Security Pro VIP Update--April 3, 2008

In this Issue
--Perspective: Moving Toward Self-Encrypting Drives Everywhere
--Coming this Month
--March 2008 Articles in Print-Friendly Format—with Bonus Article on Security Logging
--Share Your Security Tips and Get $100
--The Security Pro VIP Forum

Perspective: Moving Toward Self-Encrypting Drives Everywhere

Last month, I wrote about a disk encryption vulnerability in "Keep Your Encrypted Data Encrypted." This month, more disk encryption news—of a more positive sort. Seagate Technology will soon announce what it calls a self-encrypting full-disk encryption (FDE) hard drive for the data center. Seagate says its self-encrypting disks are not vulnerable to the cold-boot vulnerability because the encryption key isn't stored in memory—it's stored on the disk itself.

Seagate has made a string of announcements about its line of self-encrypting disks over the last year. In July 2007, Seagate said that the National Institute of Standards and Technology (NIST) had certified the Advanced Encryption Standard (AES) encryption chip built into Seagate’s Momentus 5400 FDE.2 disc drive, which Seagate described as "the world’s first laptop hard drive with native encryption." In January 2008, the company announced Maxtor BlackArmor, a 160GB USB 2.0–attached portable storage device that uses the same built-in encryption. In October 2007, Seagate, with partners LSI and IBM, announced that it would extend its hardware-based FDE technology to its enterprise-class hard drives, with "plans to deliver ... to customers in 2008."

Gianna DaGiau, a Seagate product marketing manager, recently explained why encrypting data stored on disks in the data center is important. For one thing, federal and state legislation requires protecting sensitive customer data. If data is somehow lost, you must notify customers, which can be a costly endeavor. However, if the lost data is protected by encryption, the notification isn't necessary. You might think that the data at rest in your data center is protected by lots of layers of security and thus doesn't need encryption, but eventually, all disks leave the data center when they're decommissioned. The decommissioning process, which relies on people handling disks and destroying them or their data, exposes unencrypted data to theft and accidental loss. Fully encrypted disks with the encryption key stored on the disk can be safely and easily decommissioned by deleting the encryption key.

DaGiau also said that Seagate's self-encrypting disks overcome some of encryption's highest hurdles. Key management is simplified because the encryption key never leaves the drive. However, DaGiau and Bret Weber, chief architect and fellow in LSI's Engenio Storage Group, did explain that the administrator would set the authentication key in the storage management system and would of course need to establish a backup for authentication key management. Performance can be another issue with encryption, but DaGiau said that in Seagate's self-encrypting drives, the encryption engine speed matches the disk performance, so encryption won't slow data processing down.

Recent data breaches in the news make it seem inevitable that we're headed for encryption everywhere: across communication lines and on our notebooks, desktops, external personal storage devices, and network storage systems. It's good to hear about a technology like self-encrypting disks that appears to make encryption easier to use.

—Renee Munshi, Security Pro VIP Editor

Coming this Month

"SP3 Adds NAP to XP" by Damir Dizdarevic
WPA, MMC, RDC, PNRP, and BITS get updates too, but if you're looking for a lot of new functionality, buy Vista. XP SP3's main virtue is combining the many patches since SP2 in one package.
This article is now live on the Web.

"PowerShell Makes Security Log Access Easy" by Robert Sheldon
Security event logs contain valuable information about attempted system assaults and account and group policy modifications. PowerShell gets you access to the security logs and allows you to shape the data to match your needs.
Coming April 10.

"Windows Server 2008’s RemoteApp" by Damir Dizdarevic
RemoteApp enhances end users’ experience while using terminal applications and gives administrators more detailed control over terminal resources and security.
Coming April 17.

Windows Gatekeeper by Jan De Clercq
New this month, this question-and-answer column from frequent Security Pro VIP contributor Jan De Clercq replaces Randy Franklin Smith's Access Denied. Longtime subscribers might remember Jan's NT Gatekeeper column in the Security Administrator print newsletter. We're happy to be reviving the Gatekeeper column.
Coming April 24.

March 2008 Articles in Print-Friendly Format—with Bonus Article on Security Logging

Did you notice that we posted an extra article on the Security Pro VIP Web site in March? It's "Are Your Event Logs Recoverable and Viewable?" by Jim Turner. Get this article plus all the other March articles in .pdf format by clicking here. The .zip file contains a .pdf file of all the articles and code files that accompany two of the articles. Print the .pdf and enjoy!

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

The Security Pro VIP Forum

The Security Pro VIP forum is your place to ask questions about security topics and about articles posted on the Security Pro VIP Web site and to get answers from other forum members, including Orin Thomas, forum moderator, and article authors. Let's talk!

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.