SEAhawk and Self Encrypting Drives (SED) Whitepaper

Similar documents
Product Brief. Circles of Trust.

Trusted Computing As a Solution!

Self-encrypting drives (SED): helping prevent data loss, theft, and misplacement

The Intel SSD Pro 2500 Series Guide for Microsoft edrive* Activation

Challenges Managing Self-Encrypting NAND Flash Devices

HDD Based Full Disc Encryption

Disk Encryption Buyers Guide

Trusted Computing Today: Benefits and Solutions

Make security part of your client systems refresh

Table of Contents. Table of Figures. 2 Wave Systems Corp. Client User Guide

Why Implement Endpoint Encryption?

Choosing a Full Disk Encryption solution. A simple first step in preparing your business for GDPR

A Guide to Managing Microsoft BitLocker in the Enterprise

Mobile Data Security Essentials for Your Changing, Growing Workforce

Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

In today s business environment, data creates value so it s more important than ever to protect it as a vital business asset

Seagate Secure TCG Enterprise and TCG Opal SSC Self-Encrypting Drive Common Criteria Configuration Guide

How Secured2 Uses Beyond Encryption Security to Protect Your Data

A practical guide to IT security

Data Security Features for SSDs

DELL EMC DATA DOMAIN ENCRYPTION

Storage as an IoT Device Roundtable Walt Hubis, CISSP Tom Coughlin

Single Secure Credential to Access Facilities and IT Resources

The Lord of the Keys How two-part seed records solve all safety concerns regarding two-factor authentication

NexentaStor 5.1 Data-At-Rest Encryption With Self-Encrypting Drive Reference Architectures Configuration QuickStart

WHITEPAPER E-SERIES ENCRYPTION

SECURITY PRACTICES OVERVIEW

SECURE DATA EXCHANGE

BitLocker Encryption for non-tpm laptops

CISCO SHIELDED OPTICAL NETWORKING

SECURITY AND DATA REDUNDANCY. A White Paper

Short Public Report. 2. Manufacturer or vendor of the IT product / Provider of the IT-based service:

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

How to Build a Culture of Security

IBM System Storage Data Protection and Security Chen Chee Khye ATS Storage

ATA DRIVEN GLOBAL VISION CLOUD PLATFORM STRATEG N POWERFUL RELEVANT PERFORMANCE SOLUTION CLO IRTUAL BIG DATA SOLUTION ROI FLEXIBLE DATA DRIVEN V

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

ARM Security Solutions and Numonyx Authenticated Flash

Trusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN

Complete document security

Global security intelligence. YoUR DAtA UnDeR siege: DeFenD it with encryption. #enterprisesec kaspersky.com/enterprise

Virtual Machine Encryption Security & Compliance in the Cloud

Who s Protecting Your Keys? August 2018

SECURING DEVICES IN THE INTERNET OF THINGS

Five Reasons It s Time For Secure Single Sign-On

Mobile Devices prioritize User Experience

White paper: Agentless Backup is Not a Myth. Agentless Backup is Not a Myth

Using SimplySecure to Deploy, Enforce & Manage BitLocker

Enhancing Virtual Environments

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

Securing Office 365 with MobileIron

User Guide. IronKey Workspace Models: W700 Updated: September 2013 IRONKEY WORKSPACE W700 USER GUIDE

Designing Secure Storage for the Cloud Jesus Molina Fujitsu Laboratories of America

Mobility, Security Concerns, and Avoidance

Guide. A small business guide to data storage and backup

CYBERSECURITY RISK LOWERING CHECKLIST

Integrating Password Management with Enterprise Single Sign-On

A HOLISTIC APPROACH TO IDENTITY AND AUTHENTICATION. Establish Create Use Manage

Modern two-factor authentication: Easy. Affordable. Secure.

FDE itc: Encryption Engine (EE) cpp Functional and Assurance Requirements

Rethinking VDI: The Role of Client-Hosted Virtual Desktops. White Paper Virtual Computer, Inc. All Rights Reserved.

Copyright 2013

SecureDoc: Making BitLocker simple, smart and secure for you. Your guide to encryption success

May 2016 If you have questions regarding a particular customer situation, please reach out to DL-SYMC- Encryption-Ask-PM for guidance.

Security context. Technology. Solution highlights

Storage Security Best Practices Martin Borrett, Lead Security Architect NE Europe, WW Tivoli Tiger Team IBM Corporation

Security Enhancements

Evolved Backup and Recovery for the Enterprise

Implementing Disk Encryption on System x Servers with IBM Security Key Lifecycle Manager Solution Guide

SECURING DEVICES IN THE INTERNET OF THINGS

Security Challenges: Integrating Apple Computers into Windows Environments

Integrated Access Management Solutions. Access Televentures

Data Protection and Synchronization for Desktop and Laptop Users VERITAS BACKUP EXEC 9.1 FOR WINDOWS SERVERS DESKTOP AND LAPTOP OPTION

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

Enhancing Virtual Environments

Mitigating Risks with Cloud Computing Dan Reis

FIVE REASONS IT S TIME FOR FEDERATED SINGLE SIGN-ON

iphone Encryption, Apple, and The Feds David darthnull.org

Securing Devices in the Internet of Things

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

Kaspersky Small Office Security 5. Product presentation

Cipherchain-e kit with Single CipherChain-e

System Security Features

Cloud Communications for Healthcare

Trusted Computing Group

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

Network Security Protection Alternatives for the Cloud

MigrationWiz Security Overview

ENTERPRISE PASSWORD RESET. ReACT. So your Help Desk doesn t have to.

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

CipherChain Kit on SCSI-1 or PCI bracket

Certified Information Systems Auditor (CISA)

Single-Tenant vs. Multi-Tenant Enterprise Software

Advances in Storage Security Standards

Endpoint Protection with DigitalPersona Pro

KuppingerCole Whitepaper. by Dave Kearns February 2013

HIPAA Compliance Checklist

Transcription:

Suite 301, 100 Front Street East, Toronto, Ontario, M5A 1E1 SEAhawk and Self Encrypting Drives (SED) Whitepaper This paper discusses the technology behind Self-Encrypting Drives (SEDs) and how Cryptomill SEAhawk makes use of the drives features to provide a highly secure data-at-rest protection offering.

Introduction With high-profile data breaches making headlines regularly, organizations are carefully evaluating their options for protecting mobile data. For years, software full disk encryption, (FDE), has been the preferred means of addressing this threat. But widespread adoption has been hampered by the complexity and cost surrounding these software-based FDE deployments. Self Encrypting Drives (SEDs) Many new generation laptops are now carrying Self Encrypting Drives. A Self-Encrypting Drive (SED), is a Hard Disk Drive (HDD) 100% compatible with the SATA specifications which can be accommodated in lieu of a regular HDD on any computer. These drives offer hardware-based data security by encrypting any and all the data that is written to the disk. Unlike typical hard drives, SEDs have built-in encryption that scrambles all stored data so it is completely unreadable to all unauthorized persons or devices, by default. The encryption is internal to the disk, transparent and automatic. There is no way to turn it off. The SED will encrypt all data that it receives. The growing presence of SEDs in the data protection market can be attributed to several drivers including: Federal regulations increasingly require public disclosure in the event personally identifiable information has been mishandled; Storage technology is getting faster Growing awareness from IT that costs related to encryption encompass more than simply licenses; there s significant expense related to management and integration, as well as the cost of acquisition. With SEDs, the encryption keys are generated in the drive itself and access control/ authorization also takes place in the drive. The drive-embedded encryption executes below the partition table and below the file system. Hardware-based self-encrypting drive technology enables always embedded key management, which, when managed properly, does not expose the encryption key outside the drive hardware. This protected key management effectively creates multi-factor security for drive data. To access the data, both access credentials and the original drive hardware are required (i.e., something you know and something you own). In contrast, software-encrypted partitions can be copied and attacked offline (this becomes even easier if the keys are centrally stored and accessible through insider attack) Today almost all hard drive vendors have developed their own versions of Self Encrypting Drives, spurred by the passage of a single industry standard, Opal, published by the Trusted Computing Group in January 2009. Currently, Seagate, Hitachi, Toshiba and Samsung are offering OPAL-compliant SEDs. Management of Self-Encrypted Drives By default the drive doesn t have any authentication turned on and will initially look and feel like a regular HDD, with all security turned off. The drive still encrypts everything that it stores, but all authentication is disabled. A software component needs to take ownership of the drive and enable the authentication, a process we call activation.

