The Pros and Cons of Opal Compliant Drives
Securing data-at-rest using hardware encrypted hard drives is becoming a popular option to keep information where it belongs.
Full-disk encryption (FDE) used to be a software-only proprietary solution. But over the past couple of years, a hardware-based hard drive standard has emerged in the form of the Opal Security Subsystem Class, or just Opal for short.
Developed by the Trusted Computing Group (TCG), a not-for-profit international standards organization, Opal is used for applying hardware-based encryption to hard drives (rotating media), solid state drives, and optical drives.
Hardware encryption has many advantages. For starters, it works with any OS. It also transfers the computational load of the encryption process to dedicated processors, cutting the stress on the host system's CPU. In addition, because the encryption/decryption keys are stored in the hard drive controller and never sit in the system's memory, cold-boot attacks don't work.
Prominent makers of Opal-compliant, self-encrypting drives (SEDs) include Hitachi, Samsung, Seagate and Toshiba.
Many independent software vendors provide management of self-encrypting drives, both locally and remotely. Such vendors include Absolute Software, CryptoMill, McAfee, Secude, Softex, Sophos, Symantec, Wave Systems and WinMagic.
"Encryption standards established by organizations such as the Trusted Computing Group are making it significantly easier to deploy security solutions such as self-encrypted HDDs on portable PCs," said IDC Industry Analyst, John Rydning.
A study released a few months ago by TCG and the Ponemon Institute found that most IT professionals agree that hardware-based encryption is superior to software varieties at protecting data-at-rest. In fact, 70 percent of the respondents said that self-encrypting drives would have an enormous and positive impact on the protection of sensitive and confidential information in the event that a data breach should occur.
The study, Perceptions about Self-Encrypting Drives: A Study of IT Practitioners, interviewed 517 IT professionals in various fields who are familiar with SEDs.
Compliance is the main driver for encrypting data-at-rest, the study found, and confidential financial documents, employee records and customer data are the top three types of data that are normally encrypted.
The main reason to encrypt data-at-rest is to comply with state or federal data protection laws, said 51 percent of the IT practitioners surveyed. The remaining 49 percent cited their organizations' need to comply with self-regulatory programs such as PCI DSS, ISO, NIST and others.
Here's a look at some pros and cons of SEDs:
Pro No. 1: Hardware-based encryption is very secure; far more secure than any software-based offering. Software can be corrupted or negated, while hardware cannot.
Software runs under an operating system that is vulnerable to viruses and other attacks. An operating system, by definition, provides open access to applications and thus exposes these access points to improper use.
Hardware-based security can more effectively restrict access from the outside, especially to unauthorized use. Additionally, dedicated hardware can have superior performance compared to software.
Pro No. 2: Hardware encryption has no negative impact on the performance of systems. In fact, dedicated hardware can always outperform software running on a general-purpose OS-based platform.
Con No. 1: Management can be difficult. Buyer beware: You will need an integrated management solution to support Opal-compliant drives, especially if you plan to do a major deployment.
Essential functions to consider: The ability to manage boot passwords and password resets. IT needs a way to access the data of a drive when an employee leaves, is unavailable, forgets the password, and so on. At the same time, IT must be able to change administration accounts quickly and easily when an IT administrator leaves, goes on vacation, and so on.
Another vital function you will need is the ability to report on the status of each particular laptop. For example, when a laptop goes missing, can you verify that the drive was indeed protected via encryption? Your ability to verify the device's status will enhance your organization's compliance with state breach disclosure laws and limit the potential for data loss.
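The status check described under Con No. 1, as an added example that is not code from the article or from any of the management vendors it names. It assumes a hypothetical management agent that exports one JSON record per laptop with the drive's Opal locking state; the field names (locking_enabled, lock_on_reset, reported_at) and the sample records are constructed for this example. Given a list of devices reported lost, it says for each one whether the evidence supports "the drive was locked", flags stale or missing evidence separately, and lists the devices that still need a breach-disclosure review.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export from a hypothetical SED management agent.
# The field names are assumptions for this example, modelled on the Opal
# locking state an agent could read from the drive: whether the Locking SP
# is activated (locking_enabled) and whether the range re-locks on a power
# cycle (lock_on_reset). They are not any vendor's real export format.
SAMPLE_STATUS_JSON = """
[
  {"device_id": "LT-1001", "locking_enabled": true,  "lock_on_reset": true,  "reported_at": "2024-05-01T09:00:00Z"},
  {"device_id": "LT-1002", "locking_enabled": false, "lock_on_reset": false, "reported_at": "2024-05-01T09:05:00Z"},
  {"device_id": "LT-1003", "locking_enabled": true,  "lock_on_reset": true,  "reported_at": "2024-01-15T12:00:00Z"},
  {"device_id": "LT-1004", "locking_enabled": true,  "lock_on_reset": false, "reported_at": "2024-05-01T09:10:00Z"}
]
"""


def load_records(text):
    """Parse the agent export into a dict keyed by device_id."""
    records = {}
    for rec in json.loads(text):
        # Agent timestamps are UTC with a trailing Z; make them timezone-aware.
        rec["reported_at"] = datetime.fromisoformat(rec["reported_at"].replace("Z", "+00:00"))
        records[rec["device_id"]] = rec
    return records


def assess_device(rec, now, max_age):
    """Classify one device's protection state at the time it went missing."""
    if rec is None:
        return "not-in-inventory"
    if now - rec["reported_at"] > max_age:
        # Old evidence cannot support a claim that the drive was locked.
        return "stale-evidence"
    if not (rec["locking_enabled"] and rec["lock_on_reset"]):
        # Encryption hardware is present, but the data is readable without credentials.
        return "unprotected"
    return "protected"


def assess_lost_devices(records, lost_ids, now, max_age_days=7):
    """Map each lost device id to its protection status."""
    max_age = timedelta(days=max_age_days)
    return {dev: assess_device(records.get(dev), now, max_age) for dev in lost_ids}


def needs_disclosure_review(assessment):
    """Devices whose loss cannot be treated as a loss of encrypted data."""
    return sorted(dev for dev, status in assessment.items() if status != "protected")


def demo():
    """Run the assessment over the constructed sample at a fixed point in time."""
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)   # constructed "date of loss"
    records = load_records(SAMPLE_STATUS_JSON)
    lost = ["LT-1001", "LT-1002", "LT-1003", "LT-1004", "LT-9999"]
    return assess_lost_devices(records, lost, now)


if __name__ == "__main__":
    result = demo()
    for dev, status in result.items():
        print(f"{dev}: {status}")
    print("review for disclosure:", needs_disclosure_review(result))
```

Stale evidence is checked before the locking flags on purpose: a months-old "locked" report says nothing about the drive's state on the day it was lost, so it is reported as its own category rather than counted as protected.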
Con No. 2: SEDs are not designed to protect data in flight.
As SEDs are focused on data at rest, you will have to choose another solution to protect your data in flight. Popular and successful techniques include the cryptographic protocols Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL).
TLS and SSL provide communication security over the Internet by encrypting the segments of network connections above the transport layer. These protocols are widely used in Web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP so there's virtually no learning curve with these technologies.
Herman Mehling has written about IT for more than 25 years. He has worked for many leading computer publications and websites, including Computer Reseller News, eWeek, and InformationWeek. Currently, he contributes regularly to Devx.com and Enterprisestorageforum.com as well as ProjectManagerPlanet.com.