Managing Self-Encrypting Drives in the Enterprise
New categories of storage devices—including self-encrypting drives (SEDs) and solid-state storage devices (SSDs) with encryption capabilities—have extended the boundaries of storage technology and are finding a place in the IT infrastructures of many enterprises. Enterprises keen on maintaining a viable central management strategy are investing in new tools to bring all endpoint devices within their organization under a single unified point of control. Within this rapidly evolving IT environment, achieving a degree of stability and control can be a challenge. This is where the capabilities of WinMagic’s SecureDoc prove advantageous for security managers and IT administrators. SecureDoc brings support for the newest and most advanced encryption standards, processor architectures, operating systems, and disk storage technologies into a management framework strong enough to meet stringent enterprise security requirements.
This paper examines the capabilities of SEDs based on the TCG Opal standard, as they are deployed and managed at the enterprise level within a hybrid IT infrastructure that includes a wide mix of platform architectures and storage device types.
Addressing Common Encryption Issues
Improvements in processor architectures and boosts in computer performance have minimized many of the past problems associated with data encryption, which in earlier generations could noticeably slow down computer operations. Today, full-disk encryption is almost universally recognized as necessary and recommended for complying with regulatory mandates and protecting data at rest. As more and more business users carry around laptops that typically contain sensitive corporate information, the need for full-disk encryption and central management of encrypted storage devices has become an extremely important issue for many enterprises.
Despite the technology advances that have made software-based full-disk encryption more transparent, with less impact on system performance, users sometimes opt to turn it off, eliminating the data protection (central administrators should never grant end users the privilege to disable encryption). For regulatory compliance, of course, allowing users to disable encryption isn't acceptable. Drive manufacturers worked together to devise an approach to full-disk encryption that operates entirely within the hardware of the drive. Working through the Trusted Computing Group (TCG), the leading manufacturers and ISVs (such as WinMagic) collaborated on the Opal standard, which specifies hardware-based data encryption, key handling, drive commands, and other aspects of this storage technology. The manufacturers agreed to refer to devices based on this standard as self-encrypting drives. SEDs are available as hard disk drives (HDDs) from the major drive manufacturers, including Seagate Technology, Hitachi Ltd., and Toshiba. Samsung and Micron also produce solid-state drives (SSDs) that adhere to the Opal standard.
One key benefit of SEDs is that the encryption function can never be turned off. It operates continuously and silently in the background, carrying out encryption and decryption operations entirely within the drive hardware. Encryption alone is not yet protection, however: a drive that has not been taken under management (locking not enabled, no authentication credential set) still encrypts every sector, but it unlocks itself at power-on and serves plaintext to whoever holds it. Once locking is enabled and a credential is set, an unauthorized individual cannot access the data on a lost or stolen laptop.
It is not necessary to re-encrypt the drive if the external credentials (authentication keys) need to be modified, because changing a credential only re-wraps the data encryption key; the encrypted data on the media is untouched. The security administrator can therefore change the external drive credentials quickly and easily. In the case of WinMagic SecureDoc, the authentication key is a 32-byte random value that must be supplied to unlock access to the encrypted drive. The drive credentials are stored in a centralized administrative database, where they can be used to perform management operations on the drives (such as adding or removing users or performing a crypto-erase of the drive).
Similarly, a single command can replace the internal data encryption key in the drive, a feature known as crypto-erase. When erased in this manner, all data on the drive becomes permanently inaccessible, since the only key that could decrypt it no longer exists anywhere; this is an important feature for companies decommissioning or disposing of hard disk drives. The erased data cannot be recovered by anyone even if the drive is removed from the computer and slaved to another system, disassembled and examined with an electron microscope, or subjected to any other mechanical or electronic means.
SEDs have a significant time-savings advantage over software-based full-disk encryption. The initial setup and encryption of a hard disk using a software product typically takes anywhere from 3.5 to 23 hours, depending on the product and disk size (according to a report from Trusted Strategies, FDE Performance Comparison: Hardware Versus Software Full Drive Encryption, released 9 February 2010), although in most cases users can continue to work while encryption takes place in the background, and some software encryption products support a quick conversion mode for new computers that can take less than 1 hour.
In comparison, SEDs routinely encrypt all data written to them (and decrypt the data when read back). All applications, operating systems, and user data get encrypted as the files are written to disk. Because of this, there is no initial setup or full-disk encryption time penalty. The SED is fully operational as soon as it is powered up.
As noted in the same Trusted Strategies report, typical drive operations are faster with a SED than with an HDD using software encryption. As shown in the following table, the SED performs almost as fast as a non-encrypted drive, whereas the software-encrypted drives show a substantial slowdown during write operations. Recent advances in software encryption, such as use of the AES-NI instructions in current CPUs and of the multiple cores many systems now ship with, have allowed software to close some of the gap on HDD Opal SEDs. However, the newer Opal SSDs are much faster, and software encryption has a measurable impact on these very fast drives (see the Trusted Strategies results for SSDs).
These advantages of SEDs present a particularly beneficial technology for security administrators seeking ways to strengthen policies, protect privacy, and simplify strategic initiatives. Misperceptions and misunderstandings about SED technology have slowed adoption within some enterprises, as discussed in the next section. Overcoming these misperceptions is the first step to introducing them into an organization’s IT infrastructure.
Overcoming Misperceptions about SEDs
As new as SED technology is, many people involved in IT activities still aren’t clear on how this technology works, how it fits into a larger infrastructure, and what the implications of self-encryption are to management and deployment of storage devices. A May 2011 report by the Ponemon Institute, Perceptions about Self-Encrypting Drives: A Study of IT Practitioners, cleared up many of the misperceptions about this drive technology and revealed how this technology is viewed by IT professionals in general.
The Ponemon study showed that lack of familiarity with the cost, options, and integration issues for SEDs was slowing their adoption by enterprises. The following excerpt from the study highlights these points:
Thirty-five percent of IT practitioners in our study report that they are very familiar with SEDs and 53 percent say they are somewhat familiar. Approximately 85 percent say their organizations mostly use software-based encryption. When we asked why they were not using hardware-based encryption, 36 percent say they do not understand the hardware-based encryption options available for their organizations. We believe this response can be due to the fact, as we noted above, that this option became available only recently.
An important finding of this study is that IT practitioners view hardware-based encryption favorably but are uncertain about the cost. However, 37 percent believe their organizations would pay a premium to gain the extra security SEDs promise.
The majority of respondents agree that in terms of protecting data-at-rest, hardware-based encryption (including SEDs) is more secure than software-based encryption. In fact, 70 percent say that SEDs would have had an enormous and positive impact on the protection of sensitive and confidential information in the event that a data breach should occur.
The study also revealed a number of significant facts about security practices within organizations and the potential impact of SEDs:
- Employees often disable laptop security protections, thereby violating corporate security policies. An estimated 40 percent of employees routinely disengage protections. The study also showed that 50 percent of the respondents thought that SEDs could curtail this problem. (SEDs raise the bar in preventing this behavior but do not prevent it. The best protection is to monitor the encryption and compliance status of the drive from a central console which is the most effective means for both SW and )
- SEDs will become the standard of excellence in desktop and laptop drive security over the next one to three years, according to 56 percent of the
- One or more data breaches were experienced by reporting organizations in the prior 24 months. The majority of respondents—70 percent—felt that SEDs would have had a large impact in protecting records in at least 80 percent of these
- IT practitioners support making investments in SEDs. The respondents rated these hardware-based encryption features very important:
- Performance (73 percent)
- Ease of deployment (66 percent)
- Re-encryption (65 percent)
- Compatibility (61 percent)
- Standardization (61 percent)
- Regulatory mandates are a major incentive for encrypting data at rest. 51 percent of respondents said they used encryption to comply with state or federal data protection laws. 49 percent used encryption to comply with internal regulations and
- Hardware-based encryption makes sense for my organization today. 63 percent of respondents agreed with this
- Hardware-based encryption is more secure than software-based encryption for protecting data at rest. 63 percent of respondents agreed with this
The overall results of the study point to an expansion of the use of SEDs throughout organizations in the near future. Although IT professionals were generally positive about the technology and the additional security afforded, they were uncertain about cost and the hard drive options that would be available following deployment of SEDs. A clear majority of respondents were convinced that SEDs are about to become the standard of excellence in desktop and laptop security within the next one to three years.
More details about the study and a downloadable version are available from this address: www.trustedcomputinggroup.org/resources/ponemon_sed_survey_report
TCG Maintains the Opal Standard
The Opal Standard, developed and maintained by the Trusted Computing Group, established the mechanisms through which encryption and security features operate in SEDs. The final specifications for version 1.0 were published in January 2009. These standards, covering client drives, data center drives, and the interoperability of self-encrypting drives, quickly gained traction in the industry, and the leading HDD manufacturers began shipping SEDs in March 2009. Sales have been steadily ramping up, although they are still a fraction of sales for conventional drives. Seagate noted in February 2011 that its SED products had experienced a tripling of sales [1] in the previous two quarters.
The Opal Security Subsystem Class (SSC) specification provides information for systems integrators building trusted storage solutions. Security software vendors and manufacturers of Opal SSC storage devices adhere to the specification to ensure compatibility and interoperability within an IT infrastructure. The Opal SSC details implementations of features, including pre-boot authentication, protection of sensitive user data, repurposing of drives, and secure end-of-life disposal methods. For more information, visit the Trusted Computing Group: www.trustedcomputinggroup.org
How SED Keys are Handled
The data encryption key (DEK) in a SED is generated inside the drive, never leaves the drive hardware, and is stored on the drive only in encrypted (wrapped) form. To decrypt it, and thereby unlock the encrypted user data, the authentication key (AK) must be supplied. Once the DEK is decrypted, the drive uses it to encrypt and decrypt user data. If the DEK is changed or erased, any prior data existing in encrypted form on the drive becomes inaccessible.
The following figure (from a Trusted Computing Group presentation) shows one technique for handling authentication within a SED. There are other possible ways to accomplish this process, as implemented by individual manufacturers, but to ensure compatibility the authentication method must follow the practices outlined by the Opal specification.
SecureDoc Management of SEDs
WinMagic's SecureDoc includes provisions to manage SEDs, including SSDs that feature Opal self-encryption. Within the SecureDoc Enterprise Server (SES) management console, there is an enabling option: Use hardware full-disk encryption if available.
If the administrator selects that option, it sets up the process through which SEDs are recognized and brought under management control. Administrators also have the option to exclude Opal drives and select Use software encryption only (for example, if the SED is not FIPS 140 validated and enterprise policy mandates a FIPS 140 validated cryptographic engine such as the one used in SecureDoc software encryption), but in most cases they will want to take advantage of self-encrypting hardware if it is available.
All of the policy decisions get wrapped together within an executable SecureDoc program called a package. The package then gets deployed to the notebook. If it is a new notebook right out of the box, this task might be accomplished by the SES administrator or the IT administrator—deploying the package at the main facility before the notebooks are shipped to users at different locations. Or, the package might be deployed in the field, if the user has had the notebook for a while. Either way, when the software lands and starts to execute, it is usually configured as a silent installation that doesn’t ask the user any questions. Typically, the security administrator has already made all the decisions about how the product should be running.
When it runs locally, the software discovers automatically whether there is an Opal drive in the system. If so, it investigates the policy settings. For example, a policy setting addresses the question “If there is an Opal drive in this system, should I use it?” In most cases, the policy probably says yes. In such a case, the SecureDoc package determines that it will manage this Opal drive (as opposed to encrypting the hard drive in software). Once the software detects that there is an Opal drive set to be managed—as specified in the settings—it becomes one of the devices available for control under the SES management console.
The Opal drive features a protected area within hardware in which the SecureDoc pre-boot authentication code runs, referred to as the MBR shadow. This 128MB region, created using Opal commands, sits outside the drive's user-addressable space and is invisible to the operating system once the drive is unlocked. While the drive is locked, the drive firmware presents the shadow in place of the first sectors of the disk, so the BIOS boots the SecureDoc pre-boot authentication code from it; an Opal command, issued with a valid credential, is required to unlock the drive. Until valid authentication is received, the rest of the user data and the operating system remain completely hidden.
Once a user has been authenticated (whether through a username and password, token, biometric input, or even via a wired or wireless PBConnex connection to a server), the cryptographic information becomes available to access the drive credentials, the equivalent of an authentication key, that are used to unlock the drive. An unlocked drive appears in all respects as an unencrypted drive, with full access to the operating system, applications, and user data. It is this "transparency" attribute of Opal SEDs that is perhaps the most important advantage over software encryption, even more important than the performance that IT practitioners identified in the Ponemon study. SecureDoc has OS-present agents to manage Opal drives in Windows and Mac OS X, but the transparency of Opal is best illustrated by WinMagic's SmartStart for SEDs. With this product there is no OS-present software at all: the drive is managed entirely from the pre-boot OS running in the MBR shadow. This approach allows any flavor of Linux, or any other OS that can run on a laptop or desktop, to leverage the advantages of Opal drives.
When drive power is removed, a SED locks automatically. Even after the computer is powered on again, the SED remains locked until the authentication key is provided, after which read and write operations proceed normally. This provides strong protection for the data stored on the drive, which cannot be decrypted if the authentication process is bypassed. The key required for decryption is itself stored within the drive hardware, only in wrapped form, where it is inaccessible. This prevents the data from being accessed if the drive is removed from the computer or slaved to another system. Without authentication, the data is fundamentally inaccessible.
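The key handling described in "How SED Keys are Handled", together with the credential change and crypto-erase operations from "Addressing Common Encryption Issues" and the MBR shadow and power-cycle locking behaviour described above, as one runnable software model. This is an added example, not WinMagic or TCG code, and it is a model only: the drive's AES-XTS engine is replaced by a per-sector HMAC keystream so the script runs with the Python standard library, the derivation of a wrapping key from the 32-byte authentication key (PBKDF2 here) is an assumption, the 128MB shadow region is reduced to four 32-byte sectors, and the factory credential is treated as the Opal MSID, which is readable from the drive by anyone. The names ModelSED, take_ownership, change_ak, crypto_erase, power_cycle, unlock and demo are invented for the example; the sample user data is constructed.

```python
import hashlib
import hmac
import secrets

def _kek(ak, salt):
    return hashlib.pbkdf2_hmac("sha256", ak, salt, 20_000, 32)  # assumed KDF; Opal leaves it to the vendor

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _raises(fn):
    try:
        fn()
    except PermissionError:
        return True
    return False

class ModelSED:
    def __init__(self):
        self.msid, self._salt = secrets.token_bytes(32), secrets.token_bytes(16)  # MSID (readable by anyone); wrap salt
        dek = secrets.token_bytes(32)             # DEK generated inside the drive, never exported
        self._wrapped = self._wrap(dek, self.msid)
        self._dek_ram = dek                       # plaintext DEK exists only in drive RAM
        self._media, self._shadow = {}, {}        # lba -> ciphertext; MBR shadow (stored in the clear)
        self.locking_enabled, self.mbr_done = False, True   # fresh drive: encrypting, not locking

    def _wrap(self, dek, ak):
        k = _kek(ak, self._salt)
        ct = _xor(dek, hmac.new(k, b"wrap", "sha256").digest())
        return ct + hmac.new(k, b"tag" + ct, "sha256").digest()

    def _unwrap(self, ak):
        k = _kek(ak, self._salt)
        ct, tag = self._wrapped[:32], self._wrapped[32:]
        if not hmac.compare_digest(tag, hmac.new(k, b"tag" + ct, "sha256").digest()):
            raise PermissionError("authentication failed")
        return _xor(ct, hmac.new(k, b"wrap", "sha256").digest())

    def _keystream(self, lba):
        # Stand-in for the drive's AES-XTS engine: one 32-byte HMAC keystream per sector.
        if self._dek_ram is None:
            raise PermissionError("drive is locked")
        return hmac.new(self._dek_ram, lba.to_bytes(8, "big"), "sha256").digest()

    def take_ownership(self, new_ak, pba_image):
        dek = self._unwrap(self.msid)             # until now only the factory credential works
        self._wrapped = self._wrap(dek, new_ak)   # rewrap only: user data is not re-encrypted
        self._shadow = {i: pba_image[32 * i:32 * i + 32] for i in range(4)}  # 4 model sectors
        self.locking_enabled = True

    def change_ak(self, old_ak, new_ak):
        self._wrapped = self._wrap(self._unwrap(old_ak), new_ak)

    def crypto_erase(self, ak):
        self._unwrap(ak)                          # caller must hold a valid credential
        dek = secrets.token_bytes(32)             # new DEK: every existing sector is now noise
        self._wrapped, self._dek_ram = self._wrap(dek, ak), dek

    def power_cycle(self):
        # Power loss clears RAM; an un-owned drive silently re-unlocks itself with the MSID.
        self._dek_ram = None if self.locking_enabled else self._unwrap(self.msid)
        self.mbr_done = not self.locking_enabled

    def unlock(self, ak):
        self._dek_ram = self._unwrap(ak)
        self.mbr_done = True                      # pre-boot code sets MBR Done after auth

    def read(self, lba):
        if self.locking_enabled and not self.mbr_done and lba in self._shadow:
            return self._shadow[lba]              # the shadow is served even while locked
        return _xor(self._media[lba], self._keystream(lba))

    def write(self, lba, data):
        self._media[lba] = _xor(data, self._keystream(lba))

def demo():
    d, r, secret = ModelSED(), {}, b"constructed sample: Q3 payroll"  # model sectors hold <= 32 bytes
    d.write(0, b"real MBR")
    d.write(9, secret)
    d.power_cycle()
    r["unowned_drive_readable"] = d.read(9) == secret   # encrypted, yet unprotected
    ak1, ak2 = secrets.token_bytes(32), secrets.token_bytes(32)   # enterprise-held credentials
    d.take_ownership(ak1, b"PBA!" * 32)
    d.power_cycle()
    r["shadow_served_when_locked"] = d.read(0) == b"PBA!" * 8
    r["user_data_locked"] = _raises(lambda: d.read(9))
    raw = d._media[9]                                    # what slaving the drive yields
    d.unlock(ak1)
    r["mbr_passthrough_after_auth"] = d.read(0) == b"real MBR"
    d.change_ak(ak1, ak2)                                # credential rotation
    r["rekey_left_media_unchanged"] = d._media[9] == raw
    d.power_cycle()
    r["old_ak_rejected"] = _raises(lambda: d.unlock(ak1))
    d.unlock(ak2)
    r["readable_with_new_ak"] = d.read(9) == secret
    d.crypto_erase(ak2)
    r["erased_data_unrecoverable"] = d.read(9) != secret and d._media[9] == raw
    return r
```

Running demo() walks a drive through its lifecycle and returns eight named checks, all True. Four of them show what the prose above only states: an un-owned drive reads back plaintext after a power cycle even though every sector is ciphertext; rotating the authentication key leaves the bytes on the media unchanged; the shadow region is readable while the drive is locked and then disappears behind the real LBA 0 after authentication; and crypto-erase likewise leaves the media bytes untouched but makes them unreadable, which is why a forensic image of an erased or locked drive yields nothing.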
In general, WinMagic follows the policy recommendations of NIST SP 800-111, which provides guidelines for implementing storage encryption technologies for end user devices. These guidelines, as reflected in SecureDoc, are used in combination with an organization’s own specialized policies and procedures to provide comprehensive and consistent data security across the full range of storage device types. SEDs map into this framework as a natural extension of existing security policy, providing the additional performance and security benefits of internal self-encryption.
Strengthening Compliance in the Enterprise
IBM estimates that 90 percent of those drives still contain readable data. From a compliance standpoint and to simply provide a reasonable level of data protection for sensitive and private corporate assets, encryption is essential to guard enterprise assets.
Most US states (46 in total) have data breach notification laws on the books, most of them with an encryption safe harbor. Among the regulations and industry standards that mandate protection of data at rest, PCI DSS (an industry standard) and HIPAA (a federal regulation) affect large segments of industry.
- Payment Card Industry Data Security Standard (PCI DSS): Requirements ensure that companies that process, store, or transmit credit card information maintain a secure environment
- Health Insurance Portability and Accountability Act (HIPAA): Regulations protect the privacy of individually identifiable health information, setting national standards for securing patient data and ensuring privacy
Considering the steep penalties and costs associated with data breaches, the business case for deploying SEDs is a strong one. The Ponemon Institute's 2010 Annual Study: U.S. Cost of a Data Breach calculated the average cost for each lost or stolen record at $214 and the average breach at roughly 16,000 records, which equates to a loss of approximately USD 3.4 million per incident.
From an enterprise perspective, applying encryption consistently across a wide range of device types complicates the deployment, maintenance, and, ultimately, the disposal of storage devices. SEDs simplify these tasks in several ways:
- Hardware encryption and decryption is faster and more secure, since the fundamental operations are carried out inside the drive (in an AES encryption engine) and the data encryption key is never present in host memory, where malware or a memory-capture attack could reach it
- Lost or stolen drives can’t be accessed or read—even if removed from the computer in which they reside
- Making data inaccessible at the end of a device's lifespan is as simple as changing or erasing the data encryption key on the drive (crypto-erase), which leaves the stored data unrecoverable
- Encryption is complete and continuous for the full hard-disk drive, so that individual users can’t subvert the encryption process by turning it off
The misperceptions about SEDs, as discussed earlier in this paper, are more about lack of knowledge than any lack of capabilities or technological issues associated with the devices. As security administrators and IT professionals become more familiar with the promise of SEDs, their use within organizations will inevitably become more accepted. SecureDoc stands as an important and proven management application that can help integrate SEDs into the corporate infrastructure and provide full access to their security features and capabilities.
[1] http://www.csoonline.com/article/664415/self-encrypting-drive-sales-on-the-rise-claims-seagate