Monday, 02/08/2010 4:07:48 PM
Mobile Security: A Surefire Laptop Encryption Strategy
http://www.enterprisemobiletoday.com/features/
By Laura Taylor

Enterprise Mobile Today.com

February 8, 2010


Mobile computing brings increased productivity to the enterprise, but it also opens up businesses to mobile security risks. One of the biggest problems mobile IT departments face is figuring out how to secure confidential information stored on laptops and netbooks. These mobile devices are often stolen or lost no matter how careful the owner, and it's safe to say that laptop theft and loss will continue to be an ongoing challenge for mobile device managers.

There are different security controls mobile IT can put in place to secure the private information on laptops, including personal firewalls, passwords, recovery software (e.g. LoJack for Laptops) and end-user "Rules of Behavior" explained in corporate policy. However, none of these security controls come close to providing the security that self-encrypting drives offer.

The hardware-based, self-encrypting drive solution is so effective that I'm fairly confident that this nascent market will become a huge trend and be widely adopted in the enterprise. Here I'll outline the reasons why this strategy is so sound -- and why software-based disk encryption is not -- and will also provide an overview of the top vendors in this sector. Finally, I'll also list the types of businesses and agencies that can benefit from this mobile security approach.

In 2008, according to a study done by the Ponemon Institute, 12,000 laptops were lost in U.S. airports each week. According to DatalossDB, 20 percent of all security incidents are due to stolen laptops. When a laptop is lost or stolen, obviously all of the information on it is at risk. In addition to the owner's personal data, national security secrets, patents, original source code and authoritative records can be exposed.

If losing the laptop and information were not bad enough, nothing is more embarrassing to an organization than having to make a public announcement about it. Government agencies and publicly traded companies are required by law to report such security incidents. Laptop encryption can help enterprises avoid security risks and the associated consequences, and there are two commonly practiced approaches -- software-based disk and hardware-based disk encryption.

Software- vs. Hardware-Based Full Disk Encryption
Software-based full disk encryption is not actually new. It's been around for a few years, and while it does appear to work, it has not been adopted on a large scale. Managing software-based full disk encryption at the enterprise level is cumbersome, which is one of the reasons that it has not been widely deployed. Many users refuse to use software-based encryption and disable it after it has been set up.

One reason that users disable it is because the performance for software-based encryption is sub-optimal. Disks that are encrypted by the software have much slower throughput than disks encrypted by the hardware.

The time it takes to perform the initial encryption for a software-based full disk encryption solution takes hours. In a recent analysis done by Trusted Strategies, one software-based full disk encryption product took almost 24 hours to encrypt a 500 GB drive. In this same lab test, the software-based full disk encryption product that worked the fastest took a little over three hours. For hardware-based full disk encryption, the encryption time is virtually instantaneous.

There are other performance issues, too, once the encryption is completed. With software-based full disk encryption, it takes approximately 17-18 seconds longer to boot a system. Yet with hardware-based full disk encryption, the additional boot time is only about 2 seconds longer.

Another problem with software-based full disk encryption is that for many software-based encryption products, the keys used to perform the encryption are stored in dynamic RAM. This means that there is the potential to access the keys, and thereby defeat the encryption mechanism, just as researchers at Princeton University proved with the cold-boot attack on encryption keys. With hardware-based full disk encryption, the encryption takes place in the ASIC and the encryption key never leaves the drive and is never launched into memory.

Systems using hardware-based full disk encryption use one password to authenticate before the master boot record is launched. Unless you can authenticate with the proper password, the data on the disk is completely inaccessible. For that reason, with hardware-based full disk encryption, the information on a lost or stolen laptop is completely secure.

Using full disk encryption enterprise management software, from vendors such as Wave Systems, the IT department can look up the configuration of a lost laptop. In this example, IT staff can then use the Wave Embassy Remote Admin Server (ERAS) to find out immediately if full disk encryption was deployed. If the laptop had full disk encryption deployed, it is not necessary to report the loss to authorities. All the IT department has to do is restore the user's files from backup onto a new laptop and the user is ready to go.

Once users are set up for hardware-based full disk encryption, most will not even know the difference, and none of them will be able to disable it. They will log in to their laptop using their password, and the encryption will work continually without any action needed from the user. If a user forgets his or her password, the IT admin team can use ERAS to obtain an emergency access recovery password. (If you have ever been a system administrator, you know that everything works better if the users have as little involvement as possible.)

Vendors to Watch
The vendor that is the leading innovator in full disk encryption is Seagate, which was founded in 1979, and first started shipping drives with hardware-based full disk encryption in March of 2007. Seagate's current market cap is 8.8 billion. Though Seagate's net income in 2009 came to a 3.8 billion loss, its most recent quarter (MRQ) showed a net income of 179 million and most financial analysts are predicting a positive outlook and bullish ratings for Seagate in the upcoming year. As of Jan. 15, Seagate was showing a 307 percent return on investment.

Vendors who will be challenging Seagate for a share of the market include Samsung, Hitachi, and Toshiba, all of whom have more recently started offering hardware-based, self-encrypting drives. Samsung offers a solid-state solution while Hitachi and Toshiba offer traditional, spinning, hardware-based self-encrypting drives. The Trusted Computing Group's (TCG) free, non-proprietary Storage Architecture Core Specification has enabled more hardware vendors to jump into the self-encrypting storage market.

All of Seagate's disks have to be managed by software drivers such as those made by Wave Systems. Wave Systems, headquartered in Lee, Massachusetts, was founded in 1988. Wave Systems specializes in management software for hardware security such as self-encrypting drives and Trusted Platform Modules. Their full disk encryption drivers for Seagate's disks that offer full disk encryption integrate with Active Directory and can be centrally managed.

While the encryption hardware in the self-encrypting drive is always on and cannot be turned off, mobile managers must set the security for accessing the drive. When you first get your new computer, you use the Wave EMBASSY Security Center to turn on the security settings, assign users and set the passwords required to access the self-encrypting drive. These functions are under the Manage tab of the Trusted Drive screen.

Once you have the self-encrypting drive initialized and configured, you have a secure vault for all the data you send to the drive, and you are actually logging onto the hardware that unlocks the drive and releases the data. You have one password that logs you into your computer, your drive, and your Windows session. Wave supports sleep mode, so you can slap the lid closed, and your drive will be locked. The drives use AES, but only Seagate's solution is FIPS 140-2 compliant. (There are other configuration options available through the EMBASSY Security Center, but those are outside the scope of this article.)

The Seagate and Wave Systems full disk encryption solution is currently being bundled together and sold by Dell. Self-encrypting drive volumes are seeing quarterly growth rates of 40-50 percent or more.

Who Needs Hardware-Based Full Disk Encryption?
If you don't want to worry about losing your company's sensitive information, a self-encrypting hard disk will put that worry to rest.

Hardware-based, full disk encryption is ideal for the following uses:

Federal agencies subject to OMB Memo M-06-16
Healthcare providers employing telehealth or telemedicine that have private patient information on laptops
Intelligence agencies with classified information
E-mortgage financial institutions that have eNotes on laptops
Anyone with credit card or bank account information on their laptop
People with company patent or proprietary secrets on their laptops
Consultants who work with sensitive customer information
DoD agencies with National Security Information on laptops
Organizations subject to compliance with Gramm-Leach-Bliley
Organizations subject to PCI compliance
Organizations subject to the Basel II regulation
Organizations subject to HSPD-12 and HIPAA

While still a nascent market, the hardware-based self-encrypting drive market will likely prove to have more impact on mobile security in the years to come than any other technology.