Data Security
By Robert Thibadeau, Ph.D.
The need to encrypt critical data so that lost or stolen devices do not divulge their contents is rapidly gaining acceptance, driven by several factors, including data breach regulations. Those regulations allow organizations to avoid disclosure and penalties if the confidential information on lost or stolen equipment was encrypted. Based on recent computer security surveys, 10% of laptop computers are lost or stolen each year, and most of them contain sensitive, confidential data. In Business Case for Data Protection, a Ponemon Institute white paper, 94% of security survey respondents indicated that their data had been attacked in the last six months. The need for data protection therefore goes beyond lost or stolen hardware.
Data encryption is one of the more common approaches to preventing access to the digital data on a lost or stolen laptop or drive, or through an online attack, and to avoiding the penalties of non-compliance with U.S. and other governments’ laws. However, encryption performed in software can significantly reduce the performance of the laptop. It is not uncommon to hear about organizations, including law firms, that have purchased encryption software and required all employees to run it on their laptops. When the software slowed down the laptops and significantly disrupted workflow, including ordinary activities, users shut the encryption off. Once the technique for turning off the encryption software was discovered, it spread rapidly throughout the organization.
In The Human Factor in Laptop Encryption: US Study, the Ponemon Institute reported that 56% of business managers (managers of non-IT business functions) admitted to disengaging their laptop’s encryption solution, with 48% doing so in violation of their company’s security policy. Disengaging the encryption solution is not confined strictly to business people: 25% of IT security practitioners acknowledged having done the same.
According to the laws and regulations, to avoid the penalties for a data breach involving a missing computer, the enterprise must provide evidence (logs) that the laptop was encrypting before it was lost or stolen. Obviously, that evidence cannot be provided in cases where the encryption software has been disabled. Another problem with encryption results from loopholes in current regulations: a low-cost approach may satisfy the regulations without adequately protecting critical data. However, there are alternatives that give users the security they expect.
A Hardware-based Solution
The Trusted Computing Group (TCG), a not-for-profit organization, has developed several open standards to protect data based on trusted hardware. Compared to single-factor software-only approaches, hardware-based solutions are more robust and immune to external software attacks. TCG’s Trusted Platform Module, or TPM, provides a hardware basis, usually through a microcontroller or application-specific integrated circuit (ASIC), for protection. However, TPM capabilities also can be integrated into other components in a system.
By storing keys, passwords and digital certificates, the TPM protects security processes such as digital signing and key exchange. Additional capabilities include trusted cryptography, protected storage, integrity management and attestation. A TPM improves disk encryption by preventing decryption on another computer or with hacked system software. For example, Microsoft’s BitLocker Drive Encryption feature, included in Windows Vista and Windows 7, uses the TPM to ensure a trusted boot path and to secure the encryption key. The encryption can be used for both full-disk and file/folder encryption.
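To make the "trusted boot path" mechanism concrete, here is an added simulation (not BitLocker's or any TPM vendor's code) of how a volume key sealed to a TPM PCR is released only when the measured boot chain and the TPM itself both match; the boot-stage names, the TPM secrets and the `seal`/`unseal` modelling with SHA-256 and HMAC are constructed assumptions.

```python
# Constructed illustration: PCR extend and seal-to-PCR modelled with SHA-256/HMAC.
import hashlib
import hmac
import os

PCR_RESET = bytes(32)  # a PCR is all zeros after platform reset

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR <- H(PCR || H(component)): order-dependent and one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Each boot stage is measured into the PCR before it runs."""
    pcr = PCR_RESET
    for stage in components:
        pcr = pcr_extend(pcr, stage)
    return pcr

def seal(tpm_secret: bytes, pcr: bytes, data_key: bytes) -> dict:
    """Bind data_key to this TPM (tpm_secret never leaves it) and this PCR."""
    wrap = hmac.new(tpm_secret, b"seal" + pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(data_key, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return {"pcr": pcr, "blob": blob, "tag": tag}

def unseal(tpm_secret: bytes, current_pcr: bytes, sealed: dict):
    """Release the key only for the measured boot it was sealed to."""
    if current_pcr != sealed["pcr"]:
        return None  # boot path changed (tampered or legitimately updated stage)
    wrap = hmac.new(tpm_secret, b"seal" + current_pcr, hashlib.sha256).digest()
    tag = hmac.new(wrap, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None  # blob presented to a different TPM (another computer)
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))

# Constructed sample boot chain, TPM secrets and volume key.
GOOD_BOOT = [b"firmware v1", b"bootloader v1", b"kernel v1"]
TPM_A, TPM_B = os.urandom(32), os.urandom(32)
DISK_KEY = os.urandom(32)
SEALED = seal(TPM_A, measure_boot(GOOD_BOOT), DISK_KEY)

def key_released(tpm_secret: bytes, boot_chain) -> bool:
    """True when this TPM and boot chain unseal the volume key."""
    return unseal(tpm_secret, measure_boot(boot_chain), SEALED) == DISK_KEY

if __name__ == "__main__":
    modified = [b"firmware v1", b"modified bootloader", b"kernel v1"]
    print(key_released(TPM_A, GOOD_BOOT), key_released(TPM_A, modified),
          key_released(TPM_B, GOOD_BOOT))  # True False False
```

The same PCR mismatch that blocks a tampered boot stage also fires after a legitimate firmware or bootloader update, which is why a recovery key must be escrowed before such updates.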
Self-encrypting drives (SEDs) automatically encrypt all data on the drive, preventing attackers from accessing the data through the operating system. The TCG Storage Security Subsystem Class (OPAL) Specification, released in 2009, defines the requirements for SEDs. Coupled with the TPM’s public key infrastructure (PKI) capability, an SED achieves even stronger authentication. Several leading hard drive manufacturers and their software partners have announced support for hardware-based encryption products based on TCG’s OPAL Specification.
Demonstrated Hardware Capability
With examples of software and hardware encryption techniques readily available, comparison testing of three different software products, an SED and a regular drive, was conducted and summarized in a recent white paper. One of the conclusions of the in-depth analysis was that unlike software encryption, the performance of SEDs was comparable to standard drives in all cases. As a result, “there is simply no incentive for users to remove or bypass the encryption, even if it were possible.” This comparison held even when reading or writing large amounts of data.
In addition, software solutions require an initial encryption of the hard disk, a process that can take anywhere from 3 ½ to 24 hours per laptop. As a recommendation to organizations considering the cost-effectiveness of using software solutions to encrypt existing laptops versus upgrading to new laptops with self-encrypting drives, they “need to carefully consider the time involved and loss of performance when deploying software solutions.”
One way to avoid the performance hit of software encryption is to limit encryption to a file/folder basis, covering only those items that corporate policies classify as requiring encryption. The Aberdeen Group’s recent report, “Full-Disk Encryption on the Rise,” summarized its insight into file/folder encryption versus encrypting everything on the endpoint by noting that the simplicity of full-disk encryption (FDE), compared with the precision of encrypting specific files or folders, showed a general trend toward full-disk encryption. The FDE approach depends less on the precision of the policies and the accuracy of enforcement that the selective encryption alternative requires.
Establishing Security with a Hardware Foundation
While not favoring either hardware- or software-based full-disk encryption, the Aberdeen report does predict that “in the long term, it seems likely that hardware-based cryptography will become the foundation for most endpoint encryption, based on inherent advantages in security, performance and out-of-the-box support.” Certainly, those enterprises seeking the highest level of security will embrace a solution that has demonstrated capability and acceptance among organizations that also require the highest security. For example, international governments have already adopted or plan to adopt the TPM as the standard for authentication. Self-encrypting drives that utilize the TPM’s hardware advantage take data security to a higher level, without compromising performance.
Robert Thibadeau, Ph.D. is the Senior Vice President and Chief Scientist of Wave Systems Corp., writing on behalf of the Trusted Computing Group.