
Hard Disk Encryption needs management…

This week CNET News contributor Jon Oltsik blogged about how he believes that now there’s a unified standard for hardware disk encryption, governments should lead the transition to self-encrypting hard disks. Jon makes the point that hardware encryption is simple, fast, and generally more secure than software encryption.

While it would be admirable to see any government protect its data, in my opinion Jon missed the big point: the real benefit of the standard is common key management across all the different vendors. No one gets much benefit from the drives doing the encryption the same way; as long as it is a “good” way, who cares? But if all the drives share a common key management architecture, provisioning and, more importantly, recovery of data become much simpler.

One of the challenges companies such as McAfee face is where to spend our R&D budget, and providing unified management for hardware encryption is one of those areas. Because each vendor has traditionally had different capabilities, different key management proposals and so on, we have historically had to decide which vendors we support and which we don’t (yet) support.

Having one common standard means two good things: any drive written to that standard will be manageable (and recoverable) through our ePO console, and, perhaps better still for administrators, there will be a common user, admin and helpdesk experience regardless of who actually provides the hardware.

So, back to Jon’s article, his closing point particularly interested me:

“Wouldn’t it be more efficient to purchase systems with self-encrypting drives once rather than purchase systems and then purchase software? Oh, and self-encrypting drives would also eliminate the systems integration burden as well.”

Yes, it would indeed be more efficient to purchase systems with self-encrypting drives, if there were already some enterprise-wide system in place to manage them. Does anyone think a government wants to let users set up the protection (or not) themselves, or would accept the total loss of all the data on a drive because a user forgot their password? Of course not: the only way any organization will allow encryption is if the organization itself retains control of access at all times.

For individuals, yes, hardware encryption is great: buy it, set it up, use it. Simple. For larger organizations, though, there needs to be a strong management, audit and compliance backbone in place to look after the keys, reset forgotten passwords, and recover data. That’s where McAfee comes into play.

  1. July 6, 2009 at 17:16

    Hmm. Is it true? 🙂
