(Microsoft announces end of mainstream support for MBAM as of July 2019)
WinMagic’s CEO, Thi Nguyen-Huu, has blogged in the past about the ideal architecture for Full Drive Encryption and Key Management (Separating Encryption and Key Management). By separating key management, which includes authentication, from the actual encryption layer, one can use a single key manager for many platforms while selecting the best individual encryption solution for each use case where storage encryption is needed.
In the past few weeks I have been looking into the fallout from the paper (PDF) by Carlo Meijer and Bernard van Gastel from Radboud University, the Netherlands, titled “Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)”.
From the paper’s abstract: “In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret” … “This challenges the view that hardware encryption is preferable over software encryption. We conclude that one should not rely solely on hardware encryption offered by SSDs.”
For me, the title of this blog entry isn’t just a marketing slogan or a catch phrase. It’s something that I take very seriously because, just like the metrics that I keep track of, acting on feedback from customers allows the Technical Support team here at WinMagic to improve to serve you better. That’s the key reason why you get a survey when a case is closed. I want to know what your support experience was like so that I know what went well, and what we can improve upon. Rest assured, when I get feedback I do act upon it.
An international law firm and longtime customer of WinMagic has leveraged our flagship encryption and key management platform – SecureDoc Enterprise Server – to protect thousands of endpoint devices against loss or theft. In this era of digital transformation, though, protecting endpoints is only one of many projects within their security and risk management portfolio. Now, as the organization aims to leverage the undeniable benefits of cloud computing, IT has a new mandate to move their existing server infrastructure to Microsoft Azure. Security and compliance risks could no longer prevent cloud migration, despite concerns about undisclosed access to sensitive workloads, particularly those related to client cases, which could be subject to subpoena or government access.
In my recent blog “Pre-Boot Authentication. Wisdom in Security” I wrote in conclusion:
“Bottom Line: ‘No PBA’ is not a wise choice for enterprises.
Microsoft’s reasoning that you don’t need PBA because the known memory attacks are difficult to pull off on most modern hardware is simply wrong, because the threat is much more than just those attacks.”
The Cold Boot Attack was resurrected last week by some researchers at F-Secure (https://press.f-secure.com/2018/09/13/firmware-weakness-in-modern-laptops-exposes-encryption-keys/). I would like to provide some context for both the exploit and the mitigations, because the cold boot attack is just the tip of the iceberg. But first, if you don’t want to know the details, there are steps that organizations can take to protect against Cold Boot attacks on PCs and Macs when using SecureDoc, including:
In the past, I have tried to make the case for encrypting physical servers on premises. The argument for not needing to encrypt them is that these servers usually run for weeks, months, or even years without being brought down, and that they are physically protected within a well-fortified data center. The protection that Full Drive Encryption (FDE) brings only really applies to data at rest, and data on these servers is seldom at rest. I would counter that all drives eventually leave the data center for repair or disposal, and having them encrypted protects you from having your old drives show up on eBay with your customer data still on them. Encrypting the drive means it can be quickly and easily crypto-erased if it is still operational, and if it is not, the data is still not accessible without the encryption key.
Takeaways from NCR Innovation Conference 2018
Innovation, Meet Security
Digital banking has transformed the way we connect and transact with one another. From mobile banking apps to contactless payments, a focus on consumer experience has driven new technologies like never before. The consistent, common factor: convenience.