Can Your Computer Keep a Secret? Part III: Next Generation Encrypting Hard Drives

In the first article in this series, Can Your Computer Keep a Secret? Data Protection Methods are NOT Created Equal, we discussed the pros and cons of the common data protection methods and showed their relative level of security, with encryption being the most secure approach by far. In the second article, Can Your Computer Keep a Secret? Software Solutions for Encrypting Data at Rest, we focused on encryption and took a close look at using software to encrypt the data on your hard disk. In this article we will focus on a hardware approach to encrypting data at rest: the new breed of encrypting hard drives. We will discuss the features and benefits of this next generation solution and show why the hardware-based approach to encryption is so effective.

Why encrypt within the disk drive?

The ability to encrypt data on hard disks has been around for a long time. Although primitive by today's standards, applications that encrypted specific sets of data were emerging in the early '80s, and software drivers that encrypt everything as it is written to the hard disk started appearing in 1987. It is only recently, however, that disk drives have evolved to perform hardware-based encryption within the drive itself. So far only two of the major hard disk manufacturers, Seagate and Hitachi, have produced encrypting hard drives, but other manufacturers are sure to follow suit. Seagate is leading the market, having announced the industry's first encrypting hard disk in the fall of 2006; Hitachi entered the market several months later.

There are several reasons why performing the encryption within the drive itself makes sense.

First, encryption requires a great deal of processing power. Without dedicated cryptographic hardware, the host CPU must do all of that work, robbing cycles from everything else the computer could be doing, and depending on the application and the amount of data this can have a dramatic impact on overall system performance. Encrypting hard disks, on the other hand, contain their own encryption engine: cryptographic processing is handled by the drive's hardware rather than the host CPU, so it costs the system no CPU time at all.

Second, encryption inside the drive adds security. Seagate's encryption capabilities are based on its DriveTrust technology, which includes a secure hardware environment that is inaccessible to other processes. Spyware, Trojans and other malware can often see and modify what is going on in the operating system, but they cannot reach into the DriveTrust hardware, so the encryption keys never become visible to software running on the host. The boundary of that protection is worth stating precisely: once an authorized user has unlocked the drive, the operating system reads and writes plaintext exactly as it would on an ordinary disk. An encrypting drive therefore protects data at rest against loss, theft and disposal of the media; it does not protect the data on a running, unlocked system from malware that has already compromised the host. This might be likened to an armed guard and security system positioned right next to the Mona Lisa versus protection only at the outer doors of the museum. The closer the defense mechanism is to the treasure itself, the better the security, and performing encryption within the drive puts the security as close to the data as possible.

Third, the encryption is built into the system from day one. Because the drives themselves do the encryption, everything on the disk is protected from the very beginning, including the operating system and all user and application data. Everything on the disk is already protected when the unit is purchased, and there is no need to buy and install a separate after-market or add-on software package to do the encryption. This is not only a savings in cost; it avoids the hours-long and frequently frightening initial encryption of all existing data that software solutions require. Although users can usually continue working while a software solution encrypts their data, the process can literally take hours on a large disk, and even though the software solutions are generally robust and don't deserve the fear users have of them, the need to do a full system backup first and the thought that something could go wrong along the way is tough to swallow for many users. All of that is unnecessary on a system with the encryption built into the hard disk from day one.
Features and capabilities

In addition to the characteristics mentioned above, there are a number of features found in encrypting hard drives that are worthy of note, so let's take a deeper look at the more significant ones. Although Hitachi is now producing encrypting hard drives, it has not yet released any significant details to the public regarding its technologies, features and capabilities. As a result we won't be able to say as much about Hitachi's drives as we'd like, but we will address as much as we can. Seagate, however, which was first to deliver encrypting drives and has set the standard by which other systems will be measured, has provided a considerable amount of information about its encryption solution, which allows us to discuss the capabilities and features Seagate has established in fair detail.

Both Hitachi and Seagate drives provide full disk encryption (FDE). This means that for authorized users, every write to the disk is encrypted and every read from the disk is decrypted. All data, including the operating system, swap and temporary system space, applications, application data and user data, is automatically and transparently encrypted. Apart from authenticating themselves and backing up their authentication credentials, users don't need to take any action whatsoever in order to reap the benefits of FDE and protect their stored data.

To implement FDE, both manufacturers use the widely accepted Advanced Encryption Standard (AES) with 128-bit keys. The strength of the encryption is excellent and adequate even for U.S. government classified information (AES with 128-bit keys is approved for information up to the SECRET level; TOP SECRET requires 192- or 256-bit keys). Since all encryption is done within the drive, there is no performance impact on the system's CPU. One notable difference between the two manufacturers is that Seagate's DriveTrust technology, the cryptographic engine used by the Seagate drives, includes a dedicated crypto chip, whereas Hitachi builds the encryption function into the disk drive's firmware.

Another important feature of encrypting hard drives is secure erase. Government entities and private enterprises spend millions of dollars each year to ensure that sensitive data cannot be recovered from hard drives that have been discarded, repurposed, sent out for repair, or placed in storage. On an encrypting drive the stored data is readable only through the drive's data encryption key, which the drive itself holds only in encrypted (wrapped) form, unlocked by the user's credential. Simply replacing that key instantaneously and irreversibly renders all stored data unreadable and unusable, without overwriting a single sector. Secure erase takes seconds and eliminates the time and the potential for human error associated with standard disk erase techniques such as physically destroying the disk or overwriting it with multiple passes of random data. The guarantee rests entirely on the old key being gone: the drive must discard every copy of it, including the wrapped copies held for each enrolled credential.

Seagate's encrypting hard disks, which benefit from the DriveTrust security platform built into the drives, have a number of additional capabilities and features.

Secure storage partitions are specially secured disk storage areas that are available only to software applications that have been authorized by DriveTrust. They are completely hidden from, and inaccessible to, the operating system and all other applications. Applications authorized by DriveTrust can use secure storage partitions to safely store sensitive application-specific data such as encryption keys, user passwords, account numbers, financial information, or other sensitive data. Each application has its own secure storage partition that even other DriveTrust-authorized applications can't access.

Another feature, drive pairing, allows a specific disk drive to be locked to a specific system or host. This DriveTrust technology can be used to address a number of business challenges.
For example, many organizations are concerned about USB-attached external hard drives being used to steal sensitive data from a laptop, desktop, or server, because gigabytes of stored information can be copied to such a device and carried off in a matter of minutes. Conversely, drive pairing can lock specific drives in, so that a drive can only be used with a specific set of computers. Drive pairing has many additional applications, including the prevention of illicit copying and distribution of copyrighted or otherwise protected data.

DriveTrust also includes a cryptographic service provider (CSP) built into the drive. In Microsoft Windows a CSP is a library that implements the Cryptographic API, so the DriveTrust CSP supplies Windows applications with cryptographic services performed inside the drive: encryption and decryption for authorized applications, a random number generator, cryptographic key generation, hashing, and other digital signature functions.
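The key hierarchy that makes the FDE, secure erase and credential recovery features described above work, as an added example. This is not Seagate or Hitachi code; it models the design in Python rather than reproducing any vendor's implementation, and its assumptions are labelled in the comments: a data encryption key (DEK) generated inside the drive and never exported, one wrapped copy of the DEK per enrolled credential (which is what lets an administrator's recovery credential unlock the same data), and a secure erase that discards the DEK instead of overwriting sectors. Because the Python standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for the drive's AES engine; the key handling, not the cipher, is the point.

```python
"""Model of a self-encrypting drive's key hierarchy (illustrative only).
Assumed design: a data encryption key (DEK) is generated inside the drive and
never exported; each enrolled credential holds a wrapped copy of the DEK in a
hidden area; secure erase discards the DEK instead of wiping sectors. The
HMAC-SHA256 keystream below stands in for the drive's AES engine."""
import hashlib
import hmac
import secrets

SECTOR = 512             # bytes per sector (assumed)
PBKDF2_ROUNDS = 100_000  # password-to-KEK stretching (assumed)


def _keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, tweak + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """The plaintext DEK exists only in volatile state while the drive is unlocked."""

    def __init__(self, owner_password: str, sectors: int = 8):
        self._media = [bytes(SECTOR)] * sectors      # platters hold ciphertext only
        self._wrapped = {}                            # credential label -> wrapped DEK
        self._session_dek = secrets.token_bytes(32)   # fresh DEK at manufacture
        self.enroll("owner", owner_password)
        self.power_off()

    @staticmethod
    def _kek(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _require_unlocked(self) -> None:
        if self._session_dek is None:
            raise PermissionError("drive is locked")

    def enroll(self, label: str, password: str) -> None:
        """Wrap the current DEK under a new credential (drive must be unlocked)."""
        self._require_unlocked()
        salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        kek = self._kek(password, salt)
        wrapped = _xor(self._session_dek, _keystream(kek, b"wrap" + nonce, 32))
        tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        self._wrapped[label] = (salt, nonce, wrapped, tag)

    def unlock(self, label: str, password: str) -> bool:
        record = self._wrapped.get(label)
        if record is None:
            return False
        salt, nonce, wrapped, tag = record
        kek = self._kek(password, salt)
        if not hmac.compare_digest(tag, hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()):
            return False                              # wrong password: DEK stays sealed
        self._session_dek = _xor(wrapped, _keystream(kek, b"wrap" + nonce, 32))
        return True

    def change_password(self, label: str, old: str, new: str) -> bool:
        # Re-wraps the DEK only; no sector of user data is touched.
        if not self.unlock(label, old):
            return False
        self.enroll(label, new)
        return True

    def crypto_erase(self, label: str, password: str, new_owner_password: str) -> bool:
        """Secure erase: replace the DEK. The media keeps its bytes, now noise."""
        if not self.unlock(label, password):
            return False
        self._session_dek = secrets.token_bytes(32)
        self._wrapped.clear()                         # every old credential is now useless
        self.enroll("owner", new_owner_password)
        return True

    def power_off(self) -> None:
        self._session_dek = None

    def write(self, sector: int, data: bytes) -> None:
        # Caveat: XOR keystream is reused if a sector is rewritten; real drives
        # use a tweakable block-cipher mode. Neither one provides integrity.
        self._require_unlocked()
        block = data.ljust(SECTOR, b"\0")[:SECTOR]
        tweak = b"sector" + sector.to_bytes(8, "big")
        self._media[sector] = _xor(block, _keystream(self._session_dek, tweak, SECTOR))

    def read(self, sector: int) -> bytes:
        self._require_unlocked()
        tweak = b"sector" + sector.to_bytes(8, "big")
        return _xor(self._media[sector], _keystream(self._session_dek, tweak, SECTOR))

    def raw_sector(self, sector: int) -> bytes:
        """What a thief who pulls the platters sees: ciphertext only."""
        return self._media[sector]
```

Three properties the article claims fall directly out of this structure: a password change re-wraps the DEK and leaves the platters untouched, a second (recovery) credential unlocks the same data without the DEK ever leaving the drive, and cryptographic erase changes nothing on the media yet turns every sector into noise. The same model shows the limits: a locked drive refuses reads, but an unlocked one hands plaintext to whatever asks, and the ciphertext is not authenticated, so a self-encrypting drive provides confidentiality, not integrity.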
ISVs can use the DriveTrust CSP functions to implement central key management and enhanced security features such as application-level data encryption, secure e-mail, and strong authentication of users, web sites, transactions or documents. DriveTrust's SDK (software development kit) and its associated trusted command set and issuance protocol allow central management systems to administer security functions for the entire enterprise.

In any organization it is critical to be able to assist users who forget their logon ID or password, and to administer a host of related tasks. Managing the length and security attributes of passwords; generating, escrowing and recovering keys; and governing who has authority to access which systems are all critical administrative functions. For example, if a user is unavailable for any reason, his supervisor or co-workers may need access to his PC, and key or password recovery is vital in that situation. For all of these reasons and many more, an encrypting hard drive must have a secure interface to the outside world, including the enterprise's management systems. To that end, in addition to the DriveTrust SDK and CSP, Seagate has been instrumental in the Trusted Computing Group's Storage Work Group, a standards effort with wide industry participation that is focused on establishing standards to protect stored information assets. As a result, secure messaging between host and drive has been designed into the ATA and SCSI interface protocols (the ATA TRUSTED SEND and TRUSTED RECEIVE commands and the SCSI SECURITY PROTOCOL IN and SECURITY PROTOCOL OUT commands), which carry management traffic to the drive's security subsystem.

Software and Hardware Working Together

The actual encryption of a disk drive's data is ideally done within the drive's hardware. However, if it is necessary to protect existing systems that are not equipped with an encrypting hard disk, the only choice is a software-based FDE solution for those legacy systems. Many larger organizations will have older computers requiring software FDE while at the same time deploying new systems equipped with encrypting hard disks, so running both software- and hardware-based FDE at the same time will likely be quite common. Fortunately, at least in the case of Seagate's encrypting drives, hardware- and software-based FDE systems can work together in a very complementary way. Using DriveTrust's SDK and external interfaces, software FDE vendors can enhance their products to detect whether a computer has an encrypting hard disk; if it does, the encryption is done within the drive's hardware, and if not, the product falls back to encrypting in software. Additionally, since the better software FDE packages are rich in enterprise management functions such as central help for forgotten passwords, key management, and auditing, there is strong synergy when encrypting disk drives are used in conjunction with enterprise software FDE packages and their management engines. Since encrypting hard drives are still very new to the industry, it will take time for the various software FDE vendors to add support for the drives, but that process has already begun.
Secude IT Security has already demonstrated support for Seagate's encrypting drives with its enterprise-capable FDE product, FinallySecure Pro. Wave Systems and GuardianEdge have also indicated that they will support the drives, and other leading vendors are expected to follow.

Summary conclusions

Numerous recent security incidents involving lost or stolen data have received a lot of press and attention, and with good reason. One laptop worth a couple of thousand dollars becomes a multi-million dollar device when it is loaded with sensitive data. Here's why: we at Trusted Strategies have estimated that the average cost of a security incident involving stolen personal private information is around $200 per user record. A single laptop like the one stolen from GAP in September 2007, holding 800,000 sensitive user records, is therefore a $160 million device, and thefts like the one GAP experienced are happening on an almost daily basis.

Protecting sensitive stored data has become absolutely imperative. There are many security solutions at the front door, so to speak, including password locks at the operating system, BIOS, or hard disk level, but these front door locks can be defeated by an attacker with even modest skills: an operating system or BIOS password is bypassed by moving the disk to another machine, and the ATA password on a conventional drive does not encrypt anything. The only real protection from theft is encryption of the data itself. A thief who defeats the outer locks and ultimately gets to data that has been securely encrypted obtains nothing. Encryption is the only real safe harbor for data protection, and as such it is mandated by many of the laws and regulations governing sensitive data worldwide.

Until recently, the only real option for encrypting data was to do it in software. Unfortunately this required purchasing and installing a third-party add-on software solution, doing a full-system backup, and then encrypting all of the data on the drive, a process that can take many hours on a large disk. To add to these issues, because software solutions perform all cryptographic functions on the system's CPU, there can be a substantial impact on system performance.

Fortunately, the next generation of encrypting hard drives developed by Seagate and Hitachi removes these limitations. These hardware-based encryption solutions are built in, so everything on the drive is encrypted from the beginning and there is no need for a massive initial encryption of all your data. And since the encryption is done in the drive rather than on the system's CPU, there is no negative impact on system performance. Moreover, Seagate drives include DriveTrust technology, with additional significant features that enable central management and a number of other functions for applications that need enhanced security. Features such as drive pairing and secure storage partitions are sure to enable a whole new breed of badly needed security offerings. While Seagate has set the standard for encrypting hard drives and is the undisputed leader, Hitachi has made aggressive strides and other vendors are sure to follow suit. This is all great news for ISVs as well as end consumers.

It will probably be a few years before we see encrypting drives in the mainstream, and the battle against computer crime will certainly go on, but the addition of encrypting hard drives is a huge leap forward in our quest to protect our precious and sensitive data.

Also see: Part 1: Can Your Computer Keep a Secret? Part 2: Software Solutions for Encrypting Data at Rest

Bill Bosen is a partner with the research firm Trusted Strategies. You can reach Mr. Bosen through Trusted Strategies, www.TrustedStrategies.com.

The views and positions of our guest authors are not necessarily the views of WestWorld Productions. This forum offers authors the ability to state their opinions regarding technology and industry issues. We do not endorse or condone their viewpoints. © WestWorld Productions, Inc. Staff and Management.