an OEM product. A Web search showed a range of  between $600 and $700 for the Samsung FDE and nonFDE 256GB drives. However, you don't need encrypting drives on all your laptops--just the ones carrying sensitive data.

ERAS is a Microsoft Management Console (MMC) plug-in. The computers in the domain show up in the Computers tab, which displays the computers' status such as drive protection.. There is also an extensive audit log that is sent to Microsoft's event log to track administrative actions . ERAS manages encrypting drives and the Trusted Platform Module (TPM) if it is installed and enabled. Management of trusted drives is fairly hands-off once the drives have been initialized and users have been assigned to them. Multiple users can be assigned to a single laptop, so that a laptop can be shared among many users, or to retain administrative privileges.

Once a trusted drive is managed by ERAS, local management is blocked. A drive administrator can view the trusted drive options, but changes can only be made from ERAS. This feature centralizes control and logging at ERAS and prevents administrators or users that have direct access to a machine from changing trusted drive settings, potentially irretrievably locking a drive. Centralized management also means that computers managed by ERAS must be connected to the ERAS server for changes to take immediate effect. If a computer is not connected, such as a laptop that is out of the office, the configuration changes are queued until the computer connects to ERAS.User passwords can be synchronized with Windows for single sign-on using Windows Password Synchronization. This means the user's Domain credentials will be synchronized with the drive automatically, even when the user changes passwords. ERAS doesn't enforce Domain password policies; instead, it relies on Windows Group Policy Objects to do so. If the passwords get out of synch, then the drive password can be temporarily reset. This is a two-step process: first, the password is reset in ERAS, creating a temporary password on the drive. Second, when the user powers up the computer, they enter the reset password, and then log in to Windows using their domain password. Once the user logs in, the Domain credentials are applied to the drive. It's not exactly single sign-on, but it is one less password for the user to remember and only happens on the rare occasion that password get out sync. The computer has to be connected to the ERAS server for the password reset initiated from ERAS to take effect.

If a remote user can't connect to ERAS, then a lost drive password can be recovered using a pre-installed password or a challenge/response. When the drive is initialized, a user account called recovery_agent is assigned to the drive with a long, complex password. When the user calls in for help, the help desk can read off the password, which the user enters to unlock the drive. However, once you've used the pre-installed password, you must generate a new recovery password and apply it on the drive; otherwise or the user can continue to use the same password over and over. Once the user has recovered the drive, make sure you generate a new password if the user is connected to ERAS. An easier alternative uses a challenge/response method, which automatically generates a new recovery password once the current one is used and doesn't require the client to be connected to ERAS.

We tested the drive performance using IOmeter and the stock 4KB configuration files that ship with IOmeter. While there was a marked difference in file transfer speed and I/O operations per second between the Seagate HDD and the faster Samsung SSD, there was no difference in performance when the drive was protected or not.

Pricing for ERAS starts at $93 per user for 50 users. Volume pricing discounts are available.