Ponemon SED Survey Report

Date Published: May, 01, 2011

The purpose of the Study on Self-Encrypting Drives, conducted by Ponemon Institute and sponsored by the Trusted Computing Group (TCG), is to understand organizations’ use of hardware-based encryption technologies, including self-encrypting hard and solid state drives.

Introduction

Organizations are using encryption to mitigate the damage caused by data breaches, comply with privacy and data protection regulations and preserve brand and reputation. However, there are many approaches and strategies for deploying encryption across the enterprise. The purpose of the Study on Self-Encrypting Drives, conducted by Ponemon Institute and sponsored by the Trusted Computing Group (TCG), is to understand organizations’ use of hardware-based encryption technologies, including self-encrypting hard and solid state drives.

Self-encrypting drives (SEDs) are a recent addition to the technologies used to protect stored data on drives. TCG published final specifications for client drives, data center drives and interoperability of self-encrypting drives in January 2009, and these are widely supported by PC, server drive and applications providers. In March 2009, hard drive vendors started shipping self-encrypting drives based on TCG’s specifications.

The study surveyed 517 IT practitioners with an average of 10 years of experience, most of whom report directly to the CIO or CISO in their organizations. To ensure a knowledgeable panel of respondents, only those who are familiar with self-encrypting drives were selected to complete the survey. All of the respondents work in organizations that use hardware-based and/or software-based encryption technologies.

More than one-third (37 percent) of respondents describe their information security and data protection as being at the late middle or mature stage. Those stages are achieved when the IT function begins to evaluate the effectiveness of key initiatives or they are focusing on program evaluation and refinement.

In the survey we included the following definition: SEDs provide hardware-based data security and enhanced secure erase capability. SEDs continuously scramble data using a key as it is written to the drive and then descramble it with the key as it is retrieved, giving users a high level of data protection. It also speeds and simplifies the drive re-deployment process. By deleting the encryption key, the data is rendered unreadable, eliminating the need for time-consuming data overwrite. The encryption logic is built into the drive electronics.

Thirty-five percent of IT practitioners in our study report that they are very familiar with SEDs and 53 percent say they are somewhat familiar. Approximately 85 percent say their organizations mostly use software-based encryption. When we asked why they were not using hardware-based encryption, 36 percent say they do not understand the hardware-based encryption options available for their organizations. We believe this response can be due to the fact, as we noted above, that this option became available only recently.

An important finding of this study is that IT practitioners view hardware-based encryption favorably but are uncertain about the cost. However, 37 percent believe their organizations would pay a premium to gain the extra security SEDs promise.

The majority of respondents agree that in terms of protecting data-at-rest, hardware-based encryption (including self-encrypting drives) is more secure than software-based encryption. In fact, 70 percent say that self-encrypting drives would have had an enormous and positive impact on the protection of sensitive and confidential information in the event that a data breach should occur.

Based on Ponemon Institute’s 2010 Annual Study: U.S. Cost of a Data Breach Study, the average cost per lost or stolen record is $214. In this study, it was shown that organizations lost on average approximately 16,000 records from a data breach. This translates to a cost of about $3.4 million for each incident. We believe the results of this research should be very helpful in making the business case for investing in SEDs.


