Risk
9/24/2009
11:30 AM
50%
50%

Full Disk Encryption Evolves

The Opal standard paves the way for hardware-based encryption.

Management's A Must

Consider yourself warned: Without an integrated management infrastructure, enterprise deployment and support of Opal-compliant hard drives will be a nightmare. There are a few key features that are essential. For starters, organizations must manage boot passwords and password resets. If an employee leaves, becomes unavailable, or just forgets the password, IT needs a way to access the data on the drive. Conversely, if an IT administrator leaves, the organization must be able to change admin accounts.

Another necessary function is the ability to report on the state of a given laptop or asset. If a device goes missing, can you demonstrate beyond a reasonable doubt that the drive was indeed protected via encryption? This capability will have a major impact on compliance with state breach disclosure laws and limit the fallout from potential data loss.

These use cases require a centralized management platform that can communicate with endpoints. We're aware of only one vendor--Wave Systems--that's shipping a management platform to tie all of this together. Wave uses a "pre-boot" operating system to set up admin and user accounts for unlocking the hard drive's encryption keys before the OS boots, and also has a Windows agent that can sync these accounts with Active Directory.

At A Glance
SELECTED FULL DISK ENCRYPTION PLAYERS
Opal hard-drive manufacturers:
Fujitsu, Hitachi, Samsung, Seagate Technology
Opal management software vendor:
Wave Systems
Laptop vendors shipping Opal drives: Dell, Lenovo
Software-based FDE vendors:
Check Point Software, Guardian Edge, McAfee, Microsoft, PGP
So will software-based FDE products go the way of the dodo? Not likely--organizations with global software FDE deployments aren't about to rip them out. It also will take time for companies to swap in laptops with Opal-compatible drives. Software FDE vendors certainly don't project a sense of urgency, either. McAfee and Check Point say they see the need for managing hardware- and software-based FDE. But neither has announced timelines for Opal support.

In contrast, on the manufacturing side, vendor support for hardware-based FDEs is good. In the last six months, Fujitsu, Hitachi, and Samsung have debuted Opal-compliant drives, and system vendors Dell and Lenovo are shipping laptops with Opal-based drives. In fact, the hardware-based approach is going to come faster than some FDE vendors are envisioning. The technology will find a warm reception among organizations struggling with their FDE strategies, because the advantages are too compelling to ignore.

Greg Shipley is CTO of Neohapsis, an information security and risk management firm.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.