
Other SED Advantages

Self-Encrypting Drives: Security for Every System

As mentioned earlier, the encryption functionality of SEDs can be centrally managed by remote IT staff. For example, Seagate has validated third-party solutions from SECUDE International, Wave Systems, TrendMicro, SafeNet, and WinMagic (to name a few) for use with its Momentus and Momentus Thin SEDs. Centralized management can help enterprises with encryption policy enforcement and lower overall security risk. Additionally, most relevant consumer protection laws state that if an organization can prove that the data on a lost drive was encrypted, the organization is not liable for damages resulting from the drive’s loss. This factor alone has moved many vertical markets to mandate SEDs on all present and future systems.

One of the most useful and advantageous SED features that can be managed is Instant Secure Erase (ISE). Remember that all data written into an SED is encrypted and the encryption key is stored within the drive. Without that key, the stored data cannot be decrypted. Instant Secure Erase is a command that instructs the drive to delete its encryption key. In only a second or two, the drive goes from having your full library of content (personal banking, photos, etc.) to a drive that looks like it just came off the manufacturing line – no data, no OS, no applications. Compared to traditional disk wiping methods (degaussing, overwriting, etc.), ISE is elegant and practically instantaneous. Any enterprise wanting to dispose of or repurpose its drives stands to benefit considerably from the time savings and impeccable reliability of ISE. And again, ISE can be centrally administered with the help of software security management. Rather than having to run one drive through a degausser at a time, hundreds or thousands of SEDs can be wiped with the click of a mouse.
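The following model illustrates why deleting the key is equivalent to wiping the drive. It is an added example, not vendor code: the `ModelSED` class and its method names are hypothetical, an HMAC-SHA256 keystream stands in for the drive's hardware AES engine, and the erase is modelled as replacing the key with a fresh random one so the drive stays usable.

```python
import hashlib
import hmac
import os

SECTOR = 512  # bytes per logical block in this model


class ModelSED:
    """Toy self-encrypting drive: the media only ever holds ciphertext."""

    def __init__(self):
        self._mek = os.urandom(32)  # media encryption key, never leaves the drive
        self.media = {}             # LBA -> ciphertext, i.e. what is physically stored

    def _keystream(self, lba):
        # Stand-in for the drive's AES engine: HMAC-SHA256 in counter mode,
        # keyed by the media key and bound to the sector address.
        out = b""
        counter = 0
        while len(out) < SECTOR:
            msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(self._mek, msg, hashlib.sha256).digest()
            counter += 1
        return out[:SECTOR]

    def write(self, lba, data):
        block = data.ljust(SECTOR, b"\x00")[:SECTOR]
        self.media[lba] = bytes(a ^ b for a, b in zip(block, self._keystream(lba)))

    def read(self, lba):
        ct = self.media.get(lba, bytes(SECTOR))
        return bytes(a ^ b for a, b in zip(ct, self._keystream(lba)))

    def instant_secure_erase(self):
        # Only the 32-byte key changes; no sector on the media is touched.
        self._mek = os.urandom(32)


def demo():
    drive = ModelSED()
    secret = b"constructed sample: account 0000-1111"
    for lba in range(1000):
        drive.write(lba, secret)
    before = drive.read(7)[:len(secret)]
    media_before = dict(drive.media)
    drive.instant_secure_erase()
    after = drive.read(7)[:len(secret)]
    return before == secret, after == secret, drive.media == media_before
```

`demo()` shows the property that matters for disposal: the stored bytes are identical before and after the erase, yet nothing readable comes back, and the cost of the erase does not depend on how many sectors were written.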

Different drive vendors approach supporting their SEDs in different ways. Seagate offers its SeaTools for Windows, which gives individual users ISE capability, as a free download. Each Momentus SED features a unique physical security identifier (PSID) on its label that works in conjunction with SeaTools, or users can simply scan the label’s barcode. The intent is to make wiping and drive disposal as quick and reliable as possible.

The U.S. government is reviewing ISE as a cryptographic erase process, and there are few self-encrypting SSDs and HDDs in the pipeline for FIPS 140-2 approval, the required certification for government-level drive encryption. Seagate currently has the only FIPS-validated hard drives on the market for both enterprise and laptop applications. In the meantime, industries are grappling with whether and how to let businesses provide “proof” of data encryption via hand-written logs or through third-party management application logs. Consider being a sole-proprietor contractor who encrypted your laptop’s data on an SED and implemented a password. How can you prove the password was implemented if the laptop is stolen? Such issues remain under heated discussion, but standards bodies and vendors remain committed to finding answers soon.