Friday, January 30, 2009

Trusted Computing Group spec to be foundation of storage encryption

Every day it seems like there is a new and significant data breach in the news. In fact, organizations like ChoicePoint, TJX, the Department of Veterans Affairs, or Heartland Payment Systems have become poster children for the sorry state of information assurance. Recognizing the risks to sensitive data, many companies have implemented full-disk encryption software from companies like PGP, PointSec, SafeBoot, and Utimaco. Still, this means purchasing, deploying, and managing add-on software on lots of PCs--a cumbersome operational task. For a number of years, I've been writing about a superior alternative, hard drive-based encryption. Fitted with self-encrypting drives, PC-based disks are encrypted from the get-go. What's more, disk-based encryption is more secure than add-on software with virtually no impact on system performance. So why haven't PCs with encrypting hard drives become a de facto standard? Users were afraid of proprietary hardware implementations and a lack of software management support. These were valid concerns--until now. This week, the Trusted Computing Group (TCG) announced the publication of three new standards for storage encryption. One is for PC hard drives (aka Opal), one is for enterprise hard drives (aka the Enterprise Security Subsystem Class Specification), and one is for secure interoperability with other storage standards like SCSI and ATA. All of the large hard drive vendors, including Fujitsu, Hitachi, Seagate, and Toshiba, will deliver hard drives that support these standards, and management software vendors like Secude, Wave Systems, and WinMagic are also on board. Others will surely follow. What do these new TCG standards mean?

  1. Software encryption is all but dead. Soon, most business laptops will be offered with encrypting hard drives at a nominal premium over a standard system. Heck, Dell already has about 12 models available. In three to five years, every disk drive may be encryption-enabled as it rolls off the production line. Encryption software fades away--quickly.
  2. CIOs and purchasing managers need to develop a plan. Many IT and security managers have no idea that TCG even exists, but this is no longer acceptable. Since laptops and desktop PCs will come with encryption "baked in," it is incumbent upon IT and endpoint management and security teams to create a plan for phasing in systems with self-encrypting drives and phase out encryption software over time.
  3. Expect encrypting drives in enterprise arrays. This will take a bit more time, as demand for array-based encryption isn't nearly as high. Nevertheless, every storage system produced by EMC, Fujitsu, Hitachi, HP, and IBM may eventually follow this path.
  4. Federal endpoint security initiatives must shift direction. I'm thinking specifically about the Federal Desktop Core Configuration effort and the Data at Rest SmartBuy program. Each of these efforts should be updated to emphasize disk-based encryption over software. The National Institute of Standards, the National Security Agency, and the U.S. General Service Administration must lead the effort to qualify, certify, and build procurement tools for self encrypting drive technologies soon.
There is a common IT evolution where software replaces hardware in order to offload processing, enhance performance, and lower overall system costs. This cycle is exactly what is happening here, and there is no turning back. My suggestion is that IT and security decision-makers come to terms with this ASAP. Your long-term information assurance strategy may depend on this.


No comments: