Can your computer keep a secret? Part III: next generation encrypting hard drives.
Why encrypt within the disk drive?
The ability to encrypt data on hard disks has been around for a long time. Although juvenile by today's standards, applications that encrypt specific sets of data were emerging in the early '80s, and software drivers that encrypt everything as it is being written to the hard disk started appearing in 1987. However, it's only recently that disk drives have evolved to perform hardware-based encryption within the drive itself. So far, only two of the major hard disk manufacturers, Seagate and Hitachi, have produced encrypting hard drives, but other manufacturers are sure to follow suit. Seagate is leading the market, and announced the industry's first encrypting hard disk in fall of 2006. Hitachi entered the encrypting hard disk market several months later.
There are several reasons why performing the encryption within the drive itself makes sense. First, encryption requires a great deal of processing power to carry out the complicated and intense cryptographic operations. Without dedicated cryptographic hardware, a device's CPU must do all the processing, essentially robbing cycles from other tasks the computer could be doing. Encryption done within the device's CPU can, depending on the application and amount of data, have a dramatic impact on overall system performance. Encrypting hard disks, on the other hand, contain their own encryption chip. Cryptographic processing is handled by the drive's hardware, not the computer's CPU, so there is no impact on the system's performance.
Another reason that makes doing encryption within the hard drive a good idea is added security. For example, Seagate's encryption capabilities are based on their DriveTrust technology, which includes a secure hardware environment that is inaccessible to other processes. Spyware, Trojans, or other forms of malware can often see and modify what is going on in the operating system, but they can't penetrate the DriveTrust hardware, so encryption done within the secure hard drive is not subject to having the encryption keys captured or the data modified. This might be likened to an armed guard and security system positioned right next to the Mona Lisa versus protection only at the outer doors of the museum. The closer the defense mechanism is to the treasure itself, the better the security. Performing encryption within the drive itself puts the security as close to the data as possible.
A third advantage of doing encryption within the hard disk is the fact that it is built into the system from day one. Because the drives themselves do the encryption, everything on the disk can be protected from the very beginning, including the operating system and all user or application data. Everything on the disk is already protected when the unit is purchased, and there is no need to buy and install a separate aftermarket or add-on software package to do the encryption. This is not only a savings in cost, but avoids the hours-long and frequently frightening process of the initial encryption of all data on the disk that software solutions require. Although users can usually continue working during the initial encryption of their data when a software encryption solution is installed, the process can literally take hours on a large disk. Even though the software solutions are generally robust and don't deserve the fear users have of them, the need to do a full system backup and the thought that something could go wrong during the process is tough to swallow for many users. All of that is unnecessary on a system with the encryption built into the hard disk from day one.
Features and capabilities
In addition to the characteristics mentioned above, there are a number of features found in encrypting hard drives that are worthy of note, so let's take a deeper look at the more significant ones. Although Hitachi is now producing encrypting hard drives, they have not yet released any significant details to the public regarding their technologies, features, and capabilities. As a result we won't be able to say as much about their systems as we'd like, but we will address as much as we can. Seagate, however, which was first to deliver encrypting drives and has set the standard whereby other systems will be measured, has provided a goodly amount of information regarding their encryption solutions. This allows us to discuss the list of capabilities and features established by Seagate in fair detail.
Both Hitachi and Seagate drives provide full disk encryption (FDE). This means that for authorized users, every write to the disk is encrypted and every read from the disk is decrypted. All data, including the operating system, swap and temporary system space, applications, application data, and user data is automatically and transparently encrypted. Apart from authenticating themselves and backing up their authentication credentials, users don't need to take any action whatsoever in order to reap the benefits of FDE and protect their stored data.
To implement FDE, both manufacturers use the widely accepted Advanced Encryption Standard (AES) and 128-bit key lengths, so the strength of the encryption is excellent and adequate for even U.S. government classified information. Since all encryption is done within the drive, there is no performance impact on the system's CPU. One notable difference between the two manufacturers is that Seagate's DriveTrust technology, which is the cryptographic engine used by the Seagate drives, includes a dedicated crypto chip whereas Hitachi builds the encryption function into the disk drive's firmware.
Another important feature found in encrypting hard drives is called secure erase. Government entities and private enterprise spend millions of dollars each year to ensure that sensitive data is not recovered from hard drives that have been discarded, repurposed, out for repair, or are being stored. Simply changing the encryption key on an encrypted disk, or more accurately, the key(s) to the encrypted encryption key, instantaneously and securely renders all stored data unreadable and unusable. Secure erase can be done in seconds and eliminates the time and potential for human error associated with standard disk erase techniques such as physically destroying the disk or overwriting it with multiple passes of random data.
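The key hierarchy behind secure erase can be modelled in a few lines. This is an added example, not Seagate or Hitachi code: it assumes a two-level hierarchy in which a password-derived key wraps a 128-bit media key, `ModelDrive` and `xor_stream` are hypothetical names, and an HMAC-SHA256 keystream stands in for the drive's AES so the block runs on the Python standard library alone. It goes slightly beyond the paragraph by contrasting a password change (media key re-wrapped, data intact) with secure erase (media key replaced, ciphertext still on disk but undecryptable).

```python
import hashlib, hmac, secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 keystream); a real drive uses AES in hardware."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ModelDrive:
    """Hypothetical model: a media key encrypts sectors, a password-derived key wraps it."""

    def __init__(self, password: str):
        self.sectors = {}  # LBA -> ciphertext, standing in for the platters
        self._wrap(secrets.token_bytes(16), password)  # 128-bit media key

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _wrap(self, media_key: bytes, password: str) -> None:
        self.salt = secrets.token_bytes(16)  # fresh salt, so a fresh wrapping key
        kek = self._kek(password)
        self.wrapped = xor_stream(kek, b"wrap", media_key)
        self.tag = hmac.new(kek, media_key, hashlib.sha256).digest()

    def _unlock(self, password: str) -> bytes:
        kek = self._kek(password)
        media_key = xor_stream(kek, b"wrap", self.wrapped)
        if not hmac.compare_digest(self.tag, hmac.new(kek, media_key, hashlib.sha256).digest()):
            raise PermissionError("wrong password")
        return media_key

    def write(self, password: str, lba: int, data: bytes) -> None:
        self.sectors[lba] = xor_stream(self._unlock(password), lba.to_bytes(8, "big"), data)

    def read(self, password: str, lba: int) -> bytes:
        return xor_stream(self._unlock(password), lba.to_bytes(8, "big"), self.sectors[lba])

    def change_password(self, old: str, new: str) -> None:
        self._wrap(self._unlock(old), new)  # re-wrap only; sectors are untouched

    def secure_erase(self, password: str) -> None:
        self._unlock(password)  # caller must be authorized
        self._wrap(secrets.token_bytes(16), password)  # old media key is gone for good
```

Neither operation touches `sectors`, which is why both complete in constant time regardless of disk size; only the few bytes of wrapped key material change.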
Seagate's encrypting hard disks, which benefit from the DriveTrust security platform built into the drives, have a number of additional capabilities and features. Secure storage partitions are specially secured disk storage areas that are only available to software applications that have been authorized by DriveTrust. Secure storage partitions are completely hidden and inaccessible to the operating system and all other applications. Applications authorized by DriveTrust can use secure storage partitions to safely store sensitive application-specific data such as encryption keys, user passwords, account numbers, financial information, or other sensitive data. Each application has its own secure storage partition that even other DriveTrust authorized applications can't access.
Another feature, drive pairing, allows a specific disk drive to be locked to a specific system or host. This DriveTrust technology can be used to address a number of business challenges. For example, many organizations are concerned about USB-attached external hard drives being used to steal sensitive data from a laptop, desktop, or server. Because gigabytes of stored information can be copied to such a device and stolen in a matter of minutes, there is large and growing demand for restricting their use to authorized systems. Drive pairing can be used to lock out specific drives, including unauthorized USB-attached external hard drives, so they can't be attached to a given host. Conversely, drive pairing can 'lock in' specific drives, so a drive can only be used with a specific set of computers. Drive pairing has many additional applications, including the prevention of illicit copying and distribution of copyrighted or otherwise protected data.
DriveTrust also includes a cryptographic service provider (CSP) built into the drive. A CSP supplies Microsoft Windows applications with advanced cryptographic services such as encryption and decryption for authorized applications as well as a random number generator, cryptographic key generation, hashing, and other digital signature functions. ISVs can utilize the DriveTrust CSP functions to implement central key management and enhanced security features such as application-level data encryption, secure email, and strong authentication of users, web sites, transactions, or documents.
DriveTrust's SDK and associated trusted command set and issuance protocol allow central management systems to administer security functions for the entire enterprise. In any organization, it's critical to be able to assist users who forget their logon ID or password, and to administer a host of other related tasks. Managing the length and security attributes of passwords, key generation, escrowing, and recovery, and governing who has authority to access what systems are all critical administrative functions. For example, if a user is unavailable for any reason, their supervisor or co-workers may need to have access to their PC. Key or password recovery is vital in this situation. For all of these reasons and many more, an encrypting hard drive must have a secure interface to the outside world, including the enterprise's management systems. Fortunately, to that end, in addition to the DriveTrust SDK and CSP, Seagate has been instrumental in creating and working with the Trusted Storage Group standards body. This group is focused on establishing standards to protect information assets and has wide industry participation. As a result, secure messaging has been designed into the ATA and SCSI interface protocols.
Software and Hardware Working Together
The actual encryption of a disk drive's data is ideally done within the drive's hardware. However, if it's necessary to protect existing systems that aren't equipped with an encrypting hard disk, the only choice is to use a software-based FDE solution to protect those legacy systems. Many larger organizations will have both older computers requiring software FDE, and at the same time be deploying new systems equipped with encrypting hard disks. So having both software- and hardware-based FDE solutions at the same time will likely be quite common.
Fortunately, at least in the case of Seagate's encrypting drives, both hardware- and software-based FDE systems can work together in a very complementary way. Utilizing DriveTrust's SDK and external interfaces, software FDE vendors can enhance their software to detect if a computer has an encrypting hard disk, and if it does, the encryption can be done within the drive's hardware. If no encrypting drive is present, then the encryption can fall back to a software approach. Additionally, since the better software FDE packages are feature rich with enterprise management functions such as central help for forgotten passwords, key management, auditing, etc., there is strong synergy present when encrypting disk drives are used in conjunction with enterprise software FDE packages and their management engines.
Since encrypting hard drives are still very new to the industry, it will take time for the various software FDE vendors to add support for the drives, but that process has already begun. Secude IT Security has already demonstrated support for Seagate's encrypting drives with their FinallySecure Pro enterprise-capable FDE product. Wave Systems and Guardian Edge have also indicated they will support the drives. Other leading vendors are expected to follow.
Numerous recent security incidents involving lost or stolen data have received a lot of press and attention, and with good reason. One laptop worth a couple of thousand dollars can become a multi-million dollar device when loaded with lots of sensitive data. Here's why. We at Trusted Strategies have estimated that the average cost of a security incident involving stolen personal private information is around $200 per user record. A single laptop like the one stolen from GAP in September 2007 with 800,000 sensitive user records is actually a $160 million device! Unfortunately, thefts like the one GAP experienced are happening on an almost daily basis. Protecting sensitive stored data has become absolutely imperative.
There are many security solutions at the front door so to speak, including password locks at the operating system, BIOS, or hard disk level. However, these front door locks can be easily defeated by an attacker with even modest skills. The only real protection from theft is encryption of the data itself. A thief who defeats the outer perimeter locks and ultimately gets to data that has been securely encrypted obtains nothing. Encryption is the only real safe harbor for data protection. As such, it is mandated by many of the laws and regulations governing sensitive data worldwide.
Until recently, the only real option for encrypting data was to do it in software. Unfortunately this required the purchase and installation of a third-party add-on software solution, then doing a full-system backup, and finally encrypting all of the data on the drive. The installation and initial encryption process of such a software-based solution can take many hours on a large disk. To add to these issues, because software solutions perform all cryptographic functions within the system's CPU, there can be a substantial impact on system performance.
Fortunately, the next generation of encrypting hard drives developed by Seagate and Hitachi solves these limitations. These hardware-based encryption solutions are built in, so everything on the drive is encrypted from the beginning and there is no need to do a massive initial encryption of all your data. And since the encryption is done in the drive, not the system's CPU, there is no negative impact on system performance.
Moreover, Seagate drives include DriveTrust technology with additional significant features that empower central management and a number of other functions for applications that need enhanced security. Features such as drive pairing and secure storage partitions are sure to enable a whole new breed of badly needed security offerings.
While Seagate has set the standard for encrypting hard drives and is the undisputed leader, Hitachi has made aggressive strides and other vendors are sure to follow suit. This is all great news for ISVs as well as end consumers. It will probably be a few years before we see encrypting drives in the mainstream, and the battle against computer crime will certainly go on, but the addition of encrypting hard drives is a huge leap forward in our quest to protect our precious and sensitive data.
Part 1: Can Your Computer Keep a Secret?
Part 2: Software Solutions for Encrypting Data at Rest
The views and positions of our guest authors are not necessarily the views of WestWorld Productions. This forum offers authors the ability to state their opinions regarding technology and industry issues. We do not endorse or condone their viewpoints. - WestWorld Productions, Inc. Staff and Management.
|Publication:||Computer Technology Review|
|Date:||Jan 1, 2008|