Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

Protecting Data-at-Rest with Next-Generation Encryption Technology: Making a difficult task look easy

By Joseph Belsanti, Vice President - Marketing, WinMagic Inc.

http://advice.cio.com/protecting_data_at_rest_with_next_generation_encryption_technology_making_a_difficult_task_look_easy?page=0%2C0

With Privacy Rights Clearinghouse(1) reporting over 251,164,141 instances of compromised data records since 2005, clearly today’s highly-portable computing environments not only increase productivity, but also make it extremely difficult to protect personal identifiable information and other sensitive data. The fact is that over half of corporate data resides on mobile endpoint devices in some sort of redundant or original format.

With more data residing on portable devices such as laptops and removable media (USB storage devices, CD/DVDs, etc.), unintentional and intentional security breaches are becoming commonplace. As a result, eliminating data theft and its damaging consequences is now a top priority for all organizations. But, how is this best accomplished?

Sector-by-sector, full-disk encryption is the recognized industry best practise and most effective method for protecting data-at-rest stored on hard drives and removable media. Unlike file encryption, it encrypts all stored data, including file names and associated metadata, rendering them “invisible” to unauthorized users.

Full-disk encryption has three main components: A pre-boot authentication methodology, with single- or multiple-factor authentication (password, USB token, smartcard, biometrics, PKI and/or TPM); an AES encryption engine; and a management server.

International privacy initiatives are helping drive the demand for strong user authentication. Government, finance, and healthcare sectors are increasingly utilizing multiple-factor authentication, consisting of combinations employing passwords, smartcards, USB tokens, biometrics, PKI and TPM right at pre-boot – often leveraging the same technology to make it simple for users to authenticate themselves for both physical and network access with a single device. This holistic approach to security is far easier for the user as only one device/password is required. As a result, organizations are increasingly looking for encryption software that is simple to integrate with authentication technology at pre-boot – making the encryption process transparent to the user.

Due to the increased demand for data security, AES encryption has reached a commoditization state, and is increasingly bundled within commercially-available operating systems and hardware. Today’s encryption software must also be able to seamlessly integrate with these technologies.

Without the third component, the management server, large enterprises would find it virtually impossible to configure, deploy and manage data-at-rest security for large numbers of users/user groups. In addition, it would be impossible to effectively mange the heterogeneality of the enterprise network with MAC encrypted computers, hardware-based encrypted hard drives and software-based encrypted hard drives. Ideally, the management of user groups can be synchronized with LDAP servers, such as MS Active Directory in order to shared encryption keys, eliminate passwords, and provide a more positive experience for the end user through seamless access to data for authorized users.

Additionally, management servers should enable organizations to label encryption keys in human readable text to make it easy to identify/access encrypted archive data stores over time, and also should provide central management and dynamic provisioning of encryption keys so that secure data access can be extended to clients/consultants.

As a result, organizations should look for a full-disk encryption solution that makes it simple to comply with all international privacy and security regulations by protecting all data-at-rest on endpoint devices, and removable media – without sacrificing administrator or end-user productivity.

The selected full-disk encryption software should not only provide a highly-secure AES encryption engine, but also the versatility and ease of use to enable organizations to tailor data protection to meet both security and productivity requirements. Whether bundled with hardware-based solutions, such as Seagate’s Momentus 5400 FDE.2 self-encrypting hard drive, or added as a stand-alone software security component, the encryption software should enable organizations to seamlessly integrate full-disk encryption with other technologies,

such as multiple-factor authentication, and also makes it simple to extend end-point security to include increasingly-popular removable media.

Widely dispersed computing environments have made it more difficult to protect data-at-rest. Successful encryption must be able to seamlessly integrate with existing applications, such as multiple-factor authentication, at pre-boot; must be able to centrally-manage multiple encryption schemas and their associated keys; and must be able to provide encryption for all data on all devices, including removable media. Thanks to innovative improvements in security, versatility and ease of use, next-generation encryption solutions now make this difficult task look easy.