A lot has been written about full-disk encryption and its positive impact on reducing data theft. However, for a variety of reasons -- cost, negative performance hits -- many organizations have yet to adopt the technology. Further, full-disk encryption is not yet widely adopted in the data center. All that is about to change. Read on to learn about what's coming for full-disk encryption.
Last month, the Trusted Computing Group (TCG), a not-for-profit organization that promotes open standards for hardware-enabled security technologies, released final specifications defining how hard drives can have encryption enforcement built into the drive itself, at the hardware level. Of course, not all data breaches are the result of lost or stolen hardware, but by including an encryption option right in the storage device, organizations can close one avenue of loss for sensitive information entirely. Now, if one of your executives is on a business trip and loses a laptop while traveling, worries about possible information loss can go away.
The specifications, developed by a team of hard drive manufacturers, operate at a level that does not impact overall system performance. Today's most common encryption methods run in software between the operating system and the hardware, imposing performance penalties that can sometimes be noticeable.
There are a total of four standards covering various storage elements. From the specification documents themselves:
- TCG Storage Work Group Security Subsystem Class: Opal. The Opal SSC is an implementation profile for Storage Devices built to: 1) Protect the confidentiality of stored user data against unauthorized access once it leaves the owner's control (involving a power cycle and subsequent deauthentication); 2) Enable interoperability between multiple SD vendors. Think individual computers.
- TCG Storage Work Group Security Subsystem Class: Enterprise. This specification is an implementation profile for trusted storage devices commonly deployed within Enterprise-class systems. It provides storage device implementation requirements needed to guarantee interoperability between storage devices from different vendors. Enterprise-class systems often deploy a mix of cross-vendor storage devices and interoperability is therefore key, both for non-trusted and trusted storage devices. This specification defines a limited set of TCG Trusted Storage functionality that, combined with Full Disk Encryption (FDE), protects the confidentiality of user data at rest. Only a single threat scenario is addressed: removal of the storage device from its host system involving a power cycle of the storage device and subsequent unauthorized access to data stored on that device. This covers the enterprise space.
- TCG Storage Interface Interactions Specification. This document defines for each interface: 1) Mapping of interface events to TCG resets; 2) Mapping of IF-SEND, IF-RECV; 3) Handling of common TPer errors; 4) Discovery of security capabilities; 5) Miscellaneous issues. In short, this is the communications portion of the standard - think IDE, SCSI, etc.
- Trusted Computing Group Optical Storage Subgroup FAQ. Defines a set of encryption standards that can be applied to optical storage. Note that only optical storage is included in this particular document. Other removable storage types, such as flash and solid state drives and tape devices, are not covered.
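The "discovery of security capabilities" mentioned above is how a host learns which of these specifications a drive implements and whether its data is currently locked. The following is an added example, not code from the article or from the TCG, that parses a Level 0 Discovery response using the header and feature-descriptor layout from the TCG Storage Core specification (feature codes and Locking flag bits as I recall them from that specification and the Opal/Enterprise SSCs; the drive response bytes are constructed, not captured from real hardware).

```python
import struct

# Level 0 Discovery feature codes from the TCG Storage Core / SSC specifications.
FEATURE_TPER, FEATURE_LOCKING = 0x0001, 0x0002
FEATURE_ENTERPRISE_SSC, FEATURE_OPAL_SSC_V1, FEATURE_OPAL_SSC_V2 = 0x0100, 0x0200, 0x0203
SSC_NAMES = {FEATURE_ENTERPRISE_SSC: "Enterprise SSC",
             FEATURE_OPAL_SSC_V1: "Opal SSC v1", FEATURE_OPAL_SSC_V2: "Opal SSC v2"}

def parse_level0_discovery(buf: bytes) -> dict:
    """Return {feature_code: descriptor_data} from a Level 0 Discovery response."""
    if len(buf) < 48:
        raise ValueError("response shorter than the 48-byte header")
    # Header: 4-byte big-endian parameter length (bytes that follow it), 2+2 bytes
    # major/minor version, 8 reserved, 32 vendor-specific; descriptors start at 48.
    (param_len,) = struct.unpack_from(">I", buf, 0)
    end = min(4 + param_len, len(buf))   # never trust the length field past the buffer
    features, off = {}, 48
    while off + 4 <= end:
        code, _version, length = struct.unpack_from(">HBB", buf, off)
        data = buf[off + 4: off + 4 + length]
        if len(data) < length:
            raise ValueError("truncated feature descriptor 0x%04x" % code)
        features[code] = data
        off += 4 + length
    return features

def locking_state(features: dict) -> dict:
    """Decode the Locking feature flag byte; 'locked' is what a power cycle produces."""
    data = features.get(FEATURE_LOCKING)
    if not data:
        return {}
    flags = data[0]
    return {"locking_supported": bool(flags & 0x01), "locking_enabled": bool(flags & 0x02),
            "locked": bool(flags & 0x04), "media_encryption": bool(flags & 0x08),
            "mbr_enabled": bool(flags & 0x10), "mbr_done": bool(flags & 0x20)}

def ssc_name(features: dict) -> str:
    """Name the Security Subsystem Class the drive advertises, if any."""
    return next((name for code, name in SSC_NAMES.items() if code in features), "none")

def build_sample() -> bytes:
    """Constructed response: Opal v2 drive, locking enabled, media encrypted, locked."""
    body = struct.pack(">HBB", FEATURE_TPER, 0x10, 12) + bytes([0x01]) + bytes(11)
    body += struct.pack(">HBB", FEATURE_LOCKING, 0x10, 12) + bytes([0x0F]) + bytes(11)
    body += struct.pack(">HBB", FEATURE_OPAL_SSC_V2, 0x10, 16)
    body += struct.pack(">HHBHHBB", 0x1000, 1, 0, 4, 8, 0, 0) + bytes(5)  # base ComID etc.
    header_rest = struct.pack(">HH", 1, 0) + bytes(8) + bytes(32)
    return struct.pack(">I", len(header_rest) + len(body)) + header_rest + body

if __name__ == "__main__":
    feats = parse_level0_discovery(build_sample())
    print(ssc_name(feats), locking_state(feats))
```

On a real system the response bytes come from an IF-RECV over the drive's interface (for example via a tool such as sedutil); the parser itself is interface-agnostic.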
The hard drive standards have been developed jointly by Fujitsu, Hitachi, Samsung, Seagate, Toshiba, and Western Digital so that there is deep interoperability between different vendors. I believe it's a matter of time before governments pass laws related to full-disk encryption, so these kinds of cooperative standards are welcome, as they will hopefully result in minimal consumer impact while providing maximum protection.