Hardwiring Disk Encryption for Extra Protection

Industry analysts believe that security is no longer the number one priority. Security has been displaced by topics like business intelligence and performance management. Bear in mind though that all this means is that security remains a concern but just not number one.

Indeed Gartner’s 2008 survey of CIOs point to security as 6th in importance from a technology perspective and not in the top 10 from a business perspective. And yet we continue to read reports about security.

According to the Privacy Rights Clearinghouse (PRC), a nonprofit consumer organization in the US, there have been a total of 230,454,030 records containing sensitive personal information have been involved in security breaches in the US since January 2007.

“With industry reports estimating 700,000 laptops stolen every year and the associated costs reaching $5.4 billion, organizations face a clear and pressing security threat,” said Christopher So, General Manager, Volume Products Division, Fujitsu Hong Kong Limited.

Where should security start? Should it be at the servers that run business-critical applications? Should it be at the device level that houses the behavior of its owner? Should it be on the Web where a vast major of information flows today? Or should it be down to the individual components that make up the technologies we use today to make life simple and complicated at the same time?

There are those who believe that security must be deployed across as wide a spectrum of data entry points as possible. Some vendors have been working to integrate security measures down to the firmware that makeup part of the embedded intelligence in computing devices.

I recently spoke to a security expert who noted that no matter how many times you delete a file on a hard disk or portable memory media like a USB thumb drive, there is software available that can recover the data. The hour-long debate on what constitutes the protection of information boils down to using data encryption technology to keep confidential information private.

Data encryption falls under three broad categories: data-in-transit; data-in-use; and data-at-rest.

Encryption of ‘data-in-transit’ protects information as it moves from node to node across local networks, wireless networks and the internet. There are a number of widely adopted standards for this type of encryption, including SSL (Secure Sockets Layer), TLS (Transport Layer Security), and IPSec (Secure Internet Protocol). Encryption of data-in-transit prevents thieves from intercepting or ‘sniffing’ sensitive data traffic as it travels the network.

‘Data-in-use’ refers to data being accessed or processed by applications or databases. Efforts to secure data-in-use include digital rights management (DRM), content management and content filtering technologies.

‘Data-at-rest’ (‘DAR’) refers to data in computer storage (and excludes data temporarily residing in computer memory). Examples include data stored on a computer hard drive, a database on a networked server, and files copied to a USB drive. The recent stories in Hong Kong about theft of information via USB drives point to the uncontrolled proliferation of USB drives within enterprises.

There are 2 fundamental means of achieving encryption for data-at-rest. The simplest method is to encrypt individual data files and folders. A more comprehensive approach is to encrypt the entire storage media.

“Disk encryption, has emerged as the ‘best practice’ for protecting data-at-rest on endpoint devices – desktops, laptops, and removable storage media. By encrypting data at the sector level, full-disk encryption provides the most comprehensive safeguards in the event of the loss or theft of an endpoint device,” says Adrian Chua, Sales Director Asia Pacific for WinMagic.

Kelvin Lim, regional manager for South Asia at Check Point, notes that with disk encryption, a user will not need to employ file encryption on a file-by-file basis, and still obtain complete data integrity and security.

“Disk encryption renders the information on an entire disk unreadable to unauthorized third parties without the credentials. Disk encryption removes the security decision from the end user, ensuring compliance without any form user interaction or training,” Lim adds.

As employees become more mobile the incidence of notebook theft (and subsequent data loss) has been on the rise. While few organizations agree on the dollars lost associated with these theft.

David M. Smith, associate professor of economics at Pepperdine University in Michigan, believes there are three cost components associated with data loss: cost due to technical services, lost productivity and the value of the lost data. Together, this amounts to US$3,957 per incident. Click here for additional details on his findings.

Hard disk vendors like Seagate and Fujitsu have added encryption into a number of their products. Seagate partnered with encryption specialist WinMagic to provide additional protection for some of its Momentus hard drives.

Fujitsu introduced the world’s first 256 bit advance encryption standard (AES) technology offering secure, highly automatic hardware encryption at the drive level.

The built-in AES automatically encrypts data when writing to the hard drive and decrypts during read process. The Fujitsu FDE implementation also includes an advanced secure erase feature to help reduce risks associated with re-using hard drives.

Security, simplicity and ease of use are what users and IT managers expect of technology today.

For example the Fujitsu MHZ2 CJ drive series creates a simple-to-use and virtually impenetrable data lock down, with no encryption keys remaining on the machine when it is powered off. “The data on the disk drive remains inaccessible without the password, delivering advanced protection for the organization owning the machine, and the critical data for which they are responsible,” said So.

But in case you think that FDE is the answer to all of your encryption needs, there are those who think otherwise.

Chua cautions that full-disk encryption is not suitable for applications. File, folder and container encryption (collectively ‘FFCE’) extend cryptographic safeguards to shared files and folders on departmental servers and other common storage media.

“FFCE offer protection for data files in transit (e.g. e-mail attachments) as well as additional security against internal threats. Issues surrounding the protection of sensitive data or personal identifiable information (PII) are complex,” explains Chua.

In today’s age of community-based hacking and relentless threats coming from every conceivable route, data encryption should be part and parcel of an organization’s overall security policy.