There is a revolution taking place in IT security as the adoption of full disk encryption (FDE) technology soars. Software-based FDE has proven effective at mitigating many threats involving the loss of data, and its benefits have been widely discussed. We are now entering a new age of data-at-rest security as software-based FDE makes way for hardware-based technologies with FDE capabilities built into the drives themselves, whether those are traditional hard disk drives (HDDs) or solid state drives (SSDs). In this next generation of hardware-based encryption, known as self-encrypting drives (SEDs), encryption takes place within the drive's own controller, in the data path between the host interface and the storage media. Organisations around the world are increasingly using SEDs to secure confidential information, recognising that this approach simplifies the deployment of security for data at rest.
Next-generation FDE is here
Sound key management is critical to the security of an FDE deployment because it ensures that keys are generated, distributed, stored, retrieved and used in a secure fashion. A fundamental tenet of securing an FDE deployment is to separate the encryption function from key management. If encryption and key management are handled together on the same system, an attacker who compromises that system gains simultaneous access to both the encryption key and the data it protects, which results in immediate compromise.
All SED solutions, and some software-based FDE solutions, support this separation; in an SED the drive performs the encryption while key management is handled by separate host-side software. There are several benefits to this architecture. The media encryption key is generated inside the drive and never leaves it: the host only holds the credential that unlocks the drive, so a drive removed from its host is unreadable without that credential, and a compromise of host software does not by itself expose the key. It is also significantly faster to perform encryption and decryption in the drive's hardware than in host software, so SEDs add minimal cost and have very little impact on host CPU load or throughput. Compression can be performed just before encryption to minimise storage space. Most importantly, hardware-encrypted data can be read as soon as it is written to disk without passing through an additional software decryption layer, meaning near-instant access to encrypted data. Two caveats apply in practice: an SED only protects data once locking has been enabled and a credential set (many drives encrypt from the factory but ship unlocked, in which case the encryption protects nothing), and the strength of the whole arrangement rests on the drive firmware's implementation, which should be evaluated like any other cryptographic component rather than assumed stronger simply because it is hardware.
Security and SEDs in the data centre
The importance of security in the data centre has been well covered. When hard drives leave the physical protection of the data centre, they become a potential risk for any business. This means that IT departments must look at IT security not only in terms of threats from within their business but also in terms of physical access to drives that may contain sensitive data and may be located at a supplier's site, for example during repair or replacement.
Traditionally, data centre security has focused on software and network threats, but teams are now placing more emphasis on the physical security of server drives. This means data centre managers are becoming more inclined to encrypt data at rest at the hardware level. This focus on hardware encryption will only become more prevalent as businesses look to decommission and upgrade drives which may contain sensitive and private data. Current disposal methods for decommissioned drives remain time-consuming, costly and difficult to police, not least for regulatory and compliance reasons. For example, many US state breach-notification laws treat the loss of data that was properly encrypted at rest as exempt from notification (a so-called safe harbour), provided the key was not compromised along with the data. In the UK, the ICO has indicated that where such hardware losses occur and encryption has not been used to protect the data, regulatory action may be pursued.
The assumption that physical data centre security means drives do not need encryption looks increasingly archaic, since eventually all drives leave the data centre one way or another. Encrypting these drives protects data when they are sent out for repair, repurposed or retired at end of life. With an SED, decommissioning becomes a cryptographic erase: the drive discards or regenerates its media encryption key, rendering every sector unreadable in seconds, instead of a multi-pass overwrite or physical destruction, and that is where the reduction in decommissioning costs comes from. In addition, the management software for SED-equipped servers should cover RAID arrays, disk and port access control, remote management, multiple-OS support and file and folder encryption, so that it improves rather than burdens productivity across IT teams.
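The separation of encryption from key management described above, and the cryptographic erase used at decommissioning, are easier to reason about with a concrete model. The following is an added example, not code from the article or from any drive vendor: it models an Opal-style SED in which the media encryption key (MEK) is generated inside the drive and never exported, the host-side key manager holds only the unlock credential, locking drops the plaintext MEK from controller memory, and crypto-erase regenerates the MEK so that the old ciphertext on the media is orphaned. The cipher is an HMAC-SHA256 counter-mode keystream standing in for the drive's AES-XTS engine (so the example runs with the standard library only; do not use it for real data), and the drive serial, credential and sector payload are constructed values.

```python
"""Toy model of a self-encrypting drive's key hierarchy (added example).

Models the Opal-style design: the media encryption key (MEK) is generated
inside the drive and never leaves it; the host only holds the credential that
unlocks it. HMAC-SHA256 in counter mode stands in for AES-XTS so this runs
with the standard library alone. It is a model, not a cipher for real use.
"""
import hashlib
import hmac
import secrets

SECTOR = 512
# Constructed sample sector contents for the demonstration.
PAYLOAD = b"payroll.csv,2024-Q1,ACME Ltd,confidential".ljust(SECTOR, b"\0")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode: a stand-in for the drive's AES-XTS engine."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class SelfEncryptingDrive:
    """The controller: owns the MEK and exposes only lock/unlock/read/write/erase."""

    def __init__(self, sectors: int = 8):
        self._mek = secrets.token_bytes(32)        # generated inside the drive, never exported
        self._media = [bytes(SECTOR)] * sectors    # ciphertext as it sits on platter/flash
        self._salt = secrets.token_bytes(16)
        self._wrapped = None                       # MEK wrapped under a credential-derived KEK
        self._unlocked = True                      # factory state: no owner, drive is open

    def _kek(self, credential: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential, self._salt, 100_000, 32)

    def take_ownership(self, credential: bytes) -> None:
        """Wrap the MEK under a key derived from the host credential (encrypt-then-MAC)."""
        kek = self._kek(credential)
        nonce = secrets.token_bytes(16)
        ct = _xor(self._mek, _keystream(kek, nonce, 32))
        tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        self._wrapped = (nonce, ct, tag)

    def lock(self) -> None:
        """Power-off or explicit lock: the plaintext MEK is dropped from controller RAM."""
        self._unlocked = False
        self._mek = None

    def unlock(self, credential: bytes) -> bool:
        """Unwrap the MEK; a wrong credential fails the MAC and the drive stays locked."""
        if self._wrapped is None:
            return True                            # no owner set: the drive is always open
        kek = self._kek(credential)
        nonce, ct, tag = self._wrapped
        if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
            return False
        self._mek = _xor(ct, _keystream(kek, nonce, 32))
        self._unlocked = True
        return True

    def _require_unlocked(self) -> None:
        if not self._unlocked:
            raise PermissionError("drive is locked")

    def write_sector(self, lba: int, data: bytes) -> None:
        self._require_unlocked()
        tweak = lba.to_bytes(16, "big")            # sector number acts as the per-sector tweak
        self._media[lba] = _xor(data.ljust(SECTOR, b"\0"), _keystream(self._mek, tweak, SECTOR))

    def read_sector(self, lba: int) -> bytes:
        self._require_unlocked()
        return _xor(self._media[lba], _keystream(self._mek, lba.to_bytes(16, "big"), SECTOR))

    def raw_media(self, lba: int) -> bytes:
        """What someone holding the bare platters or flash would see."""
        return self._media[lba]

    def crypto_erase(self) -> None:
        """Revert to factory: new MEK, credential discarded, old ciphertext orphaned."""
        self._mek = secrets.token_bytes(32)
        self._wrapped = None
        self._unlocked = True


def demo() -> dict:
    """Walk the drive's life cycle and return the observations for checking."""
    # Host-side key manager: holds only the unlock credential per drive serial,
    # never the MEK (constructed values).
    key_manager = {"SN-0001": b"correct horse battery staple"}
    drive = SelfEncryptingDrive()
    drive.take_ownership(key_manager["SN-0001"])
    drive.write_sector(0, PAYLOAD)
    results = {"ciphertext_differs": drive.raw_media(0) != PAYLOAD}
    drive.lock()
    try:
        drive.read_sector(0)
        results["locked_read_blocked"] = False
    except PermissionError:
        results["locked_read_blocked"] = True
    results["wrong_credential"] = drive.unlock(b"password1")
    results["right_credential"] = drive.unlock(key_manager["SN-0001"])
    results["read_after_unlock"] = drive.read_sector(0)
    drive.crypto_erase()                           # decommissioning: no overwrite pass needed
    results["read_after_erase"] = drive.read_sector(0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if isinstance(value, bool) else value[:24])
```

The point the model makes is that the host key manager and the drive hold different secrets: the manager's credential is useless without the drive (it unlocks nothing else), and the drive's media is useless without the credential (the MEK is only ever present in controller memory while unlocked). After `crypto_erase()` the drive is open again, but every sector it still holds decrypts to noise under the new MEK, which is exactly why an SED can be repurposed or returned for repair without an overwrite pass.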
SED holds the key to data centre security
Hardware-based SEDs provide several advantages over software-based FDE, particularly in the areas of performance, security, cost, complexity and key management. Organisations looking to prepare for the future data centre must consider the benefits that SEDs bring and the impact on the IT team: SEDs can significantly reduce IT operating expenses by removing the need for host-side encryption management on each drive and by cutting the disposal costs of decommissioned drives. When organisations plan for future data centre equipment needs, they should expect to specify SED-capable drives and so benefit from this next generation of FDE technologies.