End-to-end encryption in store?
Encryption could soon become a standard feature in hard drives of all kinds, after an industry standards group and some heavy-hitting technology vendors agreed on common cryptographic standards for protecting data at rest.
Should the new standards be widely adopted as expected, disks would effectively be locked, requiring a password before a system even starts. Encryption would be built in at the firmware level and completely transparent to users.
The Trusted Computing Group, whose members include Fujitsu, Hitachi, IBM, Seagate Technology, Samsung, Toshiba, Wave Systems and Western Digital among others, has announced three non-proprietary specifications.
These outline encryption standards for secure storage in both PCs and servers. There is also a proposed standard for the SCSI and ATA protocols used by hard disks and other storage subsystems.
Adherence to the first of these, the new Opal standard, should ensure storage hardware manufacturers start to build some common security safeguards into their devices. These would protect the confidentiality of stored user data against unauthorised access once the device leaves the owner’s control. The measures will also provide for some user-definable features such as access control, locking ranges and user passwords.
As well as Opal, the Storage Interface Interactions specification details how all of the specifications interact with storage connections and interface specifications, including ATA, ATAPI, SCSI, Fibre Channel, and others.
An Enterprise Security Subsystem Class specification takes aim at drives used in data centres and high-volume applications, where typically only minimal security configuration is done at installation.
Encryption is fast becoming a necessity for data both at rest and in transit. Its use looks increasingly likely to feature as part of an organisation’s information security policy, particularly to protect confidential company and customer information and to ensure compliance with laws like the Data Protection Act of 1998 in the UK.
“Lost and stolen data costs industry and consumers hundreds of millions of dollars, not to mention loss of credibility, legal issues and lost productivity,” said Trusted Computing chair Robert Thibadeau.
Interestingly, encryption is not a requirement of the Payment Card Industry Data Security Standard, and some businesses are now calling for it to be mandated. Robert Carr, chief of the Heartland payments processing business that was hacked last year, has recently called for better industry cooperation and new operational procedures to prevent future data compromises, including industry-wide, end-to-end encryption to fully protect sensitive financial data.