Self-Encrypting Hard Drives Face Perception Challenge

One-third of security professionals who handle encryption don't understand self-encrypting hard disk drives. In particular, they're unsure whether the drives are better or worse than software-based encryption for preventing tampering, managing encryption, or handling authentication keys.

Those findings come from a recent survey of 517 IT practitioners who are at least familiar with self-encrypting drives, conducted by Ponemon Institute, and sponsored by the Trusted Computing Group (TCG), which promotes hardware-based, vendor-neutral security specifications.

Today, when full disk encryption is used on a PC, software-based approaches are the norm, with 85% of survey respondents saying that's their primary approach. According to the survey, however, 70% of IT professionals also think that self-encrypting drives would help their organization to protect data, but many worry about the related hardware cost. Perhaps counter-intuitively, 37% of respondents also said that they "would pay a premium" for related data security improvements, according to the study.

As that range of responses and awareness levels suggests, self-encrypting drives currently face an awareness challenge. "There are real advantages to hardware-based encryption solutions, which are obvious, but there are perceptions that they're costly, unwieldy, … or might even cause diminished end-user productivity," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a telephone interview.

Perhaps the lack of understanding isn't surprising, since self-encrypting drives remain scarce in enterprise circles. For starters, that's because the underlying, de facto industry standard for hardware-based full disk encryption--the Opal specification for hardware-based full-disk encryption from TCG--was only finalized in 2009. Since then, Hitachi, Samsung, Seagate, and Toshiba have begun releasing drives which comply with Opal, and six software vendors have released or updated their disk encryption software to manage such drives.

One driver for using any type of hardware-based encryption is that it prevents users from tampering with the encryption, for example if they think it's impeding their speed. Notably, the survey found that 61% of respondents said "employees in their organizations turn off their laptops' security protection without obtaining advance permission to do so."

"We know that the 'jailbreaking' phenomenon is real," said Ponemon. "That's another big motivator here," since hardware-based encryption can't be deactivated. In fact, users shouldn't even know it's there.

That said, any type of encryption must surmount the stigma that it will noticeably slow disk read and write access. But Ponemon said that his survey turned up no users reporting drive performance issues. "In addition to the survey responses, we also do a debriefing--34 people, in this case, who are more than knowledgeable users of [self-encrypting drives]… and we didn't get any feedback at all, zero, about the robustness of the technology." He suggested that one explanation for the performance degradation noted with one older type of self-encrypting drive may have been because it was an earlier generation solid state flash drives.

In addition, he said, "the read we got from people who were familiar with both hardware-based and software-based encryption was that hardware-based encryption improved their management ability." Notably, survey respondents with self-encrypting drive experience reported that they were easier to deploy than software-based full disk encryption approaches, in part because the drives come preloaded with encryption keys.

Regardless of the choice of encryption, when it comes to securing data at rest, Ponemon said he's still amazed by how many organizations choose to use no encryption at all. "Organizations are subject to PCI DSS, or there are other compliance regimes, laws like in Massachusetts and Nevada, and it's amazing to me that organizations are not considering the best possible encryption solution."

What's the culprit? He suspects it could be a lack of executive-level visibility into the problem, or a lack of resources. "But when you talk to IT professionals, they do understand that … it's like playing a game of poker. Sooner or later, you're going to lose."