The loss of data is a concern for pretty much everyone. It can affect you and your business in many ways. Inability to find data can affect being able to call people, treat patients, produce products, fill orders, send invoices, and much more. Taking measures to keep this from happening is a prudent step toward avoiding downtime and having peace of mind.
One effective step you can take is incorporating Self-Encrypting Drives (SEDs). SEDs as compared to your standard Hard Disk Drive (HDD), have a circuit built into the drive's controller chip. The circuit encrypts all data that is processed through the drive, eliminating the need for third party software to encrypt your data on standard HDDs.
SEDs work by effectively having two keys. One key is called the MEK or Media Encryption Key, and the other key is the KEK or Key Encryption Key. These keys work in tandem to encrypt the drive. The MEK is the key that actually encrypts and decrypts the drive and it's set at the factory. The KEK is a key you set during the configuration of your system. What the KEK does is encrypts and decrypts the MEK. Without the KEK installed (correct word?) during initial setup, there is no way for the drive to decrypt the MEK and your data becomes unrecoverable.
Benefits of SED’s:
- Limit Attack Surface - SEDs enable you to limit the attack surface of the encryption. Encryption is all done locally on the drive, and nothing is processed within the processor or RAM limiting the attack surface of the encryption. The process is also completely transparent to the user outside of providing the KEK. Furthermore, no applications or programs need to be run locally within the Operating System.
- Secure Erase in Seconds - SEDs give you the ability to Instant Secure Erase a drive within seconds rather than hours. It clears the KEK and resets the encryption effectively wiping the drive. It saves hours of time, especially for businesses that wipe drives prior to reuse or destruction. By running the instant secure erase command, you effectively change the key used to decrypt the drive rendering all the previous data unrecoverable.
Deployment strategy with SED’s should be a well thought out plan. The right attention to the specific security problems they mitigate, can be useful, but they’re not by themselves a defense against data theft or loss, nor are they by themselves a compliance procedure.
Security is a process, not a product, and while you can buy products that make the process easier, the majority of the heavy lifting is still yours to do. With SED’s the only way to protect against data theft is still the combination of firewalls, SED’s, actual monitoring (not just software), but actual eyes on monitoring. Annual, biannual or monthly penetration testing.
Remember, the hack comes before the fix. Although the costs are high for security, how much would the cost be to a company for a breech or for theft?
Looking to add SEDs to your current network?