
Managing a Network of Self-Encrypting Hard Drives


With high-profile data breaches making headlines regularly, organizations are carefully evaluating their options for protecting mobile data. For years, software full-disk encryption (FDE) has been the preferred means of addressing this threat, but widespread adoption has been hampered by the complexity and cost of deploying and managing software-based FDE.

Figure 1. SED Architecture Block Diagram
Before exploring the integrated management of hardware encryption, it may be useful to step back and review the development of self-encrypting drives (SEDs). The first SEDs were made available in 2007 by Seagate Technology. Nearly three years later, nearly all hard drive vendors have developed their own versions, spurred by the publication of a single industry standard, Opal, by the Trusted Computing Group in January 2009. Today, SEDs come in various form factors and speeds, including the first solid-state SED (offered by Samsung).

The growing presence of SEDs in the data protection market can be attributed to several drivers including:

  • Federal regulations increasingly require public disclosure in the event personally identifiable information has been mishandled;
  • Storage technology is getting faster (notably solid-state technology is altering expectations in terms of data throughput and responsiveness);
  • Growing awareness within IT that the cost of encryption encompasses more than licenses: there is significant expense related to management and integration, as well as the cost of acquisition.

Notably, there are significant technological differences between traditional software-based FDE and SEDs. With an SED, the data encryption key is generated inside the drive, and access control and authorization also take place in the drive. Because the drive encrypts every sector it stores, the encryption sits below the partition table and the file system; the operating system sees ordinary plaintext once the drive is unlocked and never handles the key.

Hardware-based self-encrypting drive technology enables "always embedded" key management: when managed properly, the data encryption key is generated in the drive, stays in the drive, and is never exposed to the host. The drive thus becomes a root of trust for storage, and its data cannot be read without the original drive hardware. Unlocking requires both the access credential and that hardware (something you know and something you have), so the protected key effectively gives drive data multi-factor protection. Two points matter in practice. First, the protection applies only while the drive is locked, that is, after a power cycle and before re-authentication; an unlocked drive returns plaintext to whatever host it is attached to, so host access controls and the drive's lock-on-power-loss behaviour still matter. Second, the credential is verified inside the drive rather than on the host, so an attacker who images the user area gets ciphertext alone. By contrast, a software-encrypted partition can be copied and attacked offline, which becomes easier still if the keys are stored centrally and reachable through an insider attack.
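The key hierarchy described above, written out as an added example in Go. This is a model for the article and is not code from the article, from the Opal specification or from any drive vendor's firmware; the type and method names (Drive, NewDrive, Unlock, Lock, Read, Write, Image, xorSector, kekFor), the iterated-SHA-256 key derivation, AES-GCM key wrapping, AES-CTR sector encryption with the LBA as tweak, and the 512-byte sector size are all assumptions chosen to keep the model short. It shows the points the text makes: the data encryption key (DEK) is generated inside the drive and only ever stored wrapped under a key derived from the credential; reads and writes are refused while locked; a power cycle (Lock) discards the plaintext DEK; and a clone of the user area contains ciphertext only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const sectorSize = 512 // assumption: 512-byte LBAs

// Drive models a self-encrypting drive. The host only gets Unlock, Lock,
// Read, Write and Image; everything else is private to the "firmware".
type Drive struct {
	user    [][]byte // user-addressable sectors, always stored as ciphertext
	salt    [16]byte // reserved area, not host-addressable
	wrapped []byte   // nonce || AES-GCM(DEK) under the credential-derived KEK
	dek     []byte   // plaintext DEK, held in drive RAM only while unlocked
}

// kekFor stretches the credential into a key-encrypting key wrapped in an AEAD.
// Assumption: iterated SHA-256 stands in for whatever KDF real firmware uses.
func kekFor(credential string, salt [16]byte) cipher.AEAD {
	h := sha256.Sum256(append(salt[:], credential...))
	for i := 0; i < 20000; i++ {
		h = sha256.Sum256(h[:])
	}
	block, _ := aes.NewCipher(h[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// NewDrive provisions a drive. The DEK is generated inside and never handed
// out; only its wrapped form is kept. Encryption is always on, so even the
// factory-fresh zeros reach the medium as ciphertext.
func NewDrive(numSectors int, credential string) (*Drive, error) {
	d := &Drive{user: make([][]byte, numSectors), dek: make([]byte, 32)}
	nonce := make([]byte, 12)
	for _, b := range [][]byte{d.dek, d.salt[:], nonce} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	d.wrapped = kekFor(credential, d.salt).Seal(nonce, nonce, d.dek, nil)
	for lba := range d.user {
		d.user[lba] = d.xorSector(uint64(lba), make([]byte, sectorSize))
	}
	d.Lock() // ships locked; a power cycle has the same effect
	return d, nil
}

// Unlock authenticates inside the drive and unwraps the DEK into drive RAM.
// A wrong credential fails GCM authentication and yields no key material.
func (d *Drive) Unlock(credential string) error {
	dek, err := kekFor(credential, d.salt).Open(nil, d.wrapped[:12], d.wrapped[12:], nil)
	if err != nil {
		return errors.New("authentication failed")
	}
	d.dek = dek
	return nil
}

// Lock discards the plaintext DEK, which is what power-off does on a real SED.
func (d *Drive) Lock() { d.dek = nil }

// xorSector runs AES-CTR with the LBA in the counter block so each sector has
// its own keystream. Assumption: real drives commonly use AES-XTS; CTR keeps
// the model short but leaks the XOR of two plaintexts written to one LBA.
func (d *Drive) xorSector(lba uint64, in []byte) []byte {
	block, _ := aes.NewCipher(d.dek)
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, lba)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Write encrypts below the partition table and file system; refused while locked.
func (d *Drive) Write(lba uint64, plaintext []byte) error {
	if d.dek == nil || lba >= uint64(len(d.user)) || len(plaintext) != sectorSize {
		return errors.New("drive locked, bad LBA or bad sector length")
	}
	d.user[lba] = d.xorSector(lba, plaintext)
	return nil
}

// Read returns plaintext while unlocked and an error while locked.
func (d *Drive) Read(lba uint64) ([]byte, error) {
	if d.dek == nil || lba >= uint64(len(d.user)) {
		return nil, errors.New("drive locked or bad LBA")
	}
	return d.xorSector(lba, d.user[lba]), nil
}

// Image is the user area as it sits on the medium, i.e. what cloning the
// platters or flash yields: ciphertext only; the wrapped DEK stays inside.
func (d *Drive) Image() []byte { return bytes.Join(d.user, nil) }

func main() {
	d, _ := NewDrive(8, "correct horse")
	secret := append([]byte("TOP SECRET PAYLOAD"), make([]byte, sectorSize-18)...) // constructed sample
	fmt.Println("write while locked:", d.Write(3, secret), "| wrong credential:", d.Unlock("guess"))
	fmt.Println("unlock:", d.Unlock("correct horse"), "| write:", d.Write(3, secret))
	fmt.Println("plaintext in media image:", bytes.Contains(d.Image(), []byte("TOP SECRET")))
	d.Lock()
	_, err := d.Read(3)
	fmt.Println("read after power loss:", err)
}
```

Running it shows the locked write and the wrong-credential unlock both fail, the media image never contains the plaintext, and a read after the simulated power loss fails until the credential is presented again. The design choice worth noting is that the only copy of the DEK outside drive RAM is the GCM-wrapped blob: the host never receives the key, and the credential check is an authenticated decryption inside the drive, so there is no host-side hash for an attacker to brute-force.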
