Self-encrypting data center drives
- By William Jackson
- Apr 09, 2008
SAN FRANCISCO - Seagate Technology LLC, of Scotts Valley, Calif., has announced plans for a new line of self-encrypting drives that could help secure critical information through the life cycle of the data-center hardware on which it resides.
Seagate unveiled the plans at this week's RSA Security conference.
"A lot of effort is made to ensure that data stays on drives for years," said Gianna DaGiau, the company's senior product marketing manager.
But that persistence can create vulnerabilities when a drive leaves its protected environment. "Every single one of the drives eventually leaves the data center" when it reaches the end of its life, if not before, DaGiau said. Effectively overwriting or magnetically erasing the data to completely eliminate it can be time-consuming. A study by IBM Corp. found that 90 percent of drives returned to the manufacturer contained readable data.
The feature planned for Seagate drives encrypts all data written to the drive with 128-bit Advanced Encryption Standard (AES) encryption in the drive's own hardware, so the bits on the platters are never in the clear. When the drive is removed or shut down it locks, and nothing on it can be read until an authorized host authenticates to it again. "The minute that drive loses power, it is encrypted," DaGiau said.
Similar functionality for notebook, desktop and USB drives was announced earlier and is close to shipping. The self-encrypting data-center drive is expected to be available late this year.
The feature is a response in part to state data breach notification laws that require organizations to notify individuals if their personally identifiable information is leaked or exposed. Many of the laws have a safe-harbor provision for encrypted data. The Payment Card Industry standards, a major driver for digital security in commercial and government environments, also require encryption.
"There is a lot of motivation for looking at encryption," DaGiau said. Most organizations have physical security for their data centers and manual processes for ensuring that data does not travel with the drives, but experience has shown that those processes can often fail. "We're getting rid of that weak link. There is no thinking involved."
The feature will be included as an option on 15,000 RPM models of Seagate's Cheetah family of 3.5-inch drives for server and storage applications.
The data encryption key is generated on the drive during manufacturing. The customer can replace it, but it never leaves the drive, which keeps key management overhead low. The drive will not decrypt data for the host until the host authenticates with a separate, randomly generated 32-byte authentication key; without that credential the drive returns nothing but ciphertext.
DaGiau said the government is adapting its standards to accept the deletion of a strong encryption key as effectively destroying some classes of data. The system has not yet been submitted for validation under the Federal Information Processing Standard 140-2, which is required for government use of cryptographic modules.
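The key handling described in the two paragraphs above (a media key generated on the drive and never exported, a 32-byte authentication key the host must present before the drive decrypts anything, locking on power loss, and deletion of the key as destruction of the data) is easier to reason about as a model. The following Python is an added example written for this page, not Seagate firmware or any Seagate API: the class and method names and the factory default credential are assumptions, and an HMAC-SHA256 counter-mode keystream stands in for the drive's hardware AES-128 so it runs on the standard library alone.

```python
import hashlib
import hmac
import os

SECTOR = 512   # bytes per sector in this model
AK_LEN = 32    # the 32-byte authentication key from the article
MEK_LEN = 16   # 128-bit media encryption key, matching the drive's AES-128


def _prf_stream(key: bytes, label: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; stands in for the drive's hardware AES-128."""
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(key, label + block.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DriveLocked(Exception):
    """A read or write arrived while no authenticated session exists."""


class SelfEncryptingDrive:
    """Model of the article's key hierarchy (class and method names are assumed).

    Non-volatile: the media encryption key (MEK), generated on the drive and stored
    only wrapped under a key derived from the authentication key (AK), plus a
    verifier for the AK. Volatile: the unwrapped MEK, present only while the drive
    is powered and the host has authenticated.
    """

    def __init__(self, sectors: int = 8):
        # Factory credential (assumption: like a default printed on the drive label).
        self.default_ak = os.urandom(AK_LEN)
        mek = os.urandom(MEK_LEN)                  # created on the drive, never exported
        self._wrapped_mek = self._wrap(mek, self.default_ak)
        self._ak_verifier = self._verifier(self.default_ak)
        self._media = [bytes(SECTOR)] * sectors    # ciphertext as it sits on the platters
        self._session_mek = None                   # dropped whenever power is lost

    @staticmethod
    def _kek(ak: bytes) -> bytes:
        return hashlib.sha256(b"sed-wrap-key:" + ak).digest()

    @staticmethod
    def _verifier(ak: bytes) -> bytes:
        return hashlib.sha256(b"sed-verifier:" + ak).digest()

    def _wrap(self, mek: bytes, ak: bytes) -> bytes:
        # XOR with one PRF block under the AK-derived key; unwrapping is the same operation.
        return _xor(mek, _prf_stream(self._kek(ak), b"wrap", MEK_LEN))

    def unlock(self, ak: bytes) -> bool:
        """Authenticate the host; on success the MEK is unwrapped into volatile state."""
        if len(ak) != AK_LEN or not hmac.compare_digest(self._verifier(ak), self._ak_verifier):
            return False
        self._session_mek = self._wrap(self._wrapped_mek, ak)
        return True

    def power_cycle(self) -> None:
        """Losing power drops the unwrapped MEK: every sector is ciphertext again."""
        self._session_mek = None

    def change_authentication_key(self, old_ak: bytes, new_ak: bytes) -> None:
        """Re-wrap the same MEK under a new AK; existing data stays readable."""
        if len(new_ak) != AK_LEN or not self.unlock(old_ak):
            raise PermissionError("authentication failed")
        self._wrapped_mek = self._wrap(self._session_mek, new_ak)
        self._ak_verifier = self._verifier(new_ak)

    def crypto_erase(self, ak: bytes) -> None:
        """Replace the MEK: old ciphertext stays on the platters, but no key for it exists."""
        if not self.unlock(ak):
            raise PermissionError("authentication failed")
        self._session_mek = os.urandom(MEK_LEN)
        self._wrapped_mek = self._wrap(self._session_mek, ak)

    def _sector_stream(self, lba: int) -> bytes:
        # Per-sector keystream (a real drive uses a block mode, so sector rewrites
        # do not leak the XOR of plaintexts the way this stream model would).
        if self._session_mek is None:
            raise DriveLocked(lba)
        return _prf_stream(self._session_mek, b"lba" + lba.to_bytes(8, "big"), SECTOR)

    def write(self, lba: int, data: bytes) -> None:
        self._media[lba] = _xor(data.ljust(SECTOR, b"\0")[:SECTOR], self._sector_stream(lba))

    def read(self, lba: int) -> bytes:
        return _xor(self._media[lba], self._sector_stream(lba))

    def raw_sector(self, lba: int) -> bytes:
        """What an imaging tool sees when the platters are read around the controller."""
        return self._media[lba]
```

Walk a drive through its life with this model: take ownership with `change_authentication_key(drive.default_ak, owner_ak)`, write a record, and compare `read()` with `raw_sector()`; the platter bytes carry no trace of the record, which is the gap between this design and the IBM figure quoted earlier. After `power_cycle()` every access raises `DriveLocked` until the 32-byte key is presented again, and `crypto_erase()` leaves the old ciphertext in place while making it permanently unreadable, which is the property the government standards DaGiau mentions are being adapted to recognize.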
"The process of certification takes longer" than the product development cycle, DaGiau said, adding that the National Security Agency is interested in the product and is helping shepherd it through the certification process.
William Jackson is a Maryland-based freelance writer.