Self-encrypting drives: What's holding back SED hard drive encryption security?

The self-encrypting drive (SED) provides a high level of data security, is invisible to the user, does not affect workflow or performance and cannot be turned off, yet SED technology has been adopted by relatively few organisations – so what's holding it back?


Why don't more organisations use SEDs?

Self-encrypting drives (SEDs) provide a high level of data security by encrypting all data on the disk drive automatically without any action required by users - yet SED technology remains one of the security industry's best-kept secrets.

Despite the fact that SED encryption is invisible to the user, does not interfere with workflow or performance, and cannot be turned off or bypassed, SED technology has been adopted by relatively few public and private sector organisations.

Part one of this feature identified cost concerns as one of the main reasons SEDs have been overlooked by procurement departments, but a 2011 US survey of IT professionals by the Ponemon Institute points to other, less obvious reasons.


Lack of awareness of SED hard drive encryption technology

Above all, the study reveals that relatively few IT professionals are aware of SED technology. According to the Ponemon study, only 35% of respondents said they were very familiar with SEDs and 53% said they were only somewhat familiar.

About 85% said their organisations mostly use software-based encryption. When asked why they were not using hardware-based encryption, 36% said they did not understand the hardware-based encryption options available.

These statistics show that awareness and understanding levels remain low, perhaps because the technology is relatively new and immature.

Part one of this feature showed that, because SEDs are not shipped as standard, procurement departments typically opt for more economic bundles. But the Ponemon study reveals that, among those organisations that claimed to be familiar with SEDs, uncertainty reinforced cost as a barrier to adoption.

Some IT security professionals are simply unwilling to replace existing hard drives, opting for software encryption instead. Others say that, even if the cost of an SED is not much greater than a normal drive, it will require additional investment in things like a central management infrastructure, training and testing.

However, SED pioneer Robert Thibadeau says the advantages outweigh these concerns. "A strategy to migrate to SEDs is a good one for the improvement in assurance that IT can have, that the data at rest problem is now well-handled," he says.


Operating systems shipped with software encryption

Compounding cost concerns is the fact that some operating systems are shipping with disk encryption, which organisations believe makes it harder to justify the additional cost of investing in SEDs when they have already paid for the operating system (OS).

There are several reasons SEDs are a better option, says Thibadeau, now chief scientist at Wave Systems, a supplier of client and server software for hardware-based security.

First, software disk encryption keeps the media encryption key within the OS, which leaves it exposed to rootkit attacks that can retrieve the key. "With an SED there is no software attack possible to retrieve the media encryption key," Thibadeau says.

Second, there is the problem of where the media encryption lives. "If I put on a second drive, or replace my first, how does that work with software encryption? There are not good solutions to these problems," he says.

Third, studies have shown that even the best performing software encryption (BitLocker) still slows the performance of the processor by about half for large file reads and writes.


SEDs perform better than software encryption

A 2010 comparative study of SEDs and three common software encryption products, by IT security consultancy firm Trusted Strategies, shows SEDs typically have a better throughput rate, particularly during extensive read operations such as virus scans.

In extensive read tests, at 82.75 megabytes a second, the SEDs performed as well as standard disk drives, but 114% faster than the average of the three software encryption products on test.

In extensive write tests, the SEDs performed as well as standard disk drives, but 43% faster than the average of the three software-based solutions.

In tests to see the effect of full disk encryption on recovering from hibernation, the software products took on average 40.8 seconds, nearly twice as long to recover from hibernation as the SEDs (23.22 seconds).

In addition to performance, the Trusted Strategies report also compared the security of the hardware and software encryption systems and the time it takes to install and deploy them.

IT security professionals typically argue that software can be deployed remotely, whereas deployment is much more difficult with SEDs, posing operational issues for short-term deployment.

The study, however, found this can be offset against the time taken for software encryption systems to encrypt a disk for the first time. In testing, the software solutions took between 3.5 and 24 hours to finish the installation and initial encryption of a 500 gigabyte disk.

In contrast, because SEDs automatically encrypt anything written to them, the OS, applications or any data on the drive is encrypted as soon as it is stored on the drive. There is also no need for the initial encryption process required by the software full disk encryption products. The only requirement of SEDs is to enrol authorised users, which took less than two minutes using management software.

