Securing Data on a Moving Target: Self-Encrypting Drives Deliver Top Security, Performance and Manageability

by Guest Author

Today’s increasingly mobile work force has moved more and more end-users, devices, computing applications and highly sensitive data beyond the safety of the enterprise firewall. As the number of laptops multiplies across the enterprise, the prospect of a security breach through a lost or stolen device shifts from a speculative risk to a virtual inevitability. Such breaches can now be measured in dollar signs, as underscored by a 2009 study by the Ponemon Institute, which estimated a lost or stolen laptop can cost an enterprise $200 for every customer record stored on the device. Much of this cost derives from penalties imposed by “Notice of Breach” laws adopted by 46 states and the District of Columbia, and throughout Europe by the European Union Data Protection Directive and the Data Protection Act in the U.K. Such laws often require a company to publicly report security breaches unless it can guarantee the data is safe and unable to be misused by unauthorized persons.


Today’s increasingly mobile work force has moved more and more end-users, devices, computing applications and highly sensitive data beyond the safety of the enterprise firewall. As the number of laptops multiplies across the enterprise, the prospect of a security breach through a lost or stolen device shifts from a speculative risk to a virtual inevitability. Such breaches can now be measured in dollar signs, as underscored by a 2009 study by the Ponemon Institute, which estimated a lost or stolen laptop can cost an enterprise $200 for every customer record stored on the device. Much of these costs derive from penalties imposed by “Notice of Breach” laws adopted by 46 states, the District of Columbia and throughout Europe with the European Union Data Protection Directive and the Data Protection Act in the U.K. Such laws often require a company to publicly report security breaches unless it can guarantee the data is safe and unable to be misused by unauthorized persons.

Consequently, most corporate IT managers now agree that full-disk encryption (FDE) isn’t merely critical to securing sensitive data, it is pivotal to their organizations’ financial well-being. This has fueled a host of third-party FDE software solutions that encrypt all data stored on a disk drive, including bootable operating system partitions. Yet, while software FDE solutions are a step in the right direction, they have their shortcomings. They do not, for example, encrypt the master boot record, and thus leave data exposed to attacks targeting a laptop’s operating system. Also, like any add-on application, software FDE draws on a PC’s memory and processing resources, leading to degradation of overall system performance.

The limitations of software solutions have led more and more IT managers to favor the superior FDE provided by self-encrypting drives (SEDs). An SED is like any standard hard drive, with one key difference: It embeds encryption into the drive itself. Thus, data is protected the moment it is written to the drive.

Seagate introduced the first laptop hard drive with built-in encryption in 2007. Since then, the Trusted Computing Group (TCG) has defined an SED standard called Opal that has paved the way for a wide range of Opal-based SEDs from leading hard drive manufacturers like Seagate and Hitachi, flash vendors like Micron and Samsung and external drive providers like CMS. PC vendors like Dell, HP and Lenovo offer these SEDs on a variety of systems, for little to no additional cost. Gartner estimates that in five years all drives will be hardware encrypted.

How Do SEDs Work?
How SEDs work is simple: they comprise a closed and independent architecture with their own processor and memory, and impose very strict limits on the code that can run within that architecture. Encryption and decryption of data occurs in the drive controller itself, rather than relying on the PC’s host CPU.

Every SED reserves a small block of internal memory isolated from the rest of the drive. These “protected partitions” securely house encryption keys and user access credentials. Once the drive is unlocked, data will flow normally in and out of the drive. If you are an authorized user, you can access the data. If you are not, the drive will not grant access and the data cannot be obtained by any other means, such as traditional software-based attacks via malware and rootkits. All data on the drive is encrypted, all the time.

Since the encryption key is created onboard the drive during manufacture and never leaves the drive’s protected hardware boundary, it is impossible to steal and it is immune to traditional software attacks. No software – malicious or otherwise – can run on the machine until the drive is unlocked and the OS is booted.
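A minimal software model of the key handling described above, added here as an illustration and not a real drive’s firmware or any vendor’s code: the data encryption key (DEK) is generated inside the “drive” and exists only in wrapped form in the protected partition until a credential unlocks it; the media holds only ciphertext, reads and writes are refused while locked, and changing the credential rewraps the DEK without touching the media. The class and method names are hypothetical, and HMAC-SHA256 in counter mode stands in for the drive’s AES so the model runs with the standard library alone.

```python
import hashlib
import hmac
import secrets


class SimulatedSED:
    def __init__(self, credential: bytes):
        self.media = {}    # LBA -> ciphertext; the platters only ever hold ciphertext
        self._salt = secrets.token_bytes(16)
        self._dek = None   # data encryption key, present in the drive only while unlocked
        dek = secrets.token_bytes(32)                 # generated inside the drive at manufacture
        self._wrapped = self._wrap(dek, credential)   # stored in the protected partition

    def _wrap(self, dek: bytes, credential: bytes) -> tuple[bytes, bytes]:
        k = hashlib.pbkdf2_hmac("sha256", credential, self._salt, 100_000, dklen=64)
        blob = bytes(a ^ b for a, b in zip(dek, k[:32]))           # DEK XOR wrap key
        return blob, hmac.new(k[32:], blob, "sha256").digest()     # plus integrity tag

    def unlock(self, credential: bytes) -> bool:
        # The credential-derived key is never stored; it is recomputed at each unlock.
        k = hashlib.pbkdf2_hmac("sha256", credential, self._salt, 100_000, dklen=64)
        blob, tag = self._wrapped
        if not hmac.compare_digest(hmac.new(k[32:], blob, "sha256").digest(), tag):
            return False   # wrong credential: the DEK stays wrapped
        self._dek = bytes(a ^ b for a, b in zip(blob, k[:32]))
        return True

    def lock(self) -> None:
        self._dek = None

    def change_credential(self, old: bytes, new: bytes) -> bool:
        # Only the wrapper is rewritten; no sector of media is re-encrypted.
        if not self.unlock(old):
            return False
        self._wrapped = self._wrap(self._dek, new)
        return True

    def _xor_stream(self, lba: int, buf: bytes) -> bytes:
        # HMAC-SHA256 in counter mode keyed by the DEK stands in for the controller's AES.
        if self._dek is None:
            raise PermissionError("drive is locked")
        blocks = (hmac.new(self._dek, lba.to_bytes(8, "big") + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range((len(buf) + 31) // 32))
        return bytes(a ^ b for a, b in zip(buf, b"".join(blocks)))

    def write(self, lba: int, data: bytes) -> None:
        self.media[lba] = self._xor_stream(lba, data)

    def read(self, lba: int) -> bytes:
        return self._xor_stream(lba, self.media[lba])
```

Because the media is keyed by the DEK rather than by the user credential, a credential change costs one rewrap of a 32-byte blob, which is why the article can describe key management as having no IT overhead.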

The “baked in” encryption of data also provides logistical and cost of ownership benefits over software solutions. Because encryption keys never leave the hard drive, there is no need for IT staff to spend time or money managing keys, or building key escrow and backup programs. Plus, SEDs do not draw on a machine’s memory or processing resources, thus avoiding the marked degradation that software solutions often impose on system performance. A study by Trusted Strategies LLC showed a commercially available SED performed as well as a standard drive and handled large-file operations nearly twice as fast as three drives equipped with active software-based encryption tools.

SED Deployment
SEDs are also supremely easy to deploy. In the study cited earlier by Trusted Strategies, software encryption tools took anywhere from 3½ to 24 hours to fully encrypt a hard drive. In contrast, a corporate IT department can phase SEDs in with the purchase of each new machine. Since the drive comes built-in and with encryption on, there is virtually no IT overhead or machine downtime required to turn on data protection.

The emergence of Cloud platforms has only facilitated the deployment and management of SEDs. Small- to medium-size businesses can now tap management tools once available only to large organizations with the resources to maintain on-premise solutions. Such Cloud-based solutions enable drive initialization, user management, drive locking and user recovery for all SEDs. More importantly, they provide IT with a centralized platform with which to institute SED-driven security policies, thereby ensuring stronger data security and compliance with data breach laws even if a laptop goes missing.

Although today’s workforce continues to expand beyond the corporate firewall, the fundamental goal of IT administrators remains the same: To ensure the security of all data, users, devices and applications – from the network’s central servers all the way out to every scattered end-point. Achieving this task in full compliance with Notice of Breach regulations demands a best-in-class option for centrally managed data encryption.

SEDs are the only physically self-contained FDE solution that avoids degradation of system performance, and enables remote centralized management via captive server or the Cloud. These qualities alone identify them as the best-in-class FDE solution commercially available today.

About the Author

Lark Allen – Executive Vice President of Business Development, Wave Systems

Mr. Allen is responsible for Wave’s business and corporate development, specifically creating strategic technology relationships and evaluating opportunities that have potential to achieve Wave’s strategic goals. Additionally, Mr. Allen oversees the development of a core set of markets and strategies related to security products, thereby furthering the company’s competitive positioning.

Mr. Allen plays an active role in a number of industry standards organizations, including the Trusted Computing Group where he is a member of the Storage Work Group, which builds upon existing TCG technologies and focuses on developing open standards around secure data storage. Mr. Allen has more than thirty years of industry IT experience with large enterprises and has held executive management positions in sales, marketing, development and consulting. Before coming to Wave, Mr. Allen worked for many years with IBM. He graduated from Brigham Young University with a BS in Physics and earned an MS in Industrial Administration from Purdue University.