Bringing encryption to every disk

Encrypting a drive or a file system is easy; the trick is managing the process across the enterprise

Seagate and Fujitsu have both recently announced full-drive encryption technologies. Fujitsu's new drives are aimed at laptop users, while Seagate is adding encryption capability to both its laptop and external USB drives, as well as the company's enterprise-class Cheetah and Savvio drives, with plans to add the same capability to its SATA drives in the future. These drives aim to address the urgent need that enterprises have for protecting data in the wake of dozens of data loss fiascos over the last few years.

Encryption can be implemented at many levels, from the chip-based full-drive encryption built into these new drives, to add-on encryption hardware in the data path between PC and storage, to encryption software that stores pre-boot encryption code in a hidden partition or on an external device such as a USB key. Even Microsoft has gotten on board with BitLocker encryption, available in both Vista and Windows Server 2008.

The newest chip-on-drive technology available in the latest lines of drives uses 256-bit high-speed encryption, but even basic software-based encryption would probably have sufficed in all but a very small percentage of data loss cases. Most data on media is not actually stolen but lost: systems are decommissioned, laptops are stolen for their resale value, or boxes of drives or tapes are left in the wrong place. Most data that is actively sought and stolen is taken by penetrating firewalls, by intercepting data traffic over wireless or Internet connections, or by means of social engineering. None of these problems is solved by storage encryption. But the lost or stolen laptop is a far more common occurrence, and that is the case storage encryption does address.

The bigger problem is not the ability to encrypt data, but the ability to manage keys across an enterprise that could encompass thousands of drives; to securely store and access keys; to reliably recover data stored on encrypted drives after laptop users have lost their stored keys; and to manage keys on storage arrays and tapes as well as laptops and desktop systems.

Key management appliances and software servers attempt to address these needs, but while they can securely store and supply keys for any type of encryption, managing keys from the new drives or from specific applications requires the built-in capability to interface with each device or application using the manufacturer's API. The more pervasive an encryption technology becomes, the better the chance that key management appliances will add the ability to manage keys for that technology.

Thus, Seagate's adoption of the same hardware-based encryption technology across all of its drives is very good news for enterprise security planners, but it's only the first step toward an enterprise-wide solution.

Copyright © 2008 IDG Communications, Inc.