Is full-disk encryption worth it?

New study -- sponsored by drive makers -- argues the data security benefits of hardware-based encryption outweigh hassle, cost

Lost devices and data theft remain a major worry for enterprise IT firms. One way to protect against data loss is full-device encryption, now made easier to implement via self-encrypting hard drives or SSDs. Few people dispute the security advantages of using hard drives that are unreadable without their host system and proper user credentials, but does the cost of rolling out self-encrypting hardware outweigh the protection benefits?

The Ponemon Institute's research study, entitled "The TCO of Software vs. Hardware-based Full Disk Encryption," claims to provide an answer. The study, conducted last year, polled more than 1,300 IT and IT security professionals in four countries -- the United States, the United Kingdom, Germany, and Japan -- for detailed information about their use of and expectations for hardware-based full-disk encryption.

The results, recently reanalyzed with new insights provided in a follow-up paper, showed that full-disk encryption came at a fair cost, in large part because of the time and labor involved in deploying it. But the perceived benefits of using full-disk encryption far outweighed those costs.

A full-disk-encrypted system comes at a greater TCO -- not just from the cost of the hardware and software needed, but also from the costs involved with provisioning and maintaining encrypted systems. But according to the study, the cost savings from reduced data breach exposure via loss or theft far outweigh the TCO.

While the total amount of estimated savings varied from country to country, the biggest difference found was in the United States. There, each $235 spent on an encrypted system yielded some $4,650 in projected savings. Germany had the smallest difference: $260 in TCO yielded $973 in savings.

The study did find that the benefits of hardware-based encryption are by no means uniform across all sizes of organizations. The larger the organization, the greater the benefit -- especially where the risks and costs of a data breach are also bigger.

It comes as no surprise that the study was co-sponsored by a number of major players in either the storage or storage-controller arena. Among them were Intel, Micron, Plextor, Samsung, Seagate, and Toshiba, all of whom have varying degrees of vested interest in selling or supporting storage hardware with built-in encryption.

The study makes no specific recommendations for a particular manufacturer or variety of hardware-based encryption. It doesn't discuss specific software encryption systems either, such as Microsoft's OS-level solution BitLocker or third-party products like TrueCrypt.

While the total management and ownership cost of hardware encryption is greater, the increased costs for the hardware itself do appear to be marginal. Seagate's Constellation 1TB 7,200-rpm ES SATA drive retails for $119. Its SV35 series (which Seagate claims is built for video surveillance systems) has the same size and interface specs but lacks encryption, and retails for $109.

Likewise, the base cost of adding TPM to a computer -- a vital ingredient in the proper deployment of encryption -- is negligible. That said, the minimal manufacturing cost is hidden by the fact that most TPM-equipped systems tend to be sold upmarket anyway via more business-oriented SKUs.

This story, "Is full-disk encryption worth it?," was originally published at InfoWorld.com.
