Risk
5/9/2011
05:18 PM

Self-Encrypting Hard Drives Face Perception Challenge

IT professionals see benefits, but questions linger over the cost, manageability, and speed of self-encrypting hard drives, says a Ponemon Institute survey.

One-third of security professionals who handle encryption don't understand self-encrypting hard disk drives. In particular, they're unsure whether the drives are better or worse than software-based encryption for preventing tampering, managing encryption, or handling authentication keys.

Those findings come from a recent survey of 517 IT practitioners who are at least familiar with self-encrypting drives, conducted by the Ponemon Institute and sponsored by the Trusted Computing Group (TCG), which promotes hardware-based, vendor-neutral security specifications.

Today, when full disk encryption is used on a PC, software-based approaches are the norm, with 85% of survey respondents saying that's their primary approach. According to the survey, however, 70% of IT professionals also think that self-encrypting drives would help their organization to protect data, but many worry about the related hardware cost. Perhaps counter-intuitively, 37% of respondents also said that they "would pay a premium" for related data security improvements, according to the study.

As that range of responses and awareness levels suggests, self-encrypting drives currently face an awareness challenge. "There are real advantages to hardware-based encryption solutions, which are obvious, but there are perceptions that they're costly, unwieldy, … or might even cause diminished end-user productivity," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a telephone interview.

Perhaps the lack of understanding isn't surprising, since self-encrypting drives remain scarce in enterprise circles. For starters, that's because the underlying de facto industry standard, TCG's Opal specification for hardware-based full-disk encryption, was only finalized in 2009. Since then, Hitachi, Samsung, Seagate, and Toshiba have begun releasing drives that comply with Opal, and six software vendors have released or updated their disk encryption software to manage such drives.

One driver for using any type of hardware-based encryption is that it prevents users from tampering with the encryption, for example if they think it's impeding their speed. Notably, the survey found that 61% of respondents said "employees in their organizations turn off their laptops' security protection without obtaining advance permission to do so."

"We know that the 'jailbreaking' phenomenon is real," said Ponemon. "That's another big motivator here," since hardware-based encryption can't be deactivated. In fact, users shouldn't even know it's there.

That said, any type of encryption must surmount the stigma that it will noticeably slow disk read and write access. But Ponemon said that his survey turned up no users reporting drive performance issues. "In addition to the survey responses, we also do a debriefing--34 people, in this case, who are more than knowledgeable users of [self-encrypting drives]… and we didn't get any feedback at all, zero, about the robustness of the technology." He suggested that one explanation for the performance degradation noted with one older type of self-encrypting drive may have been that it was an earlier-generation solid-state flash drive.

In addition, he said, "the read we got from people who were familiar with both hardware-based and software-based encryption was that hardware-based encryption improved their management ability." Notably, survey respondents with self-encrypting drive experience reported that they were easier to deploy than software-based full disk encryption approaches, in part because the drives come preloaded with encryption keys.

Regardless of the choice of encryption, when it comes to securing data at rest, Ponemon said he's still amazed by how many organizations choose to use no encryption at all. "Organizations are subject to PCI DSS, or there are other compliance regimes, laws like in Massachusetts and Nevada, and it's amazing to me that organizations are not considering the best possible encryption solution."

What's the culprit? He suspects it could be a lack of executive-level visibility into the problem, or a lack of resources. "But when you talk to IT professionals, they do understand that … it's like playing a game of poker. Sooner or later, you're going to lose."
