We recently ran a poll on www.storage-brain.com that asked the following question: “Which Storage Technology Will Be Next to Gain Widespread Adoption?” Here is summary of the voting:
A. Solid State Disk Drives (54% of votes cast)
B. Hybrid Disk Drives (39% of votes cast)
C. Self-Encrypting Disk Drives (7% of the cast)
To no great surprise, answer “C” came in a distant 3rd. Encryption, like all forms of security, makes things harder not only for crooks, but for honest people, and therefore is something most Users don’t want to bother with. Unfortunately, data can be very confidential and most people never want the wrong data to fall into the wrong hands.
Self-encrypting drives are the storage industry’s attempt to make data more secure and security easier to administer. Instead of using software-based encryption and only encrypting certain files, a self-encrypting drive encrypts everything – registries, FAT tables, and other system-level data. On a PC, self-encrypting drives are authenticated during boot-up at which point everything on the drive is stored encrypted but the encryption is transparent to the authenticated user. If the laptop falls into the wrong hands, (without authentication) – data on the encrypted drive would be extremely difficult if not impossible to decipher. Sounds easy, but there is a catch…
The one drawback that all forms of encryption have, including self encrypting drives, is that if you forget your authentication password (also known as the encryption key), your disk drive becomes a useless pile of plastic and aluminum. Seagate, for one, has tried to solve this problem by providing two levels of authentication – an administrator password and a user password. The user has to enter a password at boot-time in order to access the data on the drive, but if they forget it, there’s also a unique administrator password that an IT department could use to gain access.
In my opinion, self-encrypting drives could soon become mandatory for the millions of government and civilian employees running around with sensitive data on their laptops. In fact, I am a little surprised this technology hasn’t already been mandated. Enterprise disk drives, on the other hand, will probably never see broad adoption of this technology, for a number of reasons I will now explain.
The typical enterprise storage array has hundreds of individual disk drives. Storage arrays are usually housed in data centers with restricted access. The arrays are part of an IT network that is secured by firewalls, passwords, and various levels of User authentications. Furthermore, the data housed in arrays is commonly spread across many physical disk drives in order to maximize performance.
There are two types of security attacks that IT groups defend against – external intrusion and internal theft. In the first, hackers attempt to break into a network by breaking through layers of authentication. Since this intrusion occurs via the server, and drive encryption is application transparent, there is no security benefit from drive encryption in this type of attack. The second type of attack, internal theft, occurs when a malicious employee walks off with one or more disk drives containing sensitive data. As mentioned, array data is largely “scrambled” by the nature of its design, therefore an employee would need to cart off an entire array or at least an entire drive shelve in order to steal anything meaningful – a grand heist to be sure.
Self encrypting drives is neat technology that provides new levels of security protection for individual disk drives and should be embraced by organizations with mobile users carrying sensitive data. For the enterprise data center, however, the value of this feature is not apparent and I just don’t see broad adoption ever occurring. That’s my opinion, what’s yours?