By TCG Storage Workgroup
The data protection landscape is rapidly changing in scope, breadth and depth. With changes to data protection laws in recent years, organisations today must keep up with all that is happening in the world of data protection. Data protection no longer solely applies to risk management such as business continuity and disaster recovery, but also governance and compliance.
The protection of electronically stored information – in all its different expressions – should be at the forefront of any business. The permanent physical loss of key information, such as customer account information or the loss of confidentiality of sensitive information, could have a severe negative impact on a business and bring with it huge penalties and legal costs. The loss of confidentiality of information through a data breach can carry high security threats and put businesses of all sizes at risk.
As data and business processes evolve with technological advances, enterprises are actively examining how to improve the data protection function from the perspectives of people, processes and technology. The key to choosing the data protection technologies is to understand the overall data protection infrastructure portfolio into which individual data protection technologies should fit.
The strength is in the hardware
As a solution, data encryption has received strong endorsement from the enactment of state, federal and international data protection legislation. Over the years, the disadvantages of software-based encryption have become increasingly recognised in the industry.
After all, software encryption is only as secure as the rest of the computer or smartphone. In software encryption, there are more possible attacks vectors that can lead, among others, to the ability for a hacker to crack the password. Software encryption tools also share the processing of your computer, which can cause the whole machine to slow down as data is encrypted/decrypted.
Unfortunately, some users remain unaware of the potential to solve these problems with hardware-based encryption. Through an industry-wide, open specification for hardware-based Self Encrypting Drives (SEDs), e.g., Opal Family Specifications, developed by Trusted Computing Group (TCG), the issues caused by software-based encryption are being addressed and the reasons for using a SED continue to grow.
SEDs are storage media that perform on-board encryption/decryption, as well as pre-boot authentication, maintain hashed passwords and offer on-the-fly erasure. In a SED, the entire drive, including the Master Boot Record (MBR) is encrypted and write protected at rest. As a result, the master boot record cannot be corrupted.
Compared to software-based encryption, hardware-based encryption built into a drive offers simplified management, interoperability among drives from different vendors and most importantly no performance impact. In fact, using a SED is much more cost-effective than buying higher performance main laptop processors when software Full-Disk Encryption (FDE) is used. SEDs integrate to systems and image the same as non-encrypting drives, with no initial encryption necessary, nor re-encryption when drives are re-imaged.
SEDs and TPMs – the perfect match for data protection
In order to ensure better security, strong user authentication is needed. With a SED, access to the platform is based on secure authorisation performed by the SED and not by the less-secure software that can be spoofed into allowing unauthorised access to data. Combining hardware-based encryption with Trusted Platform Modules (TPMs) can provide even stronger security benefits in personal computers and can be used in a multitude of ways.
The TPM is designed as a root of trust for the computing platform. It can measure components such as the Basic Input/Output System (BIOS) to determine if the system has been hacked or an unauthorised change has been made. The SED has areas of protected storage that can be used in conjunction with the TPM.
One use of these protected storage areas would be to keep a copy of sensitive software such as the system BIOS or MBR. If the TPM detects that the BIOS or MBR has been hacked, a new, unaltered copy of the software can be loaded before the system boots, resulting in a self-healing system.
The combination of SEDs and TPMs can also assure strong authentication. In this instance, the SED would store an alternative operating system in a read-only area of the drive. When the locked SED is powered up, a ‘shadow’ MBR is used to load this pre-boot Operating System (OS).
The purpose of the pre-boot OS is to allow the user to enter their authentication credentials such as passwords, fingerprints, smart cards, or other tokens which are used to unlock the SED so that the normal MBR and OS can be loaded. Even though the SED protects the pre-boot OS from being altered, the TPM can be used to provide another layer of security by measuring the pre-boot OS each time it is loaded to assure that it has not been altered in an unauthorised way.
Some enterprises want to assure that a SED can only be unlocked by authorised users and in an authorised platform. The TPM can be used to store authentication credentials which are required in order to unlock the SED. At power up time, not only must the user enter their authentication credentials, but the TPM must be used in conjunction with the user authentication credential in order to produce the authentication credential which can unlock the SED.
Through combining hardware-based technologies like SEDs with TPMs, enterprises add another layer of security to their systems, ensuring the possibility of any loss of data is drastically reduced.
Protection against future security threats
Hardware-based encryption like that found in SEDs bring a lot of advantages including compliance, stronger security, integrated authentication and low total cost of ownership with an additional benefit of rapid data destruction or crypto-erase. While these convincing reasons remain valid, additional security scenarios provide even more compelling justification for organisations.
Corporations are reinitiating their spending and investments in technology for the future, with information security proving to be a key area to benefit from increased spending. With new approaches such as SEDs, corporations can obtain improved data security without the shortcomings of software-based encryption.
Once potential users correctly and completely understand the capabilities of SEDs and the misconceptions are corrected as well, the increasing availability of SED options will provide the solution to cope with data security threats both now and long into the future.