The views expressed on this post are my own and do not necessarily reflect the views of TAIS or Toshiba.
In my previous post, "The Core Principles of Improving Data Security at the Source," we established our "three pillars" (encryption, access authentication and data life cycle management) – let’s continue by considering some of the choices and challenges organizations face when using and managing encryption, authentication and data life cycle management technologies.
Data encryption is widely deployed today by organizations that are subject to data privacy compliance policies, laws and regulations (which is just about every business or institution in the developed world). The vast majority use software encryption, which has been broadly available for more than a decade. Software encryption redirects storage I/O to a software encryption application that uses the host CPU and runs in system memory as a "background" task. It should be obvious that this approach impacts system performance. It also poses some security risks, since the encryption keys and the encryption code itself reside in system memory. Software encryption utilities need to be written specifically for the host OS and file system, and must be compatible with other applications running in the I/O stack.
Other software security utilities, such as virus checkers, may also increase complexity and compatibility concerns when used with software encryption. System deployments should include testing of the various software security components to assess their impact on performance and to ensure they do not introduce application compatibility risks; such tests may need to be repeated when vetting new applications or maintenance releases. Security components should also be integrated into security management systems so that compliance with security policy can be audited and continually verified. IT professionals should ensure that security policies are enforced and that application deployments and data storage systems comply with data protection (encryption), data access (authentication) and data management (life-cycle) policies and procedures.
Like encryption, access authentication is another pillar of data protection. The ability to prove that "you are who you say you are" is a key enabler of today’s digital business infrastructure. In the context of data storage, access to the storage device (e.g. the hard drive in your PC) should remain "locked" until access security checks confirm that the person asking for access is properly authenticated and authorized. Proper management of access permissions is important for maintaining the legal "safe harbor" provided by encryption. Put another way, it is vital to protect access credentials so that an evildoer cannot unlock the protected storage device and gain access to decrypted data. When software encryption solutions rely on only a user password to validate user access, the risk of a data breach is increased. Many organizations use multi-factor authentication schemes to ensure that access is unlocked only for authorized users. The security of the authentication process can be improved by using hardware security components, such as TPMs, together with secure storage hardware such as self-encrypting disk drives. New concepts such as pairing the storage device with the host system are also gaining attention as security solution providers seek to protect against new threat scenarios.
We cannot forget that all this attention to security and data privacy compliance costs money and man-hours. For example, software encryption is usually licensed on an annual basis, and on PC systems it cannot be installed until after the initial data load has completed (and then it must spend time completing the initial encryption pass over the data that was just loaded). System rebuilds should also account for the re-encryption cycle time before systems can be put back into service. The tools used to protect the security of data need to do more to address deployment resource burdens and solution complexity, as well as reduce their potential to negatively impact compatibility and performance. An obvious way to address these concerns, and to go beyond the traditional model of software as the sole line of defense, is to remove software encryption from the equation and replace it with cost-effective hardware encryption in the form of self-encrypting disk drives (SEDs).
We’ll have more to say about SEDs in a future post.
Disclaimer
The views and opinions expressed in this blog are those of the author(s) and do not necessarily reflect those of Toshiba America Electronic Components, Inc.