By William Van Winkle
 
 
Chipset and CPU

In the early 1990s, Pretty Good Privacy (PGP) became an Internet wonder for those who wanted to keep their email encrypted. The problem was that integrating it required command line knowledge, and proper use was beyond the patience of most mainstream users. As such, encryption got off to a rocky start in the workplace, and it was saddled with the stigma of being too complex for ordinary use. One can't help wondering how much of this stigma and how many flawed preconceptions still pervade the industry at all levels today.

This Time, It's Personal

With the profusion of sensitive data being toted about on personal notebooks, Seagate's (re)release of the Momentus FDE line should give resellers an unfair advantage among security-minded clients.

"There was a survey done called the Ponemon Institute's 2005 National Encryption Survey," says Joni Clark, product marketing manager for Seagate's notebook product line, "partly in response to all these companies sending out letters to their clients having to explain that their security was breached and the clients' personal information may have been compromised. Here's the crazy thing: Upon getting those letters, 20% of those clients said, ‘Forget it, I'm not doing business with you.’ They just went away. Forty percent were considering terminating the relationship because they were no longer sure if they could trust the company. And 5% were considering legal action and wanted to sue. On average, these folks said they lost about $14 million because of the data breach. So the next survey question was: ‘Why the heck didn't you encrypt?’ Sixty-nine percent said because it would have slowed down their performance. Forty-four percent said it was too complicated. Twenty-five percent said it was too expensive."

You could make a list of the fallacies here, right? Just in the example of VIA's PadLock, we could do away with the performance and cost objections. As for complexity, we've used products like Digital Persona's U.are.U Fingerprint Reader (the same technology Microsoft licenses for its own Fingerprint Reader) and witnessed firsthand how a single fingertip touch is all it takes to encrypt/decrypt files and folders using the encryption built into Windows XP. A simpler solution is hard to imagine. Clearly, the reasons for non-adoption are not rational, or at least not informed. It follows that resellers who devise and evangelize simple, cost-effective encryption solutions stand to make a mint.

Finding such solutions may be even easier than you think. Take the example of Seagate's Momentus 5400 Full Disc Encryption (FDE) 2.5" notebook hard drives. Originally announced in 2005 with Triple DES encryption (the government standard before AES' adoption) implemented via a discrete encryption processor in each drive, the FDE drives have yet to go into full production for several reasons. The mundane reason is that when FDE was being developed, parallel ATA notebook drives were the norm, and now most laptop designs are shifting to SATA. The real reason has more to do with software.

Because FDE technology encrypts the entire disk—master boot record, OS kernel files, and everything else often skipped by software-only solutions—there needs to be integration between the system BIOS and the hard drive. FDE begins with user authentication during the POST, and that password is hashed and stored on the drive. A pre-boot partition of perhaps 10MB serves to handle the authentication process before the user can gain access to the main partition and the rest of the operating system. The end result is that unless the user authenticates, the usable parts of the FDE drive are completely inaccessible.
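As an added illustration (not code from the article, and not Seagate's implementation), the Go model below shows the structure the paragraph describes: a password checked at pre-boot against a hash stored on the drive, a media encryption key that is unwrapped only after that check succeeds, and AES-128 applied to every sector so that a drive pulled from a stolen notebook yields ciphertext alone. The names (Drive, Format, Unlock, crypt), the iterated-hash password derivation and the CTR sector mode are assumptions of this model, chosen to keep it short; a real drive uses a stronger password KDF and a tweakable mode such as XTS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Drive models a self-encrypting disk: ciphertext on the media, key material in a small pre-boot area.
type Drive struct {
	salt       [16]byte
	verifier   [32]byte       // SHA-256 of the KEK: the drive stores a hash, never the password
	wrappedMEK [16]byte       // media encryption key (MEK) encrypted as one AES block under the KEK
	Media      map[int][]byte // sector number -> ciphertext; all that a thief can read
	mek        []byte         // held in drive memory only while unlocked
}

// deriveKEK turns the password into a 16-byte key-encrypting key (KEK) with a
// deliberately simple iterated hash (assumption: a real drive uses a stronger KDF).
func deriveKEK(password string, salt [16]byte) []byte {
	h := sha256.Sum256(append(salt[:], password...))
	for i := 0; i < 20000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:16]
}

// aes128 wraps aes.NewCipher; with fixed 16-byte keys the only possible error (bad key size) cannot occur.
func aes128(key []byte) cipher.Block {
	b, _ := aes.NewCipher(key)
	return b
}

// Format initialises a drive: random salt and MEK, with the MEK wrapped under the KEK.
func Format(password string) *Drive {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	d := &Drive{Media: map[int][]byte{}}
	copy(d.salt[:], seed[:16])
	kek := deriveKEK(password, d.salt)
	d.verifier = sha256.Sum256(kek)
	aes128(kek).Encrypt(d.wrappedMEK[:], seed[16:]) // seed[16:] is the MEK
	return d
}

// Unlock is the pre-boot authentication step: only a password whose derived
// verifier matches the stored hash lets the drive unwrap the MEK.
func (d *Drive) Unlock(password string) error {
	kek := deriveKEK(password, d.salt)
	v := sha256.Sum256(kek)
	if subtle.ConstantTimeCompare(v[:], d.verifier[:]) != 1 {
		return errors.New("pre-boot authentication failed")
	}
	d.mek = make([]byte, 16)
	aes128(kek).Decrypt(d.mek, d.wrappedMEK[:])
	return nil
}

// Lock discards the MEK (power-off, logout); the media is unreadable again.
func (d *Drive) Lock() { d.mek = nil }

// crypt applies AES-128-CTR to one sector using the sector number as nonce. Simplification:
// real drives use a tweakable mode such as XTS; CTR would reuse keystream on an in-place rewrite.
func (d *Drive) crypt(n int, in []byte) ([]byte, error) {
	if d.mek == nil {
		return nil, errors.New("drive is locked")
	}
	iv := make([]byte, aes.BlockSize)
	iv[0], iv[1] = byte(n>>8), byte(n)
	out := make([]byte, len(in))
	cipher.NewCTR(aes128(d.mek), iv).XORKeyStream(out, in)
	return out, nil
}

// WriteSector encrypts before data reaches the media; it fails while locked.
func (d *Drive) WriteSector(n int, plain []byte) error {
	ct, err := d.crypt(n, plain)
	if err == nil {
		d.Media[n] = ct
	}
	return err
}

// ReadSector decrypts on the way out; it also fails while the drive is locked.
func (d *Drive) ReadSector(n int) ([]byte, error) { return d.crypt(n, d.Media[n]) }

func main() {
	d := Format("correct horse")
	d.Unlock("correct horse")
	d.WriteSector(3, []byte("patient records"))
	d.Lock()
	fmt.Printf("locked: media=%x, wrong password: %v\n", d.Media[3], d.Unlock("guess"))
	d.Unlock("correct horse")
	p, _ := d.ReadSector(3)
	fmt.Printf("unlocked: %q\n", p)
}
```

Running it prints the ciphertext that is all the media holds while locked, the rejected wrong password, and the plaintext recovered after a correct unlock. A failed authentication leaves the drive locked, which is the property that makes a lost drive a non-event. A hardware key token (a USB key, a smart card) slots into the same structure where the password does, supplying the KEK directly instead of deriving it.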

This sounds pretty slick in theory, but implementing it in the real world proved more difficult than Seagate had anticipated. A wealth of BIOS compatibility issues had to be overcome, installers needed a more streamlined system configuration process, and users needed more robust, friendlier integration between FDE drives and other security applications. As such, Seagate pulled back on FDE deployment and is targeting a 1Q07 ramp-up—a date that meshes with the proposed Vista launch window. Seagate isn't linking the two events directly, but Joni Clark notes that the new FDE platform software Seagate is preparing will allow for drive unlocking via the Windows logon as well as seamless integration with biometric and other security devices. And while FDE doesn't yet have a single, system-wide authentication wherein the user only needs to enter his password once, this is in the works. By first quarter, the Momentus FDE drives will have also transitioned to SATA and adopted 128-bit AES encryption.

Of all the potential advantages we've seen for whitebooks over tier-one portables, the FDE drive is among the most compelling. The fallout from the May theft of a Veterans Administration laptop containing private data on over 26 million veterans continues. In June, the President issued a directive requiring that all sensitive data on mobile government devices must be encrypted. The California Security Breach Notification Act (Senate Bill No. 1386) states that encrypted data loss is not required to be reported as a security breach to customers, and in the last two years 24 states have enacted similar laws relating to data encryption. So any company responsible for maintaining the confidentiality of stored data would be negligent if not downright stupid not to implement encryption, if only to mitigate the potential embarrassment and customer loss entailed with being required to admit security incidents.

"The message we're trying to get out to resellers is that there are lots of people who have to comply with these state or government regulations," says Seagate's Clark. "Banks, health offices, schools—all these institutions have to comply. Everyone's going mobile. They need encryption. They can do it through software, which may be painful, or they can do it the really easy way. And a software encryption package is going to cost anywhere from $99 to $250. Getting one of our drives with FDE may be like only $20 more than a non-FDE drive. That's how little it is."

Seagate has not announced plans to take FDE into its 3.5" drives, although the move seems obvious provided there's sufficient interest on the mobile side. Still, you don't have to wait for secure Barracuda drives. With Momentus models already reaching up to 160GB capacities, a productivity desktop can go encrypted simply by applying a 2.5"-to-3.5" internal drive adapter. This makes even more sense for low-noise/low-power SFF configurations. The less your "secure PCs" look like standard desktops, the less anyone will expect them to use conventional desktop components.

Good to Grab 'n Go

You could devise the most intricate, crack-proof solution in the world, but perhaps a DataPort with integrated 128-bit encryption will serve as well. Drives slide out for secure transport and off-site storage.

A discussion of security peripherals goes beyond the scope of this article, but one bears mention in this context: external hard drives. Some customers will outgrow their internal FDE drives, and some are going to want secure external storage for backup purposes. At present, we're unaware of any major hard drive manufacturer with a highly secure external, direct-attach SKU—another industry weirdism that leaves us baffled. The best secondary brand product we've seen is the Outbacker from Memory Experts International (www.mxisecurity.com), which incorporates a fingerprint scanner tied to 256-bit AES encryption. But as a 2.5" drive-based solution with a top capacity of 60GB, the Outbacker's suitable niches are getting narrower.

Our favorite pick for external disk security is CRU-DataPort's Encryption models (www.cru-dataport.com). CRU-DataPort specializes in industrial-grade hard drive carriers that can slide in and out of frames typically installed in either 3.5" or 5.25" external PC drive bays or external enclosures. Several carrier models integrate an onboard chip to perform 64-bit DES and 128-bit Triple DES encryption in real time on read/write functions with the drive. The front panel of the carrier sports a USB port meant for a matching thumb drive that unlocks the drive's encryption. Without the security key inserted in the carrier, the hard disk is a sealed vault. This way, when a drive is removed for off-site storage or transport to another office, there is no risk of data theft if the drive is lost or stolen. According to the company, plans to migrate the encrypted product line over to AES are in the works, but even Triple DES is considered secure in practice despite the existence of theoretical attacks.

"As mundane and old school as it is, the reality is that the removable drive still answers a lot of concerns," says CRU-DataPort president Randy Barber. "We're meeting with legislators in Oregon right now who are trying to address identity theft, and what we keep hearing is that solutions are just too expensive. I don't agree with that. If we could provide a secure solution for a desktop that's under $100, maybe it's only 99.5% secure, but that's a heck of a lot better than what's in place today. And it doesn't require six-digit financing for small businesses to put in place. I think sometimes people get so wrapped up in the fancy ways to address the problem that they lose track of simple answers."


Copyright © 2007 RAM Magazine. All rights reserved.
Do not duplicate or redistribute in any form.