Breaking with the recent stream of bad news, disk drive manufacturers Fujitsu, Hitachi, and Seagate Technologies all announced encrypting hard drives over the past few weeks.
The three disk drive amigos announced a number of new models featuring things like 256-bit encryption, 500GB of capacity, and up to 16MB of disk-based cache memory. As far as availability goes, all three vendors will offer multiple encrypting hard drive models in 2009.
Users should anticipate a whole bunch of new PCs featuring encrypting hard drives in 2009. As this happens, security professionals should:
Embrace the technology. Attention IT, you are looking at the future here. In a few years, almost all hard drives will be "encryption ready." This means that you need a plan for a graceful migration from software to hardware over time. Make sure your software vendor is prepared ASAP to support hardware-based encryption management chores (e.g. configuration management, key management).
Push vendors on Trusted Computing Group (TCG) storage encryption standard support. Fujitsu, Hitachi, and Seagate were all extremely influential in developing TCG storage encryption, a feature-rich standard with secure APIs and a wide range of use cases. To maximize future flexibility, make sure that software and hardware encryption vendors are familiar with and support this standard. This will help prevent vendor lock-in and help drive new innovation.
Examine ways to use the Trusted Platform Module (TPM). Every PC ships with a TPM security chip with a unique identification number, but few organizations use this functionality. Why? Software functionality has been a bear to administer in the past. As encrypting drives become ubiquitous, this techno traffic jam will likely ease. Keep your eyes open for software support from endpoint security and encryption management vendors.
Not wait for Intel vPro. This is not to diss Intel; I actually like the potential of the vPro architecture. That said, encryption is just one feature in vPro. It can do a lot of other cool things for configuration management, vulnerability scanning, and power management. As for full-disk encryption, my bet is that disk-based encryption will arrive sooner and be cheaper and simpler to use than chip-based encryption. Intel and the disk guys will figure this out over the long term, but it is certainly not worth delaying purchases while awaiting hardware détente.
Hardware-based encryption will protect system-resident data and help solve another thorny problem: data erasure. When a system is ready for the scrap heap, simply delete the encryption key and voilà, the data is unreadable. This may be the biggest benefit of all.
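The key-deletion erasure just described, and the key-management chores mentioned in the advice above, both come down to one design point: the drive encrypts every sector under a media encryption key (MEK) that is itself stored only in wrapped form under a credential-derived key. The simulation below is an added example, not code from the original post or from any of the three vendors' drives or the TCG standard. Everything in it is constructed for illustration: the class name, the toy HMAC-SHA256 counter-mode keystream standing in for the drive's AES-256, the PBKDF2 parameters, and the sample sector contents. It shows why changing the unlock credential needs no re-encryption of data, and why overwriting the wrapped MEK leaves the platters physically intact yet unreadable.

```python
import hashlib
import hmac
import os
import secrets

SECTOR = 512
WRAP_NONCE = 2**64 - 1   # reserved counter value used only for wrapping the MEK


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Toy CTR-mode keystream from HMAC-SHA256 (stand-in for the drive's AES)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(credential: bytes, salt: bytes) -> bytes:
    """Key-encryption key from the unlock credential (constructed PBKDF2 parameters)."""
    return hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000, dklen=32)


class SelfEncryptingDrive:
    """Hypothetical model of a self-encrypting drive's key hierarchy."""

    def __init__(self, credential: bytes, sectors: int = 8):
        self.salt = os.urandom(16)
        self.platter = [bytes(SECTOR)] * sectors      # always holds ciphertext
        self._mek = secrets.token_bytes(32)           # lives only inside the controller
        self._store_wrapped_mek(credential)

    def _store_wrapped_mek(self, credential: bytes) -> None:
        # The only persistent copy of the MEK is this wrapped blob plus its tag.
        kek = derive_kek(credential, self.salt)
        self.wrapped_mek = xor_bytes(self._mek, keystream(kek, WRAP_NONCE, 32))
        self.wrap_tag = hmac.new(kek, self.wrapped_mek, hashlib.sha256).digest()

    def lock(self) -> None:
        self._mek = None   # power-off: controller forgets the unwrapped key

    def unlock(self, credential: bytes) -> bool:
        kek = derive_kek(credential, self.salt)
        tag = hmac.new(kek, self.wrapped_mek, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.wrap_tag):
            return False
        self._mek = xor_bytes(self.wrapped_mek, keystream(kek, WRAP_NONCE, 32))
        return True

    def change_credential(self, old: bytes, new: bytes) -> bool:
        # Re-wrap the same MEK: no sector has to be re-encrypted.
        if not self.unlock(old):
            return False
        self._store_wrapped_mek(new)
        return True

    def write(self, sector_no: int, data: bytes) -> None:
        if self._mek is None:
            raise PermissionError("drive is locked")
        block = data.ljust(SECTOR, b"\0")[:SECTOR]
        self.platter[sector_no] = xor_bytes(block, keystream(self._mek, sector_no, SECTOR))

    def read(self, sector_no: int) -> bytes:
        if self._mek is None:
            raise PermissionError("drive is locked")
        return xor_bytes(self.platter[sector_no], keystream(self._mek, sector_no, SECTOR))

    def raw_sector(self, sector_no: int) -> bytes:
        """What someone with physical access to the platters sees."""
        return self.platter[sector_no]

    def crypto_erase(self) -> None:
        # Destroy the only copies of the MEK; the platters themselves are untouched.
        self.wrapped_mek = os.urandom(32)
        self.wrap_tag = os.urandom(32)
        self._mek = None


def demo() -> dict:
    """Walk through write, lock/unlock, credential change and crypto erase."""
    drive = SelfEncryptingDrive(b"correct horse battery staple")
    secret = b"Q3 payroll export"          # constructed sample data
    drive.write(3, secret)
    stored = drive.raw_sector(3)
    result = {
        "plaintext_on_platter": secret in stored,
        "readable_when_unlocked": drive.read(3).rstrip(b"\0") == secret,
    }
    drive.lock()
    result["wrong_credential_unlocks"] = drive.unlock(b"guess")
    result["right_credential_unlocks"] = drive.unlock(b"correct horse battery staple")
    result["rekey_keeps_data"] = (
        drive.change_credential(b"correct horse battery staple", b"new passphrase")
        and drive.read(3).rstrip(b"\0") == secret
    )
    drive.crypto_erase()
    result["platter_unchanged_after_erase"] = drive.raw_sector(3) == stored
    result["credential_works_after_erase"] = drive.unlock(b"new passphrase")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two observations worth taking away are the last two flags: after `crypto_erase()` the sector bytes on the platter are identical to what was there before, yet no credential can recover the MEK, so the ciphertext is all that remains. The same wrap-and-unwrap structure is what an encryption management product has to administer at fleet scale (credential rotation, recovery credentials, erase-on-decommission), which is the management burden the advice above asks software vendors to be ready for.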