Executive Summary
Cloud computing is transforming IT for businesses of all sizes, but not without significant concern from IT and security professionals. Yet for large and small businesses alike, cloud computing delivers new capabilities that can enhance security posture rather than diminish it.
Disk encryption is a case in point. With data breach regulations becoming more pervasive, the need for encryption on desktops and mobile laptops is growing daily. Yet many companies have been slow to deploy full disk encryption, in part because of the perceived costs of deployment and ongoing management.
This paper describes how Self-Encrypting Drive (SED) technology builds encryption into laptops and desktops and how cloud-based security management can make it easier for companies to test and deploy SEDs. It describes the barriers, both perceived and real, to SED deployment, and how using cloud-based management accelerates pilots and supports a phased deployment model.
Background: The Need for Full Disk Encryption
Organizations of all kinds face a growing need to encrypt data on desktops and mobile laptops. In the U.S., most states have implemented data breach disclosure laws to protect consumer privacy. Research by the Ponemon Institute shows that the cost of a data breach reached $214 per compromised record in the US in 2010, with an average organizational cost of $7.2 million per breach [1]. Other ramifications of data breaches include brand degradation and the loss of intellectual property.
As employees become more mobile, the potential for data being lost, stolen or misplaced increases exponentially. Each new publicized data breach involving a lost/stolen laptop highlights the vulnerability of data residing on the desktops and laptops where people work every day.
Analysts and security experts all agree that encrypting laptops and desktops is a priority. Gartner, for example, recommends that all companies deploy encryption broadly across all workstations [2]. Despite this consensus, a recent study by the Ponemon Institute reveals that very few organizations have a consistent encryption strategy.
Without a consistent strategy, securing data from loss and demonstrating compliance is an impossible challenge.
[1] Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach
[2] Gartner, Magic Quadrant for Mobile Data Protection, September 2011, John Girard, Eric Ouellet
Why Desktop and Laptop Encryption Isn’t Widespread
In an InformationWeek survey about encryption, “lack of interoperability” is the most significant factor deterring people from deploying encryption. Concerns about deployment and management costs are the next two factors listed [3].
While these concerns are legitimate, they are often clouded by misperceptions and misunderstandings, or based solely on experiences with software-based FDE technologies.
Interoperability concerns: Software-based FDE technologies can conflict with applications on the endpoint, slowing performance or creating problems. With Self-Encrypting Drives (SEDs), encryption is completely transparent to the application and operating system. Interoperability and performance-related issues are nonexistent with SEDs.
Misperceptions about SED acquisition cost: Those IT executives that are aware of the SED alternative for endpoint encryption often believe that SED technology is expensive or uncommon. Only recently has production and support for SEDs become widespread in the PC industry, so they still have an outdated reputation for being expensive and scarce. SEDs are now available from a wide range of PC suppliers, including Dell, HP, Lenovo and others, for little to no incremental cost.
Negative experiences: Some organizations have had poor experiences with full disk software encryption, and that colors their perception of endpoint encryption as a whole. For example, software-based FDE is time-consuming to install on client devices, requires an initial configuration, and often introduces performance and compatibility problems with applications.
Hardware-based encryption with SEDs addresses many of these key concerns, and is worth further investigation for any organization looking to address the security of data on desktops and laptops.
[3] Michael A. Davis, Data Encryption: Ushering in a New Era, InformationWeek
According to a survey conducted by the Ponemon Institute, 36% of the organizations that choose not to use hardware-based disk encryption admit that they do not fully understand the hardware-based encryption option.
Self-Encrypting Drives
An SED embeds encryption within the drive’s micro-controller chip so that encryption is always on, offering certainty that data is encrypted and the ability to confirm encryption for compliance reasons.
SEDs offer significant advantages over software-based encryption alternatives, including:
• Better performance: Because encryption happens on a chip within the drive, it doesn’t compete for processing cycles with the laptop’s CPU or slow down running applications. Encryption is completely transparent to the OS as well as its applications. As a result, end-user satisfaction is higher than with software-based encryption.
• Faster deployment: SEDs do not require an initial encryption cycle, which can take up to 24 hours using software-based solutions. IT can execute data encryption initiatives in less time.
• Enhanced security: With SEDs, encryption is always on and cannot be turned off or otherwise compromised by the end user. SEDs are also impervious to cold-boot or side channel attacks.
From the end user’s perspective, hardware-based encryption simply works and never interferes with their productivity. From the administrator/management perspective, there’s no lengthy initial encryption process, and no software installation/configuration cycle of encryption software.
Companies in search of an endpoint encryption strategy or struggling with the effort of software-based encryption should evaluate the SED alternative for its lower long-term costs and ease-of-use when compared with software encryption.
Cloud-Based Management of SEDs
IT needs central visibility and management of devices and control over the security policies that govern them. If a user forgets their password, for example, the PC is unusable until the password can be reset.
Endpoint encryption is typically a part of a compliance effort, and thus requires audit and reporting capabilities. If a laptop is lost or stolen, organizations need to be able to demonstrate that the data remains protected.
