Self-Encrypting Hard Drives Face Perception Challenge

Published: 22/11/2024   Category: security


IT professionals see benefits, but questions linger over the cost, manageability, and speed of self-encrypting hard drives, says a Ponemon Institute survey.



One-third of security professionals who handle encryption don't understand self-encrypting hard disk drives. In particular, they're unsure whether the drives are better or worse than software-based encryption for preventing tampering, managing encryption, or handling authentication keys.
Those findings come from a recent survey of 517 IT practitioners who are at least familiar with self-encrypting drives, conducted by Ponemon Institute, and sponsored by the Trusted Computing Group (TCG), which promotes hardware-based, vendor-neutral security specifications.
Today, when full disk encryption is used on a PC, software-based approaches are the norm, with 85% of survey respondents saying that's their primary approach. According to the survey, however, 70% of IT professionals also think that self-encrypting drives would help their organization to protect data, but many worry about the related hardware cost. Perhaps counter-intuitively, 37% of respondents also said that they would pay a premium for related data security improvements, according to the study.
As that range of responses and awareness levels suggests, self-encrypting drives currently face an awareness challenge. "There are real advantages to hardware-based encryption solutions, which are obvious, but there are perceptions that they're costly, unwieldy, … or might even cause diminished end-user productivity," said Larry Ponemon, chairman and founder of the Ponemon Institute, in a telephone interview.
Perhaps the lack of understanding isn't surprising, since self-encrypting drives remain scarce in enterprise circles. For starters, that's because the underlying, de facto industry standard, the Opal specification for hardware-based full-disk encryption from TCG, was only finalized in 2009. Since then, Hitachi, Samsung, Seagate, and Toshiba have begun releasing drives that comply with Opal, and six software vendors have released or updated their disk encryption software to manage such drives.
One driver for using any type of hardware-based encryption is that it prevents users from tampering with the encryption, for example if they think it's impeding their speed. Notably, the survey found that 61% of respondents said employees in their organizations turn off their laptop's security protection without obtaining advance permission to do so.
"We know that the jailbreaking phenomenon is real," said Ponemon. "That's another big motivator here, since hardware-based encryption can't be deactivated. In fact, users shouldn't even know it's there."
That said, any type of encryption must surmount the stigma that it will noticeably slow disk read and write access. But Ponemon said that his survey turned up no users reporting drive performance issues. "In addition to the survey responses, we also do a debriefing--34 people, in this case, who are more than knowledgeable users of [self-encrypting drives]… and we didn't get any feedback at all, zero, about the robustness of the technology." He suggested that one explanation for the performance degradation noted with one older type of self-encrypting drive may have been that it was an earlier-generation solid-state flash drive.
In addition, he said, "the read we got from people who were familiar with both hardware-based and software-based encryption was that hardware-based encryption improved their management ability." Notably, survey respondents with self-encrypting drive experience reported that they were easier to deploy than software-based full disk encryption approaches, in part because the drives come preloaded with encryption keys.
Regardless of the choice of encryption, when it comes to securing data at rest, Ponemon said he's still amazed by how many organizations choose to use no encryption at all. "Organizations are subject to PCI DSS, or there are other compliance regimes, laws like in Massachusetts and Nevada, and it's amazing to me that organizations are not considering the best possible encryption solution."
What's the culprit? He suspects it could be a lack of executive-level visibility into the problem, or a lack of resources. "But when you talk to IT professionals, they do understand that … it's like playing a game of poker. Sooner or later, you're going to lose."
