Risk
5/9/2011
05:18 PM
50%
50%

Self-Encrypting Hard Drives Face Perception Challenge

IT professionals see benefits, but questions linger over the cost, manageability, and speed of self-encrypting hard drives, says a Ponemon Institute survey.

One-third of security professionals who handle encryption don't understand self-encrypting hard disk drives. In particular, they're unsure whether the drives are better or worse than software-based encryption for preventing tampering, managing encryption, or handling authentication keys.

Those findings come from a recent survey of 517 IT practitioners who are at least familiar with self-encrypting drives, conducted by Ponemon Institute, and sponsored by the Trusted Computing Group (TCG), which promotes hardware-based, vendor-neutral security specifications.

Today, when full disk encryption is used on a PC, software-based approaches are the norm, with 85% of survey respondents saying that's their primary approach. According to the survey, however, 70% of IT professionals also think that self-encrypting drives would help their organization to protect data, but many worry about the related hardware cost. Perhaps counter-intuitively, 37% of respondents also said that they "would pay a premium" for related data security improvements, according to the study.

As that range of responses and awareness levels suggests, self-encrypting drives currently face an awareness challenge. "There are real advantages to hardware-based encryption solutions, which are obvious, but there are perceptions that they're costly, unwieldy, … or might even cause diminished end-user productivity," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a telephone interview.

Perhaps the lack of understanding isn't surprising, since self-encrypting drives remain scarce in enterprise circles. For starters, that's because the underlying, de facto industry standard for hardware-based full disk encryption--the Opal specification for hardware-based full-disk encryption from TCG--was only finalized in 2009. Since then, Hitachi, Samsung, Seagate, and Toshiba have begun releasing drives which comply with Opal, and six software vendors have released or updated their disk encryption software to manage such drives.

One driver for using any type of hardware-based encryption is that it prevents users from tampering with the encryption, for example if they think it's impeding their speed. Notably, the survey found that 61% of respondents said "employees in their organizations turn off their laptops' security protection without obtaining advance permission to do so."

"We know that the 'jailbreaking' phenomenon is real," said Ponemon. "That's another big motivator here," since hardware-based encryption can't be deactivated. In fact, users shouldn't even know it's there.

That said, any type of encryption must surmount the stigma that it will noticeably slow disk read and write access. But Ponemon said that his survey turned up no users reporting drive performance issues. "In addition to the survey responses, we also do a debriefing--34 people, in this case, who are more than knowledgeable users of [self-encrypting drives]… and we didn't get any feedback at all, zero, about the robustness of the technology." He suggested that one explanation for the performance degradation noted with one older type of self-encrypting drive may have been because it was an earlier generation solid state flash drives.

In addition, he said, "the read we got from people who were familiar with both hardware-based and software-based encryption was that hardware-based encryption improved their management ability." Notably, survey respondents with self-encrypting drive experience reported that they were easier to deploy than software-based full disk encryption approaches, in part because the drives come preloaded with encryption keys.

Regardless of the choice of encryption, when it comes to securing data at rest, Ponemon said he's still amazed by how many organizations choose to use no encryption at all. "Organizations are subject to PCI DSS, or there are other compliance regimes, laws like in Massachusetts and Nevada, and it's amazing to me that organizations are not considering the best possible encryption solution."

What's the culprit? He suspects it could be a lack of executive-level visibility into the problem, or a lack of resources. "But when you talk to IT professionals, they do understand that … it's like playing a game of poker. Sooner or later, you're going to lose."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.