Wave Cloud offers cloud-based management of all self-encrypting drives, including:
• User and password management
• Windows password synchronization and SSO
• Visibility and reporting
• Web-based APIs for integration with enterprise applications
As a cloud-based service, Wave Cloud does not require any server infrastructure, so pilot programs can be up and running in minutes.
Wave Systems has been pioneering SED management since 2007. Since then, the Trusted Computing Group (TCG) has defined an SED standard called Opal. Leading hard drive manufacturers like Seagate and Hitachi, flash vendors like Micron and Samsung and external drive leaders like CMS have built a wide range of Opal-based SEDs. PC vendors like Dell, HP and Lenovo offer these SEDs on a variety of systems, for little to no additional cost. Gartner estimates that in five years all drives will be hardware encrypted.
Reducing the Risk and Time of Pilot Projects
The best way to overcome misperceptions about SEDs and get a true sense of their potential role in business security is simply to try them out. Using Wave Cloud, pilot programs don’t need to include provisioning servers, installing management software and training for IT staff.
An SED pilot program should include a small number of candidates. These might include frequent travelers with laptops containing sensitive corporate data or others that frequently store sensitive data on their PCs. The pilot program can use new systems equipped with SEDs or you can retrofit existing systems with internal or external SEDs.
To accelerate the pilot, set up Wave Cloud to centrally manage SEDs as users receive PCs equipped with them. The users can run their actual applications and devices using encrypted storage, verifying the fact that encryption is truly seamless and transparent when using SEDs.
Once the devices are in place, use Wave Cloud to test the basic administrative capabilities:
• Add initial users and passwords for the drives
• Synchronize drive-level passwords with Windows passwords
• Turn on single sign-on with the Windows login
• Reset user passwords with secure challenge/response
Using a cloud-based management solution delivers significant benefits for the pilot project:
• It reduces the risk of the pilot by eliminating investments in server equipment or software and training management staff.
• It speeds testing and assessment. The easy-to-use interface requires no training for administrators, and there’s no waiting to purchase, install and deploy server hardware and software.
Supporting SED Adoption with Scalable, Subscription-Based Management
If the pilot is successful, the next step is to make SEDs part of your endpoint encryption policy and start deploying them throughout the organization.
Deployment strategies will vary according to budget, compliance requirements, and equipment refresh lifecycles. A conservative, phased deployment approach might use the following strategy:
• Retrofit or replace ‘high-risk’ devices – for example, laptops belonging to senior executives or frequent travelers and desktops containing highly sensitive data in remote or insecure areas.
• Replace existing laptops and desktops with SED-equipped systems as part of your equipment refresh policy
If SEDs are part of the equipment refresh policy, then every new desktop or laptop system deployed will have an SED. In this way, encryption is essentially built into the desktop and laptop fleet. This results in a gradual ramp-up of SEDs within the organization, with administrators adding new users and devices as they come on-line.
Wave Cloud offers a scalable platform that adjusts as needs grow. Using Wave Cloud, administrators can:
• Automatically set and enforce SED password-related policies for all new laptops and desktops
• Use role-based administration to delegate administration tasks or offer read-only access to encryption information
• Enable Windows directory synchronization and single sign-on
• Create reports for compliance purposes
“Already, the majority of IT practitioners in this study predict that SEDs will become the standard of excellence in desktop and laptop drive security in the very near future.”
03-000328 / version 1.00, Release Date: 06-01-2012
Wave Cloud APIs offer deeper integration of SED management with existing enterprise processes. For example, use APIs to integrate SED password recovery with internal employee portals or other corporate applications.
Using cloud-based services to manage SEDs supports a gradual SED deployment with:
• Capital efficient ramp-up: Pay for what’s needed as it’s needed
• Scalability: Scale up to millions of devices if necessary, with no server infrastructure to maintain
Summary
Organizations that are struggling to secure data on laptops and desktops should seriously evaluate the role of self-encrypting drives (SEDs) in their endpoint encryption strategy. SEDs offer many benefits over software-based encryption, including better performance and reliability for the end users, and greater security and compliance for the organization as a whole.
Once perceived as an expensive and hard to find technology, SEDs are now available from major PC suppliers such as Dell, HP and Lenovo at little to no additional cost. And cloud-based management capabilities make them even easier to pilot and roll out to your distributed network of users.
About Wave
Wave Systems Corp. (NASDAQ: WAVX) reduces the complexity, cost and uncertainty of data protection by starting with the device. Wave leverages the hardware security capabilities built directly into endpoint computing platforms themselves. Wave has been among the foremost experts on this growing trend, leading the way with first-to-market solutions and helping shape standards through its work as a board member of the Trusted Computing Group.
When it comes to SEDs, Wave has been among the earliest pioneers, promoting, managing and supporting SEDs from major storage vendors for more than six years. Wave offers a complete suite of products to support the transition and migration to an embedded security model, starting with existing devices, including Wave EMBASSY® Remote Administration Server for managing self-encrypting drives, and Wave Cloud for the cloud-based management of SEDs. For more information, visit www.wave.com.