Data Security Using TCG Self-Encrypting Drive Technology

Transcription:

Data Security Using TCG Self-Encrypting Drive Technology June 11, 2013 2:00PM EDT Copyright 2013 Trusted Computing Group 1

Tom Coughlin, Founder, Coughlin Associates. Tom has worked for over 20 years in the digital storage industry as an engineer and engineering manager. He has over 70 published articles, books and reports and 6 granted patents. Coughlin Associates publishes reports on digital storage and applications and provides various types of consulting services. Tom is an active member of IDEMA, IEEE, SMPTE, SNIA and other technical organizations.

Dr. Michael Willett, Storage Security Strategist, Samsung. Recently, Dr. Willett was a Senior Director at Seagate Research, focusing on security functionality on hard drives, including self-encryption, related standardization, product rollout, patent development, and partner liaison. Currently, Dr. Willett serves as a consultant on the marketing of storage-based security. Presently, Dr. Willett is working with Samsung as a storage security strategist, helping to define their self-encryption strategy across Samsung's portfolio of solid-state storage products.

Hussein Syed, Director of IT Security, Barnabas Health. Hussein has over 18 years of IT experience, of which 10 years have been in IT Security. He has a thorough understanding of health care business enablement (both clinical and business-driven), focusing on secure practice and compliance. In his role he has to remain technical and understands its impact on risk, workflow, patient care/satisfaction and physician/clinician enablement. Hussein has also participated in Gartner and NJHIMMS roundtable sessions on HIPAA/HITECH and IT Security.

- Increasing world-wide financial and legal consequences for data loss and data breaches
- Safe Harbor laws in most of the US and the EU for loss of devices with secured and encrypted data
- Trusted Computing Group (TCG) standards for notebook/portable computers (OPAL) and Enterprise Storage Devices using FIPS compliant AES 128 and 256 bit encryption
- Lower overhead encryption and decryption for SEDs than software encryption
- SEDs allow fast Crypto-Erase that sanitizes drive data before drive replacement, repair, de-commissioning, re-purposing and end of life

Most major storage device companies provide SEDs
- Seagate, Western Digital, HGST (part of WD) and Toshiba offer portable and/or enterprise TCG encrypted HDDs
- Micron and Samsung provide TCG OPAL compliant SSDs

There are special advantages for TCG encrypted SSDs
- Crypto-erase may be the most effective way to sanitize an SSD
- The overhead penalty for software encryption vs. self-encryption is even more significant for SSDs than HDDs

[Chart: Million Units Shipped, 2007 to 2016; High, Median and Low series]

By 2017, all hard disk drives will be SED capable, with encryption integration into the controller (as a reference point, over 25% were SED enabled in 2011)

[Chart: Million Units Shipped, 2009 to 2016; High Estimate, Mean Estimate and Low Estimate series]

By 2013, 80% of SSDs will be SED capable and by 2016, penetration will near 100%

All drives eventually leave the data center
- IBM estimates 90% are still readable

Why secure data?
- Increasing global regulations for data security
- PCI, HIPAA regulations require data privacy
- 46+ states have breach notification laws with encryption safe harbor
- Increasing consequences of non-compliance from privacy protection and breach notification laws
- Ponemon Institute estimates $194 for US company per compromised customer record in 2011; average total per-incident cost of $5.5 Million
- Privacy Rights Clearinghouse reports 607,234,229 records have been breached as of February 2013

The Problem
- Since 2005, over 345,124,400 records containing sensitive personal information have been involved in security breaches
- In 2008, the average cost of a data breach was $6.65 million per affected corporation ($202 per record)
- $6.65 Million Per Incident
- Consequences: Legal, Financial, Reputation

[Chart: Reported Data Breaches Since February 2005 to Now; number of reported breaches per month, Feb-05 to Aug-06]

Source: Privacy Rights Clearinghouse http://www.privacyrights.org/ar/chrondatabreaches.htm

Threat scenario: stored data leaves the owner's control (lost, stolen, re-purposed, repaired, end-of-life)
- Compliance (Breach Notification)
- 46+ states have data privacy laws with encryption safe harbors
- New U.S. Federal and EU data breach legislation
- Data center and laptop drives are mobile (HDD, SSD)
- Exposure of data loss is expensive ($6.65 Million on average per incident [1])
- Obsolete, Failed, Stolen, Misplaced: nearly ALL drives leave the security of the data center
- The vast majority of decommissioned drives are still readable

[1] Ponemon Institute, Fourth Annual US Cost of Data Breach Study, Jan 2009, www.ponemon.org

Security Subsystem Classes:
- Opal (laptop)
- Enterprise (data center)
- Optical

- Transparency: SEDs come from factory with encryption key already generated
- Ease of management: No encrypting key to manage
- Life-cycle costs: The cost of an SED is pro-rated into the initial drive cost; software has continuing life cycle costs
- Disposal or re-purposing cost: With an SED, erase on-board encryption key
- Re-encryption: With SED, there is no need to ever re-encrypt the data
- Performance: No degradation in SED performance
- Standardization: Whole drive industry is building to the TCG/SED Specs
- No interference with upstream processes

ISSUE: Hardware acquisition (part of normal replacement cycle)

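Pre-boot Authentication

AK = Authentication Key
DEK = Data Encryption Key

Stored on the drive: Hashed AK, Encrypted DEK, Encrypted User Data

[Diagram: authentication flow]
1. Pre-boot authentication supplies the AK; the drive hashes the AK and compares it with the stored Hashed AK (Correct AK?)
2. No: Drive does NOT respond to Read or Write requests
3. Yes: Clear AK decrypts DEK; unlock HDD
4. DEK encrypts and decrypts User Data (Clear Data on one side, Encrypted User Data on the drive)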

Stored Data Protection
- Should equipment be lost, data is not exposed
- All user data is always encrypted
- Encryption function cannot be turned off

Immediate Data Erasure (Crypto-Erase)
- When drives are to be retired, relinquished or repurposed
- Data can be destroyed instantaneously
- Even if drive is inoperable
- Recommended by NIST (see SP 800-88 Guidelines for Media Sanitization)

Not Addressed
- Protecting data in flight
- Prohibiting unauthorized user access after drive is unlocked

Performance
- Each SED encrypts all data transferred to it transparently and fast
- As SEDs are added, the encryption performance scales linearly
- No re-encryption necessary when external credentials (AKs) need changing

Security
- No back doors
- No access without authentication; resistant to evil maid attack
- All user data encrypted, always
- Encryption cannot be turned off by user; not exposed outside drive
- Crypto-Erase of data

Manageability
- No OS or Master Boot Record modification
- Standard protocol, multiple sources: all drive manufacturers support TCG standard
- No interference with storage management functions: RAID, backup/restore, compression, de-dup, DLP
- Lower cost disposal, no hazardous waste created
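Added example (not part of the original slides, and not any vendor's firmware): a toy Python model of the key hierarchy on the Pre-boot Authentication slide, showing that a wrong AK leaves the drive unresponsive, that changing the AK re-wraps only the DEK with no re-encryption of user data, and that Crypto-Erase destroys the key rather than the data. The names ModelSED, kdf and keystream_xor are hypothetical, and PBKDF2 plus a SHA-256 keystream stand in for the drive's hardware AES engine as assumptions of this sketch.

```python
import hashlib, hmac, secrets

def kdf(ak: bytes, salt: bytes, label: bytes) -> bytes:
    # Stretch the authentication key (AK); each label yields an independent key.
    return hashlib.pbkdf2_hmac("sha256", ak, salt + label, 50_000)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the drive's AES engine (SHA-256 in counter mode); toy cipher only.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class ModelSED:
    """Hypothetical model of the slide: hashed AK, encrypted DEK, encrypted user data."""
    def __init__(self, ak: bytes):
        self.sectors = {}                      # LBA -> ciphertext, as stored on media
        self._dek = secrets.token_bytes(32)    # DEK is generated inside the drive
        self._wrap(ak)
        self._dek = None                       # powered off: drive starts locked

    def _wrap(self, ak: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashed_ak = kdf(ak, self.salt, b"verify")
        self.enc_dek = keystream_xor(kdf(ak, self.salt, b"wrap"), b"dek", self._dek)

    def unlock(self, ak: bytes) -> bool:
        if self.enc_dek is None or not hmac.compare_digest(
                kdf(ak, self.salt, b"verify"), self.hashed_ak):
            return False                       # wrong AK or erased key: stays locked
        self._dek = keystream_xor(kdf(ak, self.salt, b"wrap"), b"dek", self.enc_dek)
        return True

    def change_ak(self, old: bytes, new: bytes) -> bool:
        if not self.unlock(old):
            return False
        self._wrap(new)                        # only the DEK is re-wrapped
        return True

    def crypto_erase(self) -> None:
        self._dek = self.enc_dek = None        # key destroyed; ciphertext is now noise

    def io(self, lba: int, data: bytes = None) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked: no response to read/write")
        if data is not None:
            self.sectors[lba] = keystream_xor(self._dek, lba.to_bytes(8, "big"), data)
        return keystream_xor(self._dek, lba.to_bytes(8, "big"), self.sectors[lba])
```

The model also makes the slide's "Not Addressed" items concrete: once unlock() succeeds, io() serves any caller, so access control after unlock has to come from somewhere else.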

A case study by Barnabas Health

Organization
- New Jersey's largest integrated healthcare system
- 25 functional facilities total
- Provides treatment for >2M patients/year
- 18,200 employees, 4,600 doctors

Environment
- 2380 laptops
- Adopted SED as standard for desktops this year, used by healthcare professionals and executives distributed across 25 functional facilities
- Protecting PII/PHI/diagnostic information
- HP shop using Wave-managed Hitachi SEDs

Barnabas Health
- New Jersey's largest integrated health delivery system
- Implemented SEDs in 2380 laptops used by doctors, nurses, administrators and executives across 25 facilities
- Will be encrypting 13,000 desktops used in the hospitals, via the asset lifecycle process, in 4 years; 400 units expected to be done this year

Key Findings:
- 24 hours faster deployment on average per user over previous software-based encryption
- Negligible boot time versus up to 30 minutes to boot a PC with software encryption

- Identify the data protection risks/requirements
- Regulatory requirement for data protection
- Safe harbor exemption
- Intellectual property/Proprietary information protection
- Build a business case
- Market place analysis
- Embed into the asset lifecycle program to manage expense

Implementation of SED drives
- Phase in the SED into asset lifecycle
- Configuration, setup, rollout
- Support
- Communication
- Encryption Drive password Management
- Ability to provide encryption proof if the asset is lost

Governance
- Ability to provide report
- Manage device lifecycle

Encryption everywhere! Data center/branch office to the USB drive
- Standards-based: multiple vendors; interoperability
- Unified key management: authentication key management handles all forms of storage
- Simplified key management: encryption keys never leave the drive. No need to track or manage.
- Transparent: transparent to OS, applications, application developers, databases, database administrators
- Automatic performance scaling
- Granular data classification not needed

[Diagram: Key Management Service; Notebook, Desktop, USB; Data Center Application Servers; Network; Storage System, NAS, DAS; Tape; Branch Office Storage System; Local Key Mgmt. Protocols: Standard Key Mgmt Protocol (OASIS KMIP); Trusted Computing Group T10/T13 Security Protocol. Legend: Authentication Key Flow; Data Flow; Authentication Key (lock key or password); Data Encryption Key (encrypted)]

1. Purchase all new laptops and enterprise data storage with SED drives
2. Retrofit high-risk legacy machines with SED drives
3. Restrict access to stored sensitive data to machines with SED drives in early rollout
4. When adding more drives to array to the data center, use SEDs to avoid concerns for balancing encryption workloads
5. Phase in SEDs into the data center
6. Avoid or minimize the need for data classification
7. Be aware of and accommodate other data security contexts

Post your question now.

- Data Security Architect's Guide: https://www.trustedcomputinggroup.org/resources/tcg_data_security_architects_guide
- Self-Encrypting Drive Market and Technology Report, Tom Coughlin, Coughlin Associates: http://www.tomcoughlin.com/techpapers/2011%20self-Encrypting_Drive_Market_and_Technology_Analysis%20Brochure,_092011.pdf
- Saint Barnabas Health Care System Case Study: http://www.wave.com/buzz/pr/saint-barnabas-health-care-system-selects-wave-protectpersonal-health-information-laptops
- Storage Specifications: http://www.trustedcomputinggroup.org/developers/storage/specifications
- Interested in Getting Involved with TCG? Join Us: http://www.trustedcomputinggroup.org/join_now