The study also rates security of SEDs higher because SEDs perform as well as standard drives and so there is no incentive for users to bypass the encryption process. Central management software provides full audit logs of security settings and disables local changes to security settings. As all encryption is done in the disk, encryption and authentication keys are never accessible to outside systems, where they can be stolen.


Management concerns over SED hard drive encryption

Alessandro Moretti, member of the (ISC)2 board of directors and a senior risk and security executive in financial services, highlights central management as another key obstacle to the wider adoption of SEDs. The lack of central, scalable management is cited by many in the IT security industry as one of the biggest problems with deploying SEDs.

But Thibadeau says this is a false perception, as there are software systems that provide enterprises with central management capabilities that are scalable, including Wave Systems' own central management software. "We have implementations with over 100,000 laptops/desktops under management. It uses Active Directory and a SQL database making it both scalable and easy to integrate," Thibadeau says.

Another common criticism of SEDs is that they lack a strong authentication component and do not enable recovery-type access for forgotten passwords, but again Thibadeau says this is not true. "Technically the authentication component is 256 bits which is as strong as any that exists. It is true that, since an SED is not software, you have to use software such as Wave's Preboot that implements the desired authentication, and Wave's software both for Enterprise and Preboot contains one-time recovery password support that is suited for the helpdesk," he says.

Thibadeau claims SED management software has now reached a level of maturity that should eliminate concerns around password resets, forensics key backup, compliance reporting and remote erase.

Some security software suppliers have also added SED management capabilities to their encryption offerings, enabling organisations to manage and use a combination of SEDs and software encryption products. The encryption offering from Sophos, for example, automatically detects if an SED is present, and if so, uses it rather than software. This enables organisations not yet ready to replace all existing hard drives to begin using SEDs within an existing estate and replace standard hard drives with SEDs as they reach the end of their life.

The barriers to adoption of SEDs seem to be mainly related to cost, uncertainty about the options available, implementation, performance, deployment and management, but the studies by both Ponemon and Trusted Strategies reveal that these concerns are largely unfounded.

The division of responsibilities and decision-making in the procurement process in public and private organisations is another notable barrier to adoption of SEDs. As highlighted by Thibadeau, security and compliance officers are typically not involved in procurement processes.

These barriers, however, are all based on inaccurate perceptions of how SEDs work and the maturity of the technology in terms of standards and management software.

According to the Trusted Computing Group (TCG), SEDs are easily deployed in the enterprise, and because drives are based on TCG specifications they are easily managed and the cost of deployment is reduced.


Tide of opinion turning for self-encrypting drives

But the tide does seem to be turning, with 37% of those polled in the 2011 Ponemon study saying they believed their organisations would pay a premium to gain the extra security SEDs promise, and 70% saying they believe SEDs would have an enormous and positive impact on the protection of sensitive and confidential information if a disk was lost or stolen.

The cost of deploying and using SEDs could also be justified when compared with the cost of stolen or lost records, which is an average of £80 per record, according to a 2010 Ponemon study of the cost of data breaches. This could help provide a business case for investing in SEDs.

In comparison with software-based encrypted drives, 64% of respondents agree that SEDs provide a faster setup time because the drive is built to encrypt data with no feature turn-on required. And 59% agree SEDs provide enhanced scalability in multi-drive scenarios, because encryption is handled by the drive, eliminating the performance bottleneck of other encryption systems.

Over half of respondents said they believe SEDs will become standard in desktop and laptop drive security in the next one to three years.

This change in attitude is likely to gain momentum as awareness grows, more SEDs are shipped as standard to public and private sector organisations, administration becomes easier, and the cost of ownership is brought in line with traditional technologies.

SEDs are undoubtedly great devices, says James Lyne, director of technology strategy at security firm Sophos. "SEDs provide great performance and abstraction from the software layer, avoiding compatibility challenges that plagued earlier software encryption solutions," he says.

Progressively, more devices will have SEDs built in and the encryption capability will move to the infrastructure, says Lyne, and Thibadeau believes they will be a common component in portable computing devices soon, perhaps even within the next year.