Why Drive-Based Encryption Is Safest and Best
In early 2003, MIT researchers Simson Garfinkel and Abhi Shelat published the results of a study in which they bought 158 used hard drives. The team spent less than $1,000 on eBay and similar sources, ultimately finding that 129 of the drives were operational. Of these, 55% still contained information. Twenty-eight of the drives showed that little to no attempt had been made to erase their data, and those that had been formatted were still easily readable with common analysis tools. One of these 28 had come from an ATM machine and contained a year of transaction data. All told, the 128 drives yielded corporate financial records, medical records, loads of private and/or pornographic photos, and over 5,000 credit card numbers.
All of this from only 128 discarded drives? Now consider that the U.S. Environmental Protection Agency estimated that in 2007 Americans discarded over 41 million PCs—over 112,000 systems containing at least one hard drive per day. Only about 15% to 20% were recycled, which includes being pumped into the second-hand market. The remaining systems were disposed of, according to the EPA, “largely to landfills,” where anyone could literally walk in and pick up terabytes of private data off the ground.
Source: www.epa.gov/osw/conserve/materials/ecycling/docs/fact7-08.pdf
This covers drives that are intentionally discarded. How about drives that unintentionally vanish? The FBI claims that over 600,000 laptops are stolen each year, accounting for over $5 billion in proprietary information losses. Ninety-seven percent of these laptops are never recovered. In a joint FBI/CSI survey in 2005 of companies with over $1 million in annual revenue and at least five employees, 15.5% had experienced laptop, desktop, or PDA theft within the prior 12 months. The average cost of this loss per company was nearly $32,000. This even trumps Ponemon’s Second Annual Cost of Cyber Crime Study (2011), which notes an average annualized cost of nearly $25,000 per company in stolen devices. The unbelievable truth, according to a similar 2009 Ponemon study, is that “more than 31% [of organizations] do not know how many laptops were missing or stolen during the past year. As a result, organizations do not have a clear understanding of the potential risk of a data breach and how to prevent the breach.” Is it any surprise, then, that only 8% of reporting enterprises had no laptop thefts in the prior 12 months?

Source: http://bit.ly/qtk1sv
Most sources agree that the data on a typical business system is far more valuable than the hardware replacement cost of the system itself. Is there an inexpensive, nearly foolproof way to protect data against all of this risk? Yes. The situation is analogous to people knowing that one pill a day would ward off cancer for the rest of their lives—and then not bothering to take the pill.
If the prior statistics seem too focused on the end-user or SMB segments, consider this: Seagate estimates that 50,000 drives exit data centers every day. Computing doesn’t get any more enterprise-oriented than IBM’s System z mainframe platform, and in the September 2010 issue of IBM Systems Magazine, IBM senior technical staff member Gordon Arnold notes that “about 90 percent of disk drives that go out for repair still have readable customer data on them.” Even with 4K block sizes within a striped array, Arnold states that “you can still get a lot of credit card numbers or Social Security numbers in that large of a block. That’s an audit and compliance exposure; it would trigger the disclosure requirements that are now in 45 U.S. states.”
Clearly, a lot of well-intentioned IT managers are living under the delusion that their data is safe. The reality is quite different, but fortunately there is easy help waiting just around the corner.
The miracle cure for data loss through disposal, loss, and theft is drive-based encryption. The underlying technology is remarkably robust and complex, but the implementation from a user’s perspective is ridiculously simple. In the following pages, we’ll delve into the essential details of encryption, how drive-based encryption differs from software implementations, and some options for making sure that your organization keeps its data under airtight but convenient and manageable lock and key.