Ask The Security Expert: Questions & Answers

Should disks be encrypted at the hardware level?

EXPERT RESPONSE FROM: Michael Cobb

QUESTION POSED ON: 02 December 2007
Should disks be encrypted at the hardware level? Do you think this trend represents the future of encryption?

EXPERT RESPONSE
Disks that automatically encrypt data as they write -- and decrypt when they read -- are appealing for a number of reasons. To start, they make it possible to argue that data on a stolen drive remains safe, something that a lot of embarrassed companies and government agencies would like to have been able to claim in the last few years following high-profile data breaches. Such a process makes encryption the default state of the drive's data at rest. Very little user knowledge or input is required after the initial sign-on at boot time as well.

Software that provides full-disk encryption has been around for a while and has much the same appeal. However, implementing disk encryption in hardware potentially reduces the processing overhead involved in read/write operations. Both software and hardware approaches to full-disk encryption, though, involve key management issues.

The software approach would appear to be more amenable to key management. Key management is usually an integral part of a software-based encryption application and would seem to offer greater ease of patching and so on. However, more security software is emerging that encompasses full-disk encryption hard drives, including the Embassy Trust Suite from Wave Systems Corp., which Dell Inc. offers with some of its laptops.

In an organization with a large mix of machines, a software approach may offer greater flexibility. Typically, it's possible to implement the same software-based full-disk encryption application on a wide range of machines, whereas a hardware approach depends on machines having specific hardware. Suppose you set a policy that all laptops must have full-drive encryption at the hardware level. This may create an uphill upgrade struggle. On the other hand, if you are on the verge of buying new laptops for all field employees anyway, then opting for hard drive encryption might be a sensible decision, particularly if yours is the sort of business where a lost laptop could lead to unpleasant headlines.

At the moment, the range of available hard drives with full-disk encryption is fairly small, and the demand for them is hard to judge.

It's worth noting that full-disk encryption is not the only way to protect sensitive data. Software that provides file-by-file encryption is an alternative that can offer more complete protection because a file can stay encrypted when it leaves a machine. With disk encryption only, a file attached to an email is read from the disk into the clear prior to transmission. The encryption is keyed to the hardware, not the file. If you need to protect files moving from one office to another, you will need a file-encryption system that provides key exchange among users.

The allure of hardware-level encryption is hard to deny, but the need for key management (including protection and recovery) means that hard drive encryption will never be as simple to implement as regular storage. And bear in mind that even hardware-based products rely on software code to perform their work. If that code is weak, it could be cracked.
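As an added illustration (not part of the original answer, and not any vendor's code), the following Python model walks through the points made above: a drive that encrypts every sector under a data-encryption key (DEK) that is stored only in wrapped form under one or more protectors (a user passphrase and an escrowed recovery code), so that a forgotten passphrase does not mean lost data; a stolen drive that yields nothing but ciphertext; a transparent read that hands the host application clear text, which is exactly what ends up in an email attachment; and file-level encryption whose key belongs to the file's owner rather than to the drive. The class and function names, the HMAC-based toy stream cipher standing in for AES, and the sample data, passphrase and recovery code are all assumptions made for this example.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 keystream in counter mode.
    Symmetric, so the same call encrypts and decrypts. Illustration only; a real
    drive uses AES-XTS and a real file tool an AEAD mode such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encryption key from a passphrase or recovery code (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class SelfEncryptingDisk:
    """Hypothetical drive model. The DEK encrypts every sector; it is persisted only
    wrapped under each protector plus a check value, so the clear DEK exists only
    while the drive is unlocked."""

    def __init__(self) -> None:
        self._dek = os.urandom(32)                  # clear DEK: unlocked at creation
        self._check = self._check_value(self._dek)  # lets unlock() verify an unwrap
        self._protectors = {}                       # name -> (salt, wrapped DEK)
        self._sectors = {}                          # sector number -> ciphertext

    @staticmethod
    def _check_value(dek: bytes) -> bytes:
        return hmac.new(dek, b"dek-check", hashlib.sha256).digest()

    def add_protector(self, name: str, secret: str) -> None:
        """Wrap the DEK under a new protector (user passphrase, recovery code, ...)."""
        if self._dek is None:
            raise PermissionError("drive is locked")
        salt = os.urandom(16)
        self._protectors[name] = (salt, keystream_xor(derive_kek(secret, salt), salt, self._dek))

    def lock(self) -> None:
        self._dek = None                            # power-off: the clear DEK is gone

    def unlock(self, name: str, secret: str) -> bool:
        """Unwrap the DEK with one protector; every protector yields the same DEK."""
        salt, wrapped = self._protectors[name]
        candidate = keystream_xor(derive_kek(secret, salt), salt, wrapped)
        if hmac.compare_digest(self._check_value(candidate), self._check):
            self._dek = candidate
            return True
        return False

    def write(self, sector: int, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError("drive is locked")
        self._sectors[sector] = keystream_xor(self._dek, sector.to_bytes(8, "big"), data)

    def read(self, sector: int) -> bytes:
        """Transparent decrypt: once unlocked, the host always receives plaintext."""
        if self._dek is None:
            raise PermissionError("drive is locked")
        return keystream_xor(self._dek, sector.to_bytes(8, "big"), self._sectors[sector])

    def raw_sector(self, sector: int) -> bytes:
        """What someone who pulls the platters sees: ciphertext only."""
        return self._sectors[sector]


def encrypt_file(file_key: bytes, plaintext: bytes) -> bytes:
    """File-level encryption: the key belongs to the file's owner, not the drive."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(file_key, nonce, plaintext)


def decrypt_file(file_key: bytes, blob: bytes) -> bytes:
    return keystream_xor(file_key, blob[:16], blob[16:])


def demo() -> dict:
    """Walk through the scenarios in the answer and return the observations."""
    report = b"quarterly results: confidential"                   # constructed sample data
    disk = SelfEncryptingDisk()
    disk.add_protector("user", "correct horse battery staple")    # constructed passphrase
    disk.add_protector("recovery", "RECOVERY-CODE-PLACEHOLDER")   # escrowed by IT
    disk.write(0, report)
    at_rest = disk.raw_sector(0)                                  # stolen-drive view
    disk.lock()
    wrong = disk.unlock("user", "wrong passphrase")
    recovered = disk.unlock("recovery", "RECOVERY-CODE-PLACEHOLDER")  # passphrase forgotten
    read_back = disk.read(0)                                      # what an email client attaches
    file_key = os.urandom(32)
    blob = encrypt_file(file_key, report)                         # stays ciphertext when copied out
    return {"plaintext": report, "at_rest": at_rest, "wrong_passphrase": wrong,
            "recovered": recovered, "read_back": read_back, "file_blob": blob,
            "file_decrypted": decrypt_file(file_key, blob)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The recovery protector is the piece the answer's "protection and recovery" remark is about: the DEK itself is never backed up in the clear, only a second wrapping of it, and an administrator who escrows the recovery codes can unlock a drive whose owner has left or forgotten the passphrase. The `read_back` value is the other lesson: the drive hands back plaintext to any process running on the unlocked machine, so disk encryption says nothing about a file once it is attached to a message or copied to a USB stick, whereas `file_blob` is still ciphertext wherever it goes.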

Strong encryption technology itself does not ensure strong security if the implementation itself is vulnerable, or if the users are poorly trained. That said, companies that value security should already be looking at hardware-based full-disk encryption, along with other ways of encrypting files. Defense in depth through a combination of hardware- and software-level precautions may be where the industry is headed.

More information:
  • W. Curtis Preston reveals some encryption key management best practices.
  • See why hardware-based encryption gained the most innovation of 2007.

