Risk
5/9/2011
05:18 PM
50%
50%

Self-Encrypting Hard Drives Face Perception Challenge

IT professionals see benefits, but questions linger over the cost, manageability, and speed of self-encrypting hard drives, says a Ponemon Institute survey.

One-third of security professionals who handle encryption don't understand self-encrypting hard disk drives. In particular, they're unsure whether the drives are better or worse than software-based encryption for preventing tampering, managing encryption, or handling authentication keys.

Those findings come from a recent survey of 517 IT practitioners who are at least familiar with self-encrypting drives, conducted by Ponemon Institute, and sponsored by the Trusted Computing Group (TCG), which promotes hardware-based, vendor-neutral security specifications.

Today, when full disk encryption is used on a PC, software-based approaches are the norm, with 85% of survey respondents saying that's their primary approach. According to the survey, however, 70% of IT professionals also think that self-encrypting drives would help their organization to protect data, but many worry about the related hardware cost. Perhaps counter-intuitively, 37% of respondents also said that they "would pay a premium" for related data security improvements, according to the study.

As that range of responses and awareness levels suggests, self-encrypting drives currently face an awareness challenge. "There are real advantages to hardware-based encryption solutions, which are obvious, but there are perceptions that they're costly, unwieldy, … or might even cause diminished end-user productivity," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a telephone interview.

Perhaps the lack of understanding isn't surprising, since self-encrypting drives remain scarce in enterprise circles. For starters, that's because the underlying, de facto industry standard for hardware-based full disk encryption--the Opal specification for hardware-based full-disk encryption from TCG--was only finalized in 2009. Since then, Hitachi, Samsung, Seagate, and Toshiba have begun releasing drives which comply with Opal, and six software vendors have released or updated their disk encryption software to manage such drives.

One driver for using any type of hardware-based encryption is that it prevents users from tampering with the encryption, for example if they think it's impeding their speed. Notably, the survey found that 61% of respondents said "employees in their organizations turn off their laptops' security protection without obtaining advance permission to do so."

"We know that the 'jailbreaking' phenomenon is real," said Ponemon. "That's another big motivator here," since hardware-based encryption can't be deactivated. In fact, users shouldn't even know it's there.

That said, any type of encryption must surmount the stigma that it will noticeably slow disk read and write access. But Ponemon said that his survey turned up no users reporting drive performance issues. "In addition to the survey responses, we also do a debriefing--34 people, in this case, who are more than knowledgeable users of [self-encrypting drives]… and we didn't get any feedback at all, zero, about the robustness of the technology." He suggested that one explanation for the performance degradation noted with one older type of self-encrypting drive may have been because it was an earlier generation solid state flash drives.

In addition, he said, "the read we got from people who were familiar with both hardware-based and software-based encryption was that hardware-based encryption improved their management ability." Notably, survey respondents with self-encrypting drive experience reported that they were easier to deploy than software-based full disk encryption approaches, in part because the drives come preloaded with encryption keys.

Regardless of the choice of encryption, when it comes to securing data at rest, Ponemon said he's still amazed by how many organizations choose to use no encryption at all. "Organizations are subject to PCI DSS, or there are other compliance regimes, laws like in Massachusetts and Nevada, and it's amazing to me that organizations are not considering the best possible encryption solution."

What's the culprit? He suspects it could be a lack of executive-level visibility into the problem, or a lack of resources. "But when you talk to IT professionals, they do understand that … it's like playing a game of poker. Sooner or later, you're going to lose."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2015-2168
Published: 2015-03-03
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.