Seagate Technology today announced it is collaborating with others in the storage and security industry to extend its hardware-based, Full Disk Encryption (FDE) technology to its entire portfolio of enterprise-class hard drives. Providing data center managers with the best possible protection for data-at-rest is a significant advancement for security of the world's enterprise data centers.
The Trusted Computing Group (TCG) is establishing a security protocol for communicating with these self-encrypting hard drives, and the IEEE 1619.3 is creating a key management standard to ensure that this new technology will have interoperability. Among the major storage industry players actively involved are IBM, LSI, and Seagate.
Seagate this week is also demonstrating the performance and security capabilities of enterprise drive-level FDE at Storage Networking World. The demonstrations underscore the value that FDE technology brings to storage system administrators tasked with protecting against breaches of data that can occur in drives and systems that have been repurposed, decommissioned, disposed of, sent for repair, misplaced or stolen.
"Many organizations are considering drive-level security for its simplicity in securing sensitive data through the hardware lifecycle from initial setup, to upgrade transitions and disposal," said Eric Ouellet, vice president, Secure Business Enablement, Gartner. "Drive disposal in particular has always been one of the most challenging elements of the data security lifecycle. Even with secure disposal processes in place, misplacement, mislabeling and theft still do occur which can result in significant losses, penalties and fines. Eliminating the risk of compromise from the source is one approach that can significantly reduce the complexity of managing sensitive data."
Benefits of Drive Level FDE in the Enterprise
Many organizations, including storage vendors IBM and LSI, who have closely evaluated how encryption in the data center can best be done to guarantee performance, manageability, security and compatibility while minimizing complexity, have concluded that encryption belongs on the disk. Acting in its interests to secure U.S. Government data, the National Security Agency (NSA) has also identified this as a desirable solution.
"The need for enterprise administrators today to be sure that all corporate data is secure across the infrastructure is becoming an increasing priority," said Barry Rudolph, vice president of Disk Storage Solutions, IBM. "Natively securing data at rest within the disk drives is the next step in the evolution of securing storage media that physically leave the secure confines of the datacenter, and we look forward to collaborating with Seagate and utilizing our industry leading key management and security solutions to enable drive level full disk encryption across the enterprise."
"Data-at-rest encryption is an important topic in the industry," said president and CEO Abhi Talwalkar, LSI Corporation. "Although it can be implemented through many techniques, the preferred implementation method for external systems is through encryption at the HDD level. LSI is pleased to be working with other industry leaders and standards organizations to develop and deliver the most effective, standards-based encryption technology in the market."
Drive-level FDE security provides a range of superior benefits for protecting an enterprise system's data-at-rest when compared to current software and hardware encryption tools. Among them are:
Performance -- Because the encryption engine is in the disk drive's controller ASIC and matches the drive's maximum port speed, encryption won't slow a system down. And because it is in the drive itself, its performance automatically scales every time storage is added in the data center. With FDE at the drive level, performance problems are solved because the encryption functions are done automatically, at full interface speed, within each and every drive in the system.
Compatibility -- Drive-level FDE technology is supported by the security protocol developed through the TCG, an organization with more than 50 participating member companies, including all hard drive manufacturers. Key management standards to ensure interoperability are being established via the IEEE 1619.3. All major storage system providers are participating in IEEE 1619.3.
Manageability -- The IT user does not need to escrow the encryption key to maintain data recoverability because the encryption key is in the drive. There is less of a need to decrypt and re-encrypt the data to maintain security, because the encryption key does not leave the drive. This frees the storage administrator from having to schedule and conduct this performance-throttling activity.
Security -- This self-encrypting drive technology delivers a new standard of security for data-at-rest encryption. Ciphertext is never exposed. There are no cleartext secrets anywhere on the drive, and an attacker is assumed to have complete knowledge of the secrets' design and location. The drive can power itself down after a predefined number of authentication attempts. Access control credentials are separate from the encryption key. An attacker cannot alter the firmware -- firmware downloads are protected. Seagate has put no back doors in the drive. In fact, the drive is locked and inaccessible to anyone without full authorization.
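The Manageability and Security points above describe a key hierarchy in which the data encryption key never leaves the drive, the access credential is a separate secret that only unwraps it, and repeated failed authentication locks the drive. The following is an added illustrative model written for this page, not code from Seagate, IBM, LSI or the TCG; it assumes a PBKDF2-derived wrapping key, an HMAC tag to detect a wrong credential, and an HMAC counter stream as a stand-in for the drive's AES engine so that it runs on the Python standard library alone.

```python
import hashlib, hmac, os

# Constructed model (not Seagate's firmware) of a self-encrypting drive's key
# hierarchy; an HMAC counter stream stands in for the drive's AES engine.
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key, length):
    return b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range(0, length, 32))[:length]

class SelfEncryptingDrive:
    MAX_ATTEMPTS = 5                   # failed unlocks before the drive locks out
    def __init__(self, credential):
        self._dek = os.urandom(32)     # generated on-drive, never leaves the drive
        self._media = b""              # only ciphertext is ever stored here
        self._failed, self._locked = 0, True
        self._set_credential(credential)

    def _set_credential(self, credential):
        # Store only the DEK wrapped under a credential-derived key, plus a tag.
        self._salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", credential, self._salt, 100_000)
        self._wrapped = _xor(self._dek, kek)
        self._tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()

    def unlock(self, credential):
        if self._failed >= self.MAX_ATTEMPTS:
            return False               # models the self power-down lockout
        kek = hashlib.pbkdf2_hmac("sha256", credential, self._salt, 100_000)
        tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            self._failed += 1
            return False
        self._failed, self._locked = 0, False
        return True
    def _require_unlocked(self):
        if self._locked:
            raise PermissionError("drive locked")
    def write(self, data):
        self._require_unlocked()
        self._media = _xor(data, _keystream(self._dek, len(data)))
    def read(self):
        self._require_unlocked()
        return _xor(self._media, _keystream(self._dek, len(self._media)))
    def change_credential(self, new_credential):
        # Re-wraps the DEK only; the ciphertext stays put, so no re-encryption pass.
        self._require_unlocked()
        self._set_credential(new_credential)
        return self._media
```

Changing the credential leaves the stored ciphertext byte-for-byte unchanged, which is the property that removes the decrypt-and-re-encrypt cycle the Manageability point refers to.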
"The fact that the NSA has been such a strong supporter and active participant in the TCG's efforts around standards for device-level FDE speaks volumes," said Bill Watkins, Seagate CEO. "We've listened very carefully to their advice and requests, worked closely with others in the TCG organization, and we're excited about the opportunity to deliver on this new technology collaborating with industry leaders such as IBM and LSI. It feels good to play a major role in solving a very real problem for IT end users for improved enterprise security."