Small-to-medium businesses (SMBs) are facing many of the same security challenges that large corporations face. In fact, regardless of size, all companies are required to adhere to new laws mandating better protection for sensitive or confidential data. But, with small security budgets, a shortage of dedicated IT resources and limited experience with encryption technology, SMBs are less likely to take the necessary steps to protect against data breaches. Many SMBs feel that they are unattractive to thieves, when in fact criminals often target them with ‘smash and grab’ theft because they are easier to penetrate than large businesses.
These obstacles may have prevented SMBs from adopting or implementing new security technologies in the past. However, recent developments in disk encryption have made comprehensive data security both affordable and easy. Self-encrypting drives (SEDs) remove the complexity and high cost of obtaining and managing encryption technology, which virtually eliminates the risk of damaging data breaches.
So, why is now a good time for SMBs to invest in SED technology?
1. IT WILL SAVE THEM TIME AND MONEY WITH DRIVE RETIREMENT AND DISPOSAL
Since the vast majority of retired drives contain sensitive data, companies should either remove the data or completely destroy the drive before it leaves the organization for repair, reuse, or retirement. But many organizations either fail to understand the risks of leaving data on drives and take no action to remove it, or mistakenly believe the data has been safely deleted when in fact it can still be recovered.
There are currently four approaches to retiring and disposing of hard drives, each with advantages and disadvantages:
- Destruction: Physical destruction is typically done by shredding the entire drive or the drive’s platters. At a minimum, the platters must be badly warped or distorted, rendering the drive and its components inoperable. This can generally be achieved by drilling the drive in several locations perpendicular to the platters and penetrating completely through from top to bottom. Hammering or crushing is equally effective but more labor intensive. Simply destroying the logic section of the drive without damaging the platters is insufficient and not recommended.
- Degaussing: Degaussing to erase the magnetic media on the drive requires specialized equipment designed and approved for the type of media being purged. Industrial degaussers rated for hard disks are very expensive. Further, their duty cycle is relatively short, making them questionable for deleting large numbers of drives in a short time. Drives that are degaussed will generally be unusable.
- Overwriting: Overwriting a hard drive requires a software program that writes a combination of 0s and 1s over each location on the hard drive multiple times. This process obscures the previous information under multiple layers of magnetic flux, rendering the data unreadable. According to the Department of Defense, functional drives should be overwritten three times prior to disposal or reuse.
  Overwriting software costs between $50 for a single license up to $2,000 for professional versions. This is a less expensive alternative to degaussing or destroying a hard drive. Plus, overwriting does not destroy the drive, so the device may be reused.
  However, overwriting is very time-intensive and may not work if the drive has an error. Because overwriting tools repeatedly write data to every track, erasing a disk in this manner can take hours to days depending on the number of passes performed, the size of the drive, and the speed of the system. In the end, the amount of time that overwriting takes may offset the cost savings for many organizations.
- Instant Secure Erase: Instant Secure Erase on SEDs is the newest method of rendering hard drive data unreadable via a cryptographic erase of the data encryption key. This method is very effective, instant, and simple to administer. It works by first encrypting all data as it is written to disk. The only way to read or obtain data protected in this manner is to use a valid encryption key. Instant Secure Erase will render all data on the SED unreadable when the encryption key is destroyed.
Instant Secure Erase has many advantages for retiring or reusing hard drives as compared to the alternatives. First, it is instantaneous. A command can be issued by an administrator to instantly destroy the encryption key, making all the data immediately unrecoverable. Also, Instant Secure Erase can be performed remotely. There is no need to gather retired equipment into a secure location while awaiting erasure.
Instant Secure Erase with SEDs is also a very cost-effective solution. It allows reuse of drives and eliminates the expense and time required to destroy, degauss, or overwrite, and the cost of SEDs is only an incremental amount over non-SED hard drives. This marginal cost of SEDs more than compensates for the time spent retiring drives and the cost of a potential data breach.
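The Instant Secure Erase mechanism described above, modelled as an added example (it is not LSI or Seagate code). `ToySED` and its methods are hypothetical names, and a SHA-256 keystream stands in for the drive's hardware encryption engine, so the block illustrates the key-destruction logic only and is not a usable cipher.

```python
import hashlib
import os

SECTOR = 512  # bytes per sector in this model


class ToySED:
    """Hypothetical model of a self-encrypting drive: media holds ciphertext only."""

    def __init__(self, sectors):
        self._dek = os.urandom(32)              # data encryption key, kept inside the drive
        self.media = [bytes(SECTOR)] * sectors  # what imaging the raw media would return
        self.media_writes = 0                   # sector writes performed so far

    def _keystream(self, lba):
        # Stand-in for the hardware engine: SHA-256 blocks keyed by the DEK and sector number.
        return b"".join(
            hashlib.sha256(self._dek + lba.to_bytes(8, "big") + bytes([i])).digest()
            for i in range(SECTOR // 32)
        )

    def _xor(self, lba, data):
        return bytes(a ^ b for a, b in zip(data, self._keystream(lba)))

    def write(self, lba, plaintext):
        # Every write is encrypted on the way to the media; the host never sees this step.
        self.media[lba] = self._xor(lba, plaintext.ljust(SECTOR, b"\0"))
        self.media_writes += 1

    def read(self, lba):
        return self._xor(lba, self.media[lba])

    def instant_secure_erase(self):
        # Destroy the old key by replacing it. No sector is rewritten, so the cost
        # does not grow with drive capacity, unlike a multi-pass overwrite.
        self._dek = os.urandom(32)


def demo():
    drive = ToySED(sectors=64)
    record = b"constructed sample: customer card record"  # constructed test data
    drive.write(7, record)
    readable_before = drive.read(7).rstrip(b"\0") == record
    raw, writes = drive.media[7], drive.media_writes
    drive.instant_secure_erase()
    return {
        "readable_before": readable_before,
        "plaintext_on_media": record in raw,
        "media_untouched_by_erase": drive.media[7] == raw and drive.media_writes == writes,
        "readable_after": record in drive.read(7),
    }
```

The same ciphertext is still on the media after the erase, which is why the operation is instant: only the key changes, and without it the stored bytes cannot be turned back into the record.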
2. SEDs ARE ONE OF THE EASIEST AND MOST COST-EFFECTIVE SECURITY MEASURES SMBs CAN IMPLEMENT
Data encryption technologies separate into three classes: host-based, appliance-based, and SED-based. All of them have their benefits and drawbacks, but encryption using SEDs is an easy, secure, and affordable method of protecting critical data:
Host-based Software Encryption is implemented using software. In some cases, businesses may already be using software that has encryption capabilities. The benefits of software encryption are that it is affordable and may already be included in software that companies are using.
However, it has major drawbacks. The most obvious is related to performance. Because host-based encryption uses the host CPU, processor cycles are taken away from other host-based applications. This puts a major drain on system performance, which leads businesses to encrypt only a small percentage of sensitive data. This requires data classification, which is time-consuming and error-prone. What’s more, it leaves data unencrypted, which makes businesses more vulnerable to data theft or software attacks.
Host-based encryption also raises concerns for manageability. SMBs that do not have dedicated security or IT resources will struggle encrypting large amounts of data. Since host-based solutions are system-dependent, they will require regular updates. For example, if the operating system is patched, the encryption software may need to be updated. Lacking rigorous maintenance practices, encrypted data and keys are vulnerable to unauthorized access.
Appliance-based encryption is accomplished by inserting an encryption appliance into an existing network or infrastructure. Appliance-based encryption overcomes many of the shortcomings of host-based encryption but still has many drawbacks when compared to using SEDs.
While host-based encryption uses CPU cycles to secure data, appliance-based solutions use microprocessor-based hardware systems fully dedicated to encryption. This eliminates the performance degradation issue. Another benefit of an encryption appliance is its ability to protect data in transit and at rest since all data passing through the appliance is encrypted at that point.
However, encryption appliances can cost tens of thousands of dollars. And as an SMB's storage requirements grow, it will need to purchase additional encryption appliances, which complicates management of data encryption, requiring SMBs to contract with a consultant or hire an expert full time. This approach is therefore financially impractical for many SMBs.
SED-based Encryption has revolutionized security by encrypting every piece of data on the drive itself. Thus costly data classification is avoided. Unlike other encryption methods, SEDs offer affordable data security with no impact on performance. The SED’s hardware encryption engine, which resides in the drive, matches the drive port’s maximum speed and encrypts all data with no performance degradation. This performance scales linearly and automatically with each drive added to the system.
And, while appliance-based encryption requires an additional investment each time storage volumes grow, SEDs can be added with only a small, incremental cost over the hard drives that the SMB is already buying for additional storage. It requires no other expense.
Some other benefits of SED-based encryption are manageability and interoperability. SED encryption is automatic and transparent, which eliminates many of the costs associated with other forms of encryption, including complicated installations and changes to the system, software, or applications. And for additional ease-of-use and familiarity, SEDs appear just like any other hard drive when viewed with management software such as LSI SafeStore™ Encryption Services.
3. THE PRICE IS RIGHT
Investing in SEDs can save businesses up to millions of dollars by protecting against a data breach. And with incremental solution costs approximately 10% higher than comparable non-SED hard drive options, even one-man IT operations can afford this powerful security technology.
With host-based encryption options, companies will incur costs for the additional storage required to hold uncompressed data and compensate for diminishing performance. Similarly, appliance-based encryption can be very expensive. As storage requirements grow, so does the need for additional encryption appliances to support a growing infrastructure.
In addition to the upfront software and hardware costs of host- and appliance-based encryption, there are also the overhead costs associated with classifying, monitoring and maintaining the data. Since SEDs encrypt every bit of data on the drive, there is no additional expense required for classification, maintenance, etc. Also, SEDs make drive retirement and disposal easy by eliminating the need for manual data destruction processes which can be expensive, complex and prone to error. In the end, the incremental cost of SEDs is offset by the savings realized by avoiding these costly alternatives.
For more information on SED technology, please visit http://www.lsi.com/DistributionSystem/AssetDocument/LSI-Seagate_SED-SafeStore_LSI_110609.pdf and http://www.lsi.com/channel/support/marketing_resources/index.html