Mobile Security: A Surefire Laptop Encryption Strategy | Page 2
There are other performance issues, too, once the encryption is completed. With software-based full disk encryption, it takes approximately 17-18 seconds longer to boot a system. Yet with hardware-based full disk encryption, the additional boot time is only about 2 seconds longer.
Another problem with software-based full disk encryption is that for many software-based encryption products, the keys used to perform the encryption are stored in dynamic RAM. This means that there is the potential to access the keys, and thereby defeat the encryption mechanism, just as researchers at Princeton University proved with the cold-boot attack on encryption keys. With hardware-based full disk encryption, the encryption takes place in the ASIC and the encryption key never leaves the drive and is never loaded into system memory.
Systems using hardware-based full disk encryption use one password to authenticate before the master boot record is launched. Unless you can authenticate with the proper password, the data on the disk is completely inaccessible. For that reason, with hardware-based full disk encryption, the information on a lost or stolen laptop is completely secure.
Using full disk encryption enterprise management software, from vendors such as Wave Systems, the IT department can look up the configuration of a lost laptop. In this example, IT staff can then use the Wave Embassy Remote Admin Server (ERAS) to find out immediately if full disk encryption was deployed. If the laptop had full disk encryption deployed, it is not necessary to report the loss to authorities. All the IT department has to do is restore the user's files from backup onto a new laptop and the user is ready to go.
Once users are set up for hardware-based full disk encryption, most will not even know the difference, and none of them will be able to disable it. They will log in to their laptop using their password, and the encryption will work continually without any action needed from the user. If a user forgets his or her password, the IT admin team can use ERAS to obtain an emergency access recovery password. (If you have ever been a system administrator, you know that everything works better if the users have as little involvement as possible.)
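The three properties described above (the key never leaves the drive, one pre-boot password unlocks everything, and an admin recovery password can open the same drive) come from one design: the drive generates its data encryption key (DEK) internally and stores only copies wrapped under each enrolled credential. The following model is an added example, not Seagate's or Wave's code, and assumes a simplified TCG-style design; its HMAC-SHA256 counter-mode keystream stands in for the drive's AES engine, and PBKDF2 stands in for whatever password stretching the firmware uses.

```python
import hashlib
import hmac
import secrets

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for the drive's AES engine (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

class SelfEncryptingDrive:
    """Assumed SED design: DEK generated inside the drive, stored only wrapped per credential."""

    def __init__(self, admin_password):
        self._dek = secrets.token_bytes(32)  # volatile copy, cleared by lock()
        self._slots = {}                     # name -> (salt, wrapped DEK, MAC tag)
        self._sectors = {}                   # LBA -> ciphertext at rest
        self.enroll("admin", admin_password)

    def enroll(self, name, password):  # wrap the same DEK under one more credential
        if self._dek is None:
            raise PermissionError("drive locked")
        salt = secrets.token_bytes(16)
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        wrapped = _xor(self._dek, _keystream(kek, b"wrap", 32))
        self._slots[name] = (salt, wrapped, hmac.new(kek, wrapped, "sha256").digest())

    def lock(self):
        self._dek = None  # nothing usable remains outside the wrapped slots

    def unlock(self, password):  # pre-boot authentication: any enrolled credential works
        for salt, wrapped, tag in self._slots.values():
            kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
            if hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
                self._dek = _xor(wrapped, _keystream(kek, b"wrap", 32))
                return True
        return False

    def _crypt(self, lba, data):  # the DEK is used only here, inside the drive
        if self._dek is None:
            raise PermissionError("drive locked: authenticate first")
        return _xor(data, _keystream(self._dek, lba.to_bytes(8, "big"), len(data)))

    def write(self, lba, plaintext):
        self._sectors[lba] = self._crypt(lba, plaintext)
    def read(self, lba):
        return self._crypt(lba, self._sectors[lba])
```

Note that the host never receives the DEK from any method, which is why a cold-boot dump of host RAM has nothing to recover, and that adding or revoking a recovery credential only rewraps the key rather than re-encrypting the disk.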
Vendors to Watch
The vendor that is the leading innovator in full disk encryption is Seagate, which was founded in 1979, and first started shipping drives with hardware-based full disk encryption in March of 2007. Seagate's current market cap is 8.8 billion. Though Seagate's net income in 2009 came to a 3.8 billion loss, its most recent quarter (MRQ) showed a net income of 179 million and most financial analysts are predicting a positive outlook and bullish ratings for Seagate in the upcoming year. As of Jan. 15, Seagate was showing a 307 percent return on investment. Vendors who will be challenging Seagate for a share of the market include Samsung, Hitachi, and Toshiba, all of whom have more recently started offering hardware-based, self-encrypting drives. Samsung offers a solid-state solution while Hitachi and Toshiba offer traditional, spinning hardware-based self-encrypting drives. The Trusted Computing Group's (TCG) free, non-proprietary Storage Architecture Core Specification has enabled more hardware vendors to jump into the self-encrypting storage market.
All of Seagate's disks have to be managed by software drivers such as those made by Wave Systems. Wave Systems, headquartered in Lee, Massachusetts, was founded in 1988. Wave Systems specializes in management software for hardware security such as self-encrypting drives and Trusted Platform Modules. Their full disk encryption drivers for Seagate's disks that offer full disk encryption integrate with Active Directory and can be centrally managed. While the encryption hardware in the self-encrypting drive is always on and cannot be turned off, mobile managers must set the security for accessing the drive. When you first get your new computer, you use the Wave EMBASSY Security Center to turn on the security settings, assign users and set the passwords required to access the self-encrypting drive. These functions are under the Manage tab of the Trusted Drive screen.
Once you have the self-encrypting drive initialized and configured, you have a secure vault for all the data you send to the drive, and you are actually logging onto the hardware that unlocks the drive and releases the data. You have one password that logs you into your computer, your drive, and your Windows session. Wave supports sleep mode, so you can slap the lid closed, and your drive will be locked. The drives use AES, but only Seagate's solution is FIPS 140-2 compliant. (There are other configuration options available through the EMBASSY Security Center, but those are outside the scope of this article.) The Seagate and Wave Systems full disk encryption solution is currently being bundled together and sold by Dell. Self-encrypting drive volumes are seeing quarterly growth rates of 40-50 percent or more.
Who Needs Hardware-Based Full Disk Encryption?
If you don't want to worry about losing your company's sensitive information, a self-encrypting hard disk will put that worry to rest. Hardware-based, full disk encryption is ideal for the following uses:
- Federal agencies subject to OMB Memo M-06-16
- Healthcare providers employing telehealth or telemedicine that have private patient information on laptops
- Intelligence agencies with classified information
- E-mortgage financial institutions that have eNotes on laptops
- Anyone with credit card or bank account information on their laptop
- People with company patent or proprietary secrets on their laptops
- Consultants who work with sensitive customer information
- DoD agencies with National Security Information on laptops
- Organizations subject to compliance with Gramm-Leach-Bliley
- Organizations subject to PCI compliance
- Organizations subject to the Basel II regulation
- Organizations subject to HSPD-12 and HIPAA
While still a nascent market, the hardware-based self-encrypting drive market will likely prove to have more impact on mobile security in the years to come than any other technology.