Disk-drive encryption gets boost from Opal standards effort

Addresses debate over application- vs. hardware-based encryption

The Opal industry-standards effort unveiled this week by the Trusted Computing Group should prove a boon to information technology professionals exploring desktop encryption options.

The Opal Security Subsystem Class Specification 1.0, as it's officially called, offers a set of mechanisms and protocols for disk-drive encryption, authentication, configuration and policy management. When implemented in disk drives and supporting client and security-management software, Opal would provide IT managers with flexibility and interoperability in managing computers using Opal-based encryption.

"That's what we expect with this, the ability to mix and match, and we're keeping an eye on it going forward," says Ken Waring, IT director at CBI Heath, the Toronto-based Canadian healthcare provider, which today uses Seagate's embedded disk-drive encryption in Dell computers, with Wave Systems management software, to protect sensitive data.

While CBI Health has found hardware-based disk encryption an excellent way to protect data, the only negative is "it's restricting us to one model," says Waring. Opal promises to bring a new level of interoperable security so that IT managers could mix and match manufacturers' Opal-based disk drives and vendor software management tools.

Backers of TCG's Opal initiative, which makes use of the Advanced Encryption Standard (AES), include disk-drive manufacturers Fujitsu, Hitach, and Seagate, as well as software vendors Wave, WinMagic, CryptoMill Technologies and others. Fujitsu, for instance, is promising Opal support in all of its Notebook drives, both the 5400 rpm and 7200 rpm, during the second quarter.

"The basic objective is how do we embed security in the drive, to have encryption and authentication, and do it in a standardized way so it works no matter what drive you have," says Lark Allen, vice president of development at Wave, which has demonstrated Opal-based interoperability with its Trusted Drive Manager working with Fujitsu's Opal implementations.

Opal is among the latest efforts to satisfy the growing corporate demand for disk encryption. According to Forrester's survey of 942 IT and security managers in North America and Europe,  full-disk encryption was cited as the top client security technology to be piloted or adopted this year.

Encryption is fast becoming a necessity for both stored data and in transit.

In some industry sectors, particularly healthcare, both in the United States and abroad, encryption has become a necessity to satisfy regulatory requirements.

"The Department of Health requires that no patient data be sent unless it's encrypted," explains Saeed Umar, the IT project manager at Lancashire Teaching Hospitals NHS Foundation Trust based in London.

The hospital system, which provides healthcare to hundreds of thousands of individuals and educates medical students from the University of Manchester and the University of St. Andrews, has a staff of 6,500 and about 4,000 PCs.

Umar says the healthcare organization two years ago settled on using Voltage SecureMail to encrypt sensitive information that was e-mailed, because it works without requiring client software on the receiving end. "I wanted e-mail anywhere, and this works to send e-mails anywhere securely," says Umar.

Umar says his next important encryption project involves deploying McAfee’s Endpoint Encryption (formerly called SafeBoot) on about 400 laptops for data protection, adding the British government's health authorities are mandating it.

But there's open debate over the perceived advantages and disadvantages of deploying software-based disk encryption, based on products from security vendors, vs. deploying hardware-embedded disk-drive-based encryption that’s become available from disk-drive manufacturers.

CBI Health's IT Director Ken Waring says his organization did adopt software-based encryption for its older computers. Preferring not to divulge the specific software vendor, Waring said his organization's experience with software-based full-disk encryption has been much less satisfactory than using the Dell computer Seagate-based disk-drive-based encryption.

"We had problems with the installation of the software-based product," said Waring. In a few instances, the encryption software was uninstalling itself, apparently due to bugs related to the software keys.

When he asks his IT staff today which they prefer to manage, the answer has overwhelmingly been the hardware-based encryption.

"It's been no stress," says Waring, predicting the future will likely see every disk drive capable of encryption, and the best direction for this would be less proprietary implementations for them if security standards efforts such as Opal truly work out in practice.

Learn more about this topic

Encryption top security initiative in '09, says Forrester

Opal promising interoperable disk-drive security

Coming soon: Full disk encryption on all computer drives

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies