Freely subscribe to our NEWSLETTER

The data storage industry, working collectively in the Trusted Computing Group, has standardized and deployed innovative, simple and powerful technology to secure data where it lives – in storage. Encrypting directly on the drive offers many benefits, and standardizing that functionality provides a common interface for management software and for interoperability.

Previous-generation software encryption solutions typically have had cost, complexity, and usability issues. In contrast, new self-encrypting drives (SEDs) put the encryption engine in hardware, directly inside the storage system. From the outside, an SED functions as an ordinary drive, processing reads and writes. But, deep inside the drive electronics, just before the data ‘bits’ are written to the physical media, an encryption engine applies real-time encryption to the data stream, so that the ‘bits’ on the media are encrypted and therefore unreadable to an unauthorized adversary. Conversely, ‘bits’ read from the media are decrypted before leaving the drive, completely transparent to the end user.

In the enterprise, drives are managed by an array controller, or RAID (redundant array of independent disks) controller. RAID enables the connection and communication with the enterprise storage disks. For a data center, the array controller allows the implementation of self encrypting drives.
Research and testing by Trusted Strategies reveals stark differences in performance for SEDs versus software full-drive encryption (FDE). Three leading FDE software products were pitted against an SED, using a series of intensive read/write tests. In a typical test, the SED was 79 percent, 132 percent and 144 percent faster than software-based encryption.

Other benefits of self-encrypting drives include:

• Transparency: SEDs come from the factory with the encryption key already generated on-board and the drive already encrypting. The drives are always encrypting; conversely, software-based keys are provisioned by the user.

• Ease of management: No encrypting key to manage externally.

• Life-cycle costs: The cost of an SED is pro-rated into the initial drive cost; software has continuing life-cycle costs. Additional savings result from higher reliability and lower maintenance of SEDs.

• Disposal or re-purposing cost: With an SED, erasing the on-board encryption key renders the encrypted data unreadable in microseconds. The “clean” drive can be re-used, disposed, or shipped out for warranty repair; software-based encryption often relies on lengthy data-overwriting procedures or even destruction of the drive itself.

• Re-encryption: With an SED, there is no need to ever re-encrypt the data; software-based encryption key changes require whole drive re-encryption.

• Performance: No degradation in SED performance.

• Standardization: The whole drive industry is building to the TCG SED specifications; software is proprietary.

• No interference with processes, like compression, de-duplication, or DLP (data loss prevention); software encryption is necessarily upstream from storage and can interfere with such processes.

Eric Ouellet, Senior Vice President of Gartner, has noted, “Many organizations are considering drive-level security for its simplicity in helping secure sensitive data through the hardware lifecycle from initial setup, to upgrade transitions, and disposal”.

In summary, self-encrypting drives are widely available, as is management software that supports them and the TCG specifications. Given their availability, benefits and protection against potentially crippling data breaches, SEDs should be part of a top-down review and risk assessment for sensitive and personal corporate data.