This is a clearly serious issue and I’m going to forward this thread over to the bloggers at blogs.cisco.com/datacenter to see if they have some input.

Cisco recently produced a 60 minute show on data center efficiency that will feature APC, VMWare, and John Morley of EMC at the end of the month.

It’s more focused on energy efficiency but I thought I would let you know about it.

Thanks and best regards,

Ethan Bauley
ethan /at/ m80im.com
M80 (on behalf of Cisco)

To shed light on a few issues presented….

When handling secret and top secret level data, decommissioning must assure absolute destruction of the data beyond reconstruction by any means. Accordingly, key destruction is not considered acceptable in this situation as a key can decrypt the encrypted data. Yes, I appreciate that complex key lengths make this virtually impossible but as long as a key can exist, it is not acceptable.

The other issue is enterprise key management. Hardware based encrypted drives offer a good means to protect data. However, if the key is lost, so is the data. I am sure that you can envision hte vulnerabilities here. WE do not need another San Francisco.

Statement #4 from the Storage Anarchist is incorrect. Drives with embedded encryption features are compliant to government encryption specifications that require the key to reside in a device that has no accessible or externally addressable circuitry. Rather, you can not connect a logic probe to any pins to intercept the key. Reference the Center for Magnetic Recording Research at the UCSD.

The folks at Seagate see embedded encryption as the panacea of security, despite the fact that the inability to implement enterprise key management will be a real show stopper for most enterprises. They refuse to believe that encrypted hard drives will be anything more than a great feature for consumer PC’s and notebooks.

BTW, according to the CMRR and the US government, when physically destroying a hard drive, the particles from the media must be of a diameter no larger than the space to accommodate a single data block. This specification was 1/125 of an inch up to early this year. However, due to higher media densities, the spec is now 1/250th of an inch. Many shedding facilities are capable of attaining the 1/125th of an inch screen size. The new spec caused a lot of consternation from the folks at a couple major service providers and at the RCMP in Canada, as the procedure to handle EOL top level classified drives must be updated.

One concept that has been put up for consideration is decommissioning the devices with Secure Erase (in ATA compliant devices), and then sending it in for shredding to the 1/125th screen size. Alternately, attaining the 1/250th spec will require the much more costly process of disintegration.

If anyone wants a copy of the best practices guide, please e-mail me at ryk@converge-net.com and I will be glad to forward a copy.

Additionally Wave System’s (and Dell) provide Wave system’s ERAS server. This is an nterprise class server for the central management of the Seagate trusted drives as well as for the management of all brands of Trusted Platform Modules (TPM).

TPMs are standard equipment of practically all enterprise class notebooks.

And while I can’t argue that some customers may want to protect their information out of sheer paranoia, the financial, government, retail and health care industries are actually mandated to do so, and they are required to adhere to specific requirements in doing so.

So far as I am aware, encrypting disk drives and key destruction BOTH are not an approved protection in any of those industries at this time, while secure erasure is approved for at least some classes of protected information. And it’s not that these technologies are new and not yet approved – they have actually been evaluated and deemed insufficient by the organizations setting the requirements.

Your goal is inarguably commendable, but the actual solution may not be encrypting disk drives as you propose.

I don’t disagree with any of your points, however like all technologies, there must be a starting point and not all organisations need the level of paranoia protection the DoD prescribe to.

EMC also offers Secure Drive Erase within the Symmetrix, which performs a DoD-compliant erase of all data on a failed drive before it is removed from the system (if possible). EMC also offers an on-site drive erasure appliance that can DoD secure erase a drive removed from the array (if it will still spin, that is).

Still, most financial (and all DoD) customers tend to retain all failed drives – some don't even believe grinding them up into little pieces is sufficient. So they store failed drives in secure warehouses somewhere.

But your post really wasn't about all that now, was it :>)

When it comes to encrypting data stored on disk drives, there are numerous considerations beyond the drive suppliers’ perspectives, including:

1 – Encrypting drives are today being offered at a price premium to standard drives;

2 – The drive-based encryption implementation is not identical across drive suppliers (or drive types within a supplier), and there are no standards (yet)

3 – none of the drive vendors are offering identical encryption capabilities across their entire product lineups (SATA/SAS/FC, 7200/10K/15K rpm, capacity points, etc.)

4 – most of the current encrypting drive algorithms store the actual keys within the device itself, in a manner that can (at least theoretically) be accessed given physical access to the drive

5 – some of the current encrypting drives also include a “back door” manufacturer’s key to protect against accidental loss of the end-user keys (a real no-no in crypto-land),

6 – none of the encrypting drives have successfully attained security certification or approvals (such as FIPS-140, etc.)

7 – US Federal Government procurement and security standards do NOT acknowledge Key Destruction as sufficient to protect against data theft for ANY class of information stored on disk (or tape, for that matter). This is partially because it is known to be impossible to prove a) that all copies of the keys have been destroyed and b) that a given security algorithm is unbreakable given access to the device with unlimited time and/or CPU power

8 – a company’s liability for data loss and information security is currently not reduced or abdicated through the use of encrypting disk drives. The disclosure and liabilities are the same for an encrypted and an unencrypted disk.

As a result of these consideration, the approach of drive-based encryption merely adds end-user cost, increases drive supplier margins and reduces the customer’s flexibility to use multiple different tiers of storage. In return, there is no significant improvement or change to the risks of unintended access to information.