Self-encrypting drives

I’ve long been an enthusiastic supporter of self-encrypting drives (SEDs), a technology that offers substantially better performance and security than software-based encryption solutions. SEDs can even work out much cheaper to deploy, as a less powerful machine can be used to deliver the same level of laptop performance. Yet few organisations are deploying them. Why is this? Is it apathy, ignorance or some other reason?

The Ponemon Institute have just published a survey of IT Practitioners on their perceptions about SEDs. Unsurprisingly, it shows that compliance is the main driver for adoption of encryption solutions. More interestingly, it reports that most practitioners have a high regard for SEDs and their capabilities. The barriers to adoption appear to be perceptions about cost, and uncertainty about the options available and their ease of implementation. Another issue seems to be the division of responsibilities and decision-making in the procurement process.

This sounds about right. I recall meeting a security manager at a recent conference. I asked him if he had encryption on his enterprise laptop. “Of course,” he replied, “though it’s currently switched off.” I asked him if he’d considered SEDs. “No,” he responded, “but it sounds like a good idea.” He didn’t, of course, pick the solution.

Ponemon predict that, as understanding grows, there will be greater adoption of SEDs. That of course assumes that enterprises take more interest in the quality of their security solutions, rather than just aiming for the easiest route to ticking the compliance box.    

By the way, for those who’d like to know more about SEDs, Bob Thibadeau, the inventor, is in London later this week and will be speaking at the ISSA-UK Chapter meeting on Thursday.   


The true barrier to adoption of SEDs and similar tools for many enterprises is that a point solution usually creates many more problems than it solves. Centralised management helps solve the key recovery, distribution and revocation issues, but typically introduces another management console, requiring further administration and helpdesk resources, not to mention additional training, both for the administrators and the end-users. Some vendors overlook these additional costs, glossing over them during the sales process, much to the annoyance of experienced CIOs/CSOs. However, some organisations hide their inertia behind these reasons, using them as excuses to delay deployment of appropriate controls, be they products, processes, policies and/or people (i.e. their education/training). It is human nature to underestimate serious risks and overestimate minor risks - it takes a lot of hard work, from the organisation's management team, from the sales channel and from the vendor, to position, classify and address these risks properly.

All encryption today requires centralized management to provide the proof of encryption. By its nature any full disk encryption process will change the logon process for users to the PC as it must take place before the OS loads. I agree that these areas must be examined closely. However, due to the performance and security benefits of an SED drive and the fact that it is a solid industry standard it should be clear to add SED drives to every new PC and move off of software encryption solutions over time. We are in a transition to hardware security in the endpoint. It is critical that all of the security capabilities in the PC and other devices are leveraged. SED drive procurement is a good step in this direction and a great opportunity for the security team to meet the device procurement team in many organizations. TPMs, Intel TXT, SED, client trusted execution, security in smartphones... are all moving to hardware. Standards are a very important part of the puzzle. The barrier is that it is hard to add hardware after you buy the device. As you indicate the cost is adopting these technologies as part of the overall security of the enterprise but the ROI is very solid. Steven Sprague - Wave Systems (a vendor)

I cannot believe a security professional “that so called security manager” can be so negligent about his data. How can he be an example (a good one!) for the other employees? As a security manager I’m sure he has some very sensitive information on his machine.