As their name suggests, self-encrypting drives (SEDs) are designed to encrypt all the data written to them. They clearly represent a better form of encryption – unlike software, they aren’t vulnerable to traditional software attack, and don’t slow the operating system or require frequent updates.
Beyond the best-in-class data security that SEDs offer, however, they also enable capabilities that hold promise for tomorrow’s computing environment.
Strong Authentication and Multiple Partition Support
In short, Opal SEDs have a protected area of the drive that cannot be modified by users or unauthorized parties, and that keeps an alternate OS and a second or ‘shadow’ Master Boot Record (MBR). When an SED powers up, this secondary – or pre-boot – OS loads using the secondary MBR.
This allows the user to enter his identity credentials, which are authenticated inside the protected hardware of the SED itself. Only then will the SED unlock the user area of the drive, execute the normal MBR, and load the primary OS into the system.
Opal supports the capability for dividing the SED into multiple partitions. While this isn’t a new capability, with Opal, these partitions each have their own unique encryption keys, and each partition can have unique users with unique passwords for accessing the data in those encrypted partitions.
1. Supporting Personal and Business Uses on the Same Laptop
The ‘bring your own device to work,’ or BYOD, movement highlights the increasingly blurry line between personal and business computing. While it’s becoming a vexing problem for IT, SEDs enable the secure use of a single machine for both personal and corporate use by partitioning the user’s area into two drives. This allows for separate partitions for personal and business operating systems, files and applications.
You add an option in the pre-boot OS that unlocks the personal system if a user enters his personal password or the business system if he enters his business identity and credentials. Since there is no way to simultaneously unlock and load both the personal and the business systems, personal use of the machine with high-risk applications cannot infect that business system. Nor can data be moved from the business system to the personal system. This allows the simultaneous use of a single machine for both purposes –without any security exposures.
2. Trusted Virtual Machines
Virtualization, much like BYOD, has been a perennially hot topic for the IT press in recent years. Virtualization entails adding a layer of software or firmware between the hardware and the operating system layer. This allows multiple ‘virtual’ machines to coexist on a single physical machine. Providers of virtualization solutions claim that their technology is perfect for solving security issues by separating various systems and applications.
However, one of the remaining security challenges is ensuring malware or rootkits have not compromised the hypervisor, or virtualization software itself. Hackers typically attack a system by moving one layer down the stack of functions until they find a vulnerability. That potentially includes the hypervisor level. Since SEDs provide a highly secure place to store data, they offer the capability to store a copy of the hypervisor and load the protected, unaltered copy each time the system boots.
This gives trusted, virtual machines a strong foundation of security. Additional security is possible by using the Trusted Platform Module (TPM) in most PCs to measure the hypervisor each time it loads. This assures that it has not been hacked (i.e. the TPM provides a hardware root of trust for the hypervisor and therefore, trusted virtual machines.) Since all software is ultimately susceptible to being hacked, starting with a hardware root of trust is the only way to assure that even virtual machines can be trusted.
3. Self-Healing Systems
Most security solutions can detect a hack, but remedy it? Not likely. When used together with the Trusted Platform Module (TPM), SEDs can automatically self-heal without intervention from IT. The TPM has the unique ability to ensure a machine boots securely, measuring individual components as they load, and comparing them to known, good values.
Therefore, they can assure that no unauthorized malware is in the system’s BIOS, MBR or boot software. If a TPM ever detects an attempted hack, then the SED’s protected storage can be used to reload a safe, unaltered version of the hacked software. Thus, the protected storage of the SED enables ‘self-healing’ systems that respond to attacks before any damage is done.
4. SED – Platform Binding
For many organizations it is not sufficient to only authenticate the user before allowing a drive to unlock and the system to load. Many enterprises would like to assure that the drive can only be unlocked when it is in an ‘authorized’ laptop or desktop. This keeps employees from taking their disk drives out of their business machines and putting them in their personal machines and unlocking them.
Binding the SED to a specific platform or a specific group of platforms simply requires an added step so that the pre-boot authentication software exchanges an authentication key between the platform (TPM) and the SED. Thus, the SED will unlock only when BOTH the user and the platform have been successfully authenticated. Plus, adding a specific network stack to the pre-boot ensures the SED will only unlock when it receives authenticated user credentials to attach to that authorized network. Interconnecting multiple trusted components creates fully trusted platforms, including each element.
As you can see, you can extend the capabilities of Opal SEDs to provide solutions for a wide range of current and future security requirements.