October 23, 2007 11:22 AM PDT

Hardware-based encryption will win in the laptop market

by Jon Oltsik

Last week, McAfee bought SafeBoot, while Check Point Software Technologies grabbed PointSec a few months back. Why are we seeing a PC-encryption shopping spree? Because large organizations are no longer willing to gamble with lost or stolen laptops. For $200 or less, I can encrypt each laptop that goes out the door. This seems like a better use of money than coughing up $250 million of unanticipated CYA spending as the result of a data breach.

So here's the problem with this scenario and software-based encryption. Software utilities are about to hit a wall called Moore's Law. Cryptographic processing is getting cheaper and cheaper, and to maximize system performance it is always better to off-load encryption operations than to delegate them to the system CPU.

I recently witnessed a test between hardware- and software-based encryption that leaves no doubt about this physical fact. Software-based encryption required about 20 to 30 percent CPU utilization for cryptographic operations. CPU utilization using a Seagate encrypting hard drive was zero percent. What about overall system latency? The hardware introduces almost none; you are talking microseconds.

In the next few years, laptops will come with encrypting hard drives as standard equipment. At first, these systems will carry a minimal price premium but ultimately the delta will diminish. Since software encryption isn't free either, IT managers will have to choose between a "no fuss" encrypting hard drive and software licenses, installation, maintenance and costs as well as up to 30 percent CPU overhead on each device.

This is a no-brainer to me.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
Hardware full disk encryption is easier to prove
by skswave October 23, 2007 1:22 PM PDT
Another key benefit for hardware full disk encryption is that it is easier to prove it was in place if a machine is lost. Due to the fact that the control of the encryption is in the drive and that the drive can be managed by a central server, it is possible to have a complete transaction log for a specific drive from the day it is enabled to the day the drive encryption key is deleted. Software full disk encryption is running within Windows and is open to a greater array of weaknesses. When a server manages the secure drive, local administration can be disabled, ensuring that the current state of the drive is always known by the server. This is critically important because proving a lost machine was encrypted is how a corporation can avoid the embarrassment of telling the world they lost everyone's data.

So the key is to make sure that every new laptop is purchased with a Seagate FDE drive.

Steven Sprague
CEO
Wave Systems Corp.
providing the tools to manage TPMs and Trusted Drives
Maybe how the encryption's performed is not the key point?
by Rock_Pool October 26, 2007 12:38 PM PDT
While it's true that for you and me as individuals unmanaged hardware encrypted drives may be a simpler and free solution, is that really the case for the average enterprise managing thousands, or tens of thousands of devices possibly in many countries?

At the moment (though this may change over time) encrypted disks are unmanaged (unless you buy additional software from people such as Wave), and authentication to them is little more than a BIOS password.

Most software products which do the same thing can work in dozens of languages and support hundreds, or in one case tens of thousands of users with complex passwords and even token-based logons all at the same time, and will synchronize these credentials across tens, hundreds or thousands of PCs.

It may take some time until the drives you buy from vendors such as Seagate can handle this kind of sophistication out of the box, but then again, do you and I really need that?

For the enterprise market, expect to see very valuable encryption management software start taking responsibility for these great (but management limited) hardware systems, but I don't think you'll see Seagate providing enterprise class encryption management for their drives free any time soon - that would be way outside their core business.

What's more interesting than the encrypted drive discussion, is the Intel Danbury proposal that will move encryption of storage into the chipset - why be constrained by one drive manufacturer when you can buy a motherboard which will transparently encrypt any drive regardless of maker or capabilities? Will there be a role for Seagate if Intel (and probably AMD in the future) provide chipset storage encryption? Maybe it's the purchase of encrypted disks which we should be skeptical about, not the enterprise management of encryption and authentication.
by tigereye7 June 8, 2008 11:09 AM PDT
Well done article. Hardware-based encryption also opens the doors for more effective multi-factor authentication methods. Some manufacturers are even putting the encryption into an external hardware device (like these guys). With more and more regulations requiring multi-factor authentication in addition to encryption, I think we'll see more and more of this.
by tigereye7 June 8, 2008 11:13 AM PDT
(http://www.goldkey.name)