Questions and Answers from the October 5 Webcast with Trusted Computing Group and Dr. Tom Coughlin, Coughlin Associates
On October 5, 2011, Trusted Computing Group (TCG) hosted the webcast "Why SEDs Soon Will Be the Defacto Drive - Industry Forecast and Predictions" with Dr. Tom Coughlin, Coughlin Associates, to highlight new research on self-encrypting drive adoption and market forecast.
The following are questions posed during that webcast with answers provided by experts from the Trusted Computing Group.
Q. A large cost of a deployment is the software. When do you project this will become commoditized?
A. Any encryption in the enterprise must be managed, whether that encryption is software or hardware-based.
There are several options for managing SEDs. For an individual drive, the least expensive option is to set a user password in the BIOS in order to lock the drive in the ATA security mode. Encryption is always 'on' in the SED drive. Opal management software from ISVs for client-level management only is relatively inexpensive, and in some cases it is bundled with the SED drives at no extra cost.
At the top end of the management spectrum is the software to centrally manage large numbers of SEDs. Its functionality includes integration with policy management servers, support for multiple users and administrators from the identity and access management servers, audit logging for compliance reporting, and authentication key backup and recovery; all of these are essential corporate functions. While it is not likely that fully functional remote SED management will be commoditized, few customers who have adopted SED technology have identified this as an inhibitor to buying the technology.
Q. For enterprise SEDs, can you talk about the different approaches to key management? Is it managed at the controller level?
A. In SEDs based on the TCG Opal specification, the ENCRYPTION key is not externalized by the SED, so there is no encryption key management needed. The AUTHENTICATION key is externally managed and is used to unlock the SED, among other functions. In current implementations of data center / enterprise SEDs, the authentication key is managed from the RAID controller, which is optionally tied into an enterprise key manager. For client PC SEDs, user authentication key backup, recovery, and management are provided by ISV software.
Q. I'm interested in how encryption keys are stored, how they are protected, and whether they can be refreshed. Also, are there special backup utilities that handle the task of backing up and protecting the key?
A. The encryption key (EK) is generated in the factory by an on-board random number process and is never externalized. The externally managed authentication key (AK) is used by the drive to encrypt the EK. Thus, the EK is stored on the drive, in encrypted form only, in hidden (i.e., non-addressable) memory. The EK is not backed up, since it is not externalized.
However, the AK is externally managed and can be backed up and protected by a variety of means. For the laptop (TCG Opal) SED, the ISVs providing SED management also provide backup and recovery. For the enterprise (data center) SEDs, the key manager being used can also back up and recover the AK.
The internal EK can be 'refreshed' using an authenticated command. The old key is replaced with a new and random key. Thus, the old data is no longer available (called Crypto-Erase), but the SED continues to be operational with the new EK.
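As an added illustration (not code from TCG or the webcast), the following Python model follows the key hierarchy described in the answers above: the EK is generated on the drive and stored only wrapped under the externally managed AK, a wrong AK fails authentication, and an authenticated EK refresh (Crypto-Erase) leaves previously written sectors unreadable while the drive stays operational under the same AK. The cipher and wrapping construction are toy HMAC-based stand-ins for the drive's hardware AES, and the class, method names and the 32-byte AK are assumptions, not anything from the Opal specification.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher built from HMAC-SHA256 (stand-in for the drive's AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class ToySED:
    """Opal-style hierarchy (assumed model): EK generated on-board, stored only wrapped
    under the AK. A real drive would derive the wrapping key from a passphrase via a KDF."""
    def __init__(self, ak: bytes):
        self._media = {}   # LBA -> ciphertext on the platters/flash
        self._ek = None    # plaintext EK exists only in volatile memory while unlocked
        self._wrapped_ek = self._wrap(ak, os.urandom(32))  # factory-generated EK, hidden area

    @staticmethod
    def _wrap(ak: bytes, ek: bytes) -> bytes:
        body = _xor_stream(ak, b"wrap", ek)
        return body + hmac.new(ak, body, hashlib.sha256).digest()  # ciphertext || tag

    def unlock(self, ak: bytes) -> bool:
        body, tag = self._wrapped_ek[:32], self._wrapped_ek[32:]
        if not hmac.compare_digest(tag, hmac.new(ak, body, hashlib.sha256).digest()):
            return False   # wrong AK: the tag fails and the EK stays unrecoverable
        self._ek = _xor_stream(ak, b"wrap", body)
        return True

    def _require_unlocked(self) -> None:
        if self._ek is None:
            raise PermissionError("drive is locked")

    def write(self, lba: int, data: bytes) -> None:
        self._require_unlocked()
        self._media[lba] = _xor_stream(self._ek, b"lba%d" % lba, data)

    def read(self, lba: int) -> bytes:
        self._require_unlocked()
        return _xor_stream(self._ek, b"lba%d" % lba, self._media[lba])

    def crypto_erase(self, ak: bytes) -> bool:
        """Authenticated EK refresh: old data becomes unreadable, drive stays usable."""
        if not self.unlock(ak):
            return False
        self._ek = os.urandom(32)
        self._wrapped_ek = self._wrap(ak, self._ek)
        return True
```

Note that nothing outside the class ever sees the EK: only the wrapped blob is persisted, and a Crypto-Erase discards the old EK rather than overwriting the media.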
Q. Why do you anticipate most HDDs will be SEDs?
A. Most/all HDDs and SSDs will be SEDs for a number of reasons:
• Stored-data encryption is an explicit business requirement mandated by breach notification laws and other regulations and legislation.
• Hardware-based self-encryption has numerous advantages over software-based options.
• The additional cost of an SED will be steadily pro-rated into the overall cost of the drive and will thus diminish.
Q. What do you see as being the main driver for SED adoption?
A. The report notes a number of reasons, but among them are:
• increasing compliance requirements and data protection regulations and legislation;
• significantly improved performance over software-only encryption;
• superiority of security over software encryption; and
• diminishing delta cost.
Q. Where can I find the full report?
A. The archived webcast and PowerPoint presentation are available here.