Once the drive is activated, all the data present on that drive will become protected by two ways: 1. The encryption key used internally by the drive will be unknown even to the drive until the user authenticates and CryptoMill s SEAhawk software unlocks the drive. 2. The drive itself will block access to the encrypted data (cypher text) until the user authenticates. In contrast to the SED management software, a Software FDE solution does not rely on the drive capabilities to achieve protection. It is fundamentally different in both approach and implementation compared to a Hardware-based solution like SED. Using a Software-based solution in conjunction with an SED drive negates all advantages that come from using an SED. The drive would then be used simply as storage and none of its security features would be leveraged. CryptoMill s data security software SEAhawk initiates encryption on these SEDs and allows for organisations to centrally manage data protection. SEAhawk and its SED management capabilities CryptoMill Technologies manages the SEDs through its SEAhawk software, which enables easy provisioning and secure configuration by organizations. Encryption and decryption are instant, automatic and seamless. Because it is hardware-based, the security of the encryption is stronger and there is no performance degradation. SEAhawk SED capabilities are: Authentication Single sign-on Multi-user support Logging and reporting Secure Erase Access recovery CryptoMill SEAhawk for SEDs is a client application that activates embedded security features of SED drives providing authentication to protect the entire content of the drive including the Windows operating system. It also enables the secure erase feature that allows for fast and safe retirement or disposal of machines and drives. SEAhawk also supports single sign-on to Windows, providing a simple, easy and elegant user experience. Integration with Windows authentication allows the drive access policies to be automatically updated with Windows, ensuring compliance to company password policies. Protecting critical information through robust, end-to-end security will allow organizations to provide credible assurances, achieve new efficiencies, earn the confidence of regulators and customers, and maintain leadership that supports their brand. CryptoMill SEAhawk provides just that.

Benefits of SEDs SED drives provide extremely important benefits. SEAhawk SED management facilitates all these SED benefits to an organisation. 1. Superior performance All the encryption and decryption is done in line with the data fetching within the drive itself. Most of these drives utilize a specialized chip that implements an extremely fast and low power AES engine. Data throughput is not limited by the speed of the cryptographic operations and the main CPU is never used for encryption. We have not found any performance differences between a regular HDD and an SED. 2. Superior security The actual encryption keys never leave the drive enclosure so the protected machine is immune to evil maid and cold boot attacks. 3. Instant activation With the Software FDE one would typically have to wait for 3-36 hours while the computer would go through all the existing data on the HDD and encrypt it on the fly. This process is slow and in order to prevent any data loss (e.g. in the event of power failure) there is a lot of redundant disk I/O going on. In contrast, SED drives are already encrypted from the factory. All that is needed is to turn on the authentication. There is no need to re-encrypt. Therefore activating the protection takes seconds. 4. Instant deactivation The authentication can just as quickly be deactivated when needed (given proper authorization). This is important in some situations where the security has to be immediately disabled to perform maintenance on the Operating System in case it is suffering from boot failure or data corruption. After the maintenance task, reactivation is also fast. With Software FDE the process of decrypting the disk, fixing the issue and reencrypting the disk could take days to complete. 5. Instant secure erase To prevent data leakage and to ensure conformity with corporate governance practices, IT must have a means of effectively wiping sensitive data from a machine. With an always embedded key architecture, data can be cryptographically erased just by destroying the key.by sending a command to the drive to destroy its key, all content of the drive becomes undecipherable, random data. This process is extremely fast as the key data is relatively small. 6. Clean Windows boot environment With SED you don t need custom boot loaders or custom filters loaded during Windows start-up. No INT13 filters are required either. This allows for easy repair operations even on an encrypted and activated SED, something that is impossible with Software FDE.

7. Auto-locking The drive will automatically revert to the locked state once it loses power, like on shutdown, without any other input. The event of losing power is the terminal point of the encryption key life-cycle. Benefits of SEAhawk Compliance SEAhawk comes with extensive logging and reporting which ensures compliance, especially in the case of suspected lost or stolen laptops Simple Deployment and Management With automatic enrollment, and instant SED activation, you are protection right away. SEAhawk keeps management to the bare minimum to get you working as fast as possible. Multi-user support, single sign-on Cryptomill SEAhawk supports up to 13 independent users on each machine equipped with an SED drive. Each user has their own password and has the option of signing on directly to their Windows desktop through single sign-on. Painless access recovery for enterprises Cryptomill SEAhawk provides three ways of unlocking the SED without knowing the user credentials: Personal recovery Help Desk recovery Admin Login Low Total Cost of Ownership No key servers Centralized recovery Admin Login for IT convenience Instant activation Secure erase How does Hardware FDE compare to Software FDE? Built-in Dedicated CPU Hardware - Encryption operations are performed by the hard drive itself, preventing performance loss Software - Encryption operations are performed by the main processor, causing performance loss The Best Security

Hardware - Encryption keys are locked securely within the drive and are never released to main memory at any time Software - Keys are stored in computer memory. This is vulnerable to attacks like Cold-boot and Evil Maid Activation is Instant Hardware - Encryption is always on, making activation instantaneous Software - After installation, the hot encryption operation can take hours or days. No Performance Impact Hardware - 0% to 1% Software - 20% to 25% Contact Information For more information please contact us: info@cryptomill.com 416-241-4333 ext 101

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback