Encryption of stored data is widely accepted as an effective and efficient way to protect sensitive information. In some industries, such as finance and health care, encryption is rapidly becoming a requirement as government regulators strive to ensure personal privacy regarding the data that consumers share with these types of institutions.
Self-encrypting drives, or SEDs, were first adopted in mobile computing because of the ease with which mobile devices (such as laptops, tablets and phones) can be lost or stolen. The need to encrypt the data on these devices was obvious: even though the loss of an expensive computer is painful, losing control of the data on board could be financially devastating. Encryption is now becoming accepted, and even expected, in enterprise computing; however, myths and misconceptions remain. We'd like to dispel the five most common myths about encrypted SSDs, particularly for enterprise and data center environments.
1. I don't need encryption; the physical security of my data center is adequate
Physical security is always of great importance, and stories of drives and even whole servers going missing from data centers are very rare, even if dramatic. While having a "bad actor" come through a secure data center and physically remove drives is a serious threat, it is not the only one, nor is it the most prevalent.
According to some estimates, at least 50,000 drives are removed from data centers every day for wholly legitimate reasons. These reasons include efficiency improvements, maintenance or technology upgrades, and device failures. Regardless of the reason for the decommissioning, these drives will then move beyond the physical security perimeter of the data center.
When drives are removed from the data center, it is important -- sometimes mandated -- that all data be eliminated from the drives before they're disposed of or repurposed. This process is known as data "sanitization." SEDs make this end-of-life activity much easier, faster and cheaper.
One way SEDs accomplish this is through the simple implementation of strong authentication and strong passcodes. When an SED with proper authentication is removed from its host computer, and the passcode is kept secure, there is no way to read the data from the drive without using that passcode. The data is inaccessible and effectively gone.
An even more secure way to sanitize an SED is known as "cryptographic erase" or "crypto-scramble." On SEDs, data sanitization is as easy as sending an authenticated SANITIZE command to the drive, which instructs the drive to destroy its current encryption key and generate a new one using government- and industry-approved random-number-generation algorithms. After this process is complete, in only a second or two, all the data on the drive is completely undecipherable, even if the passcode has been compromised. Now, the devices can be disposed of or recycled normally, or safely repurposed.
As an added benefit, expensive grinders and other exotic means of physical destruction are no longer necessary.
Recently, the United States government released a document entitled "Guidelines for Media Sanitization" (NIST SP800-88 Revision 1), which includes provisions officially approving cryptographic erase as a method for eliminating data, even in high-security environments.
2. SEDs require complicated and expensive key-management software
One of the biggest advantages of SEDs is greatly simplified key management. During the manufacturing process for an SED, the initial encryption key or keys are generated by the drive's true random-number generator (TRNG), which resides in the drive's controller. The factory is never capable of reading or recording the encryption key, as it is not possible to read the key through the data interface. Because the key is created and stored securely by the drive, the host computer is no longer responsible for encryption-key management, only for authentication (the management of passcodes and passwords that are used to open access to the encrypted drive).
In hardware RAID systems, this is accomplished by generating a security code at the time the RAID is configured. The IT manager, or management software, generates and securely stores this security code for future use. Once configured, and for the remaining deployment of the system, this security code is used as a password for the drives in the RAID every time it powers up, automatically, with no intervention from IT technicians. If new drives need to be added to the array, the RAID controller automatically initiates the encryption features on the new drive, using the same security code for the new drive. From the IT tech's viewpoint, the process is nearly the same as it would be for any RAID.
If the RAID card ever fails, upon replacement, the recorded security code from the failed card can be programmed into the new card, and the system will continue to operate as before.
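To make the key-management model in this section concrete, together with the cryptographic erase described under myth 1 and the "change the passcode without re-encrypting" point made later in the TCO discussion, here is an added Python model. It is not Micron's code and not any drive's firmware: it assumes a toy XOR-with-SHAKE256 cipher standing in for the drive's AES engine, PBKDF2 for deriving a key-encryption key from the passcode, and the names SelfEncryptingDrive, RaidController and demo, all of which are this example's own inventions. The media encryption key is created inside the drive object and is only ever handed to the host wrapped under the passcode-derived key, which is the property the text relies on.

```python
"""Toy model of a self-encrypting drive (SED): the media encryption key (MEK) is
generated inside the drive and never crosses the host interface in the clear."""
import hashlib
import hmac
import secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (XOR with a SHAKE256 keystream) standing in for a real SED's AES-XTS engine."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class SelfEncryptingDrive:
    def __init__(self) -> None:
        self._mek = secrets.token_bytes(32)   # MEK; the OS CSPRNG stands in for the drive TRNG
        self._salt = secrets.token_bytes(16)
        self._wrapped_mek = None              # MEK wrapped under the passcode KEK, plus tag
        self._blocks = {}                     # LBA -> ciphertext on the media
        self._unlocked = True                 # factory state: no passcode yet

    def _kek(self, passcode: str) -> bytes:
        # 100k PBKDF2 rounds is an assumption; real drives use their own KDF/Opal flow
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def _require_unlocked(self) -> None:
        if not self._unlocked:
            raise PermissionError("drive is locked; authenticate first")

    def set_passcode(self, passcode: str) -> None:
        """Wrap the MEK under a passcode-derived KEK. The media is untouched, so a
        passcode change never requires re-encrypting stored data."""
        self._require_unlocked()
        kek = self._kek(passcode)
        wrapped = _xor_stream(kek, b"wrap", self._mek)
        self._wrapped_mek = wrapped + hmac.new(kek, wrapped, "sha256").digest()

    def change_passcode(self, old: str, new: str) -> bool:
        if not self.unlock(old):
            return False
        self.set_passcode(new)
        return True

    def power_cycle(self) -> None:
        if self._wrapped_mek is not None:     # an owned drive locks at power loss
            self._mek, self._unlocked = None, False

    def unlock(self, passcode: str) -> bool:
        if self._wrapped_mek is None:
            return True
        kek = self._kek(passcode)
        wrapped, tag = self._wrapped_mek[:32], self._wrapped_mek[32:]
        if not hmac.compare_digest(hmac.new(kek, wrapped, "sha256").digest(), tag):
            return False                      # wrong passcode: MEK stays sealed
        self._mek, self._unlocked = _xor_stream(kek, b"wrap", wrapped), True
        return True

    def write(self, lba: int, data: bytes) -> None:
        self._require_unlocked()
        self._blocks[lba] = _xor_stream(self._mek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        self._require_unlocked()
        return _xor_stream(self._mek, lba.to_bytes(8, "big"), self._blocks[lba])

    def crypto_erase(self) -> None:
        """Authenticated SANITIZE: discard the MEK and draw a fresh one. Old ciphertext
        stays on the media but decrypts to junk; the drive returns to its unowned state."""
        self._require_unlocked()
        self._mek, self._wrapped_mek = secrets.token_bytes(32), None

class RaidController:
    """Hardware RAID card: one security code, recorded at configuration time,
    unlocks every SED member automatically at power-up."""
    def __init__(self, security_code: str) -> None:
        self.security_code, self.members = security_code, []

    def add_drive(self, drive: SelfEncryptingDrive) -> None:
        drive.set_passcode(self.security_code)   # enable encryption on the new member
        self.members.append(drive)

    def power_up(self) -> bool:
        return all(d.unlock(self.security_code) for d in self.members)

def demo() -> dict:
    """Ownership, power cycle, card replacement, passcode change, crypto-erase."""
    code = secrets.token_hex(16)             # security code recorded at configuration
    card = RaidController(code)
    for _ in range(3):
        card.add_drive(SelfEncryptingDrive())
    d0, secret = card.members[0], b"constructed sample record 4711"
    d0.write(7, secret)
    for d in card.members:                   # power loss: every member locks
        d.power_cycle()
    spare = RaidController(code)             # failed card: program recorded code into spare
    spare.members = card.members
    r = {"wrong_code_rejected": not d0.unlock("wrong code"),
         "spare_card_power_up": spare.power_up(), "data_intact": d0.read(7) == secret,
         "rekey_kept_data": d0.change_passcode(code, "new code") and d0.read(7) == secret}
    d0.crypto_erase()                        # decommissioning: old ciphertext is now junk
    r["erase_scrambled"] = d0.read(7) != secret
    return r
```

Running demo() returns True for every checkpoint: a wrong security code is rejected, a replacement card programmed with the recorded code unlocks the whole array, a passcode change leaves the stored data readable without touching the media, and after crypto_erase the very same ciphertext no longer decrypts to the original record. The host never sees the MEK in the clear at any point in the flow.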
3. Encryption will rob my system of performance
If the ease of key management is the biggest advantage of SEDs, then performance is a close second.
When investing in the superior performance of solid state storage, you certainly don't want to have to give back some of that performance because of encryption. This performance penalty is certainly true of software-encryption schemes. In software encryption, in nearly all cases, the higher math functions involved with encryption must be performed by the system's CPU. The encryption operation uses processor bandwidth that could otherwise be used for improved application and data processing, hosting additional virtual machines, or a litany of other business functions. This problem becomes magnified as the number of drives in a storage system grows.
An SED-based system moves the encryption function from the CPU to the drive. The encryption engine on the drive is designed to run at the same speed as the storage interface so that encryption happens in-line, without slowing I/O speeds.
Although the very design of SEDs ensures that there is no performance loss due to encryption, we validated this point with a series of performance tests on a RAID array of Micron® M510DC SEDs. The results are shown in Figure 1. As measured, any difference in performance between an unencrypted system (standard SSD) and a system encrypted with an SED is negligible, within the measurement error of the test system.
4. Encryption will negate my data dedupe and compression efforts
Many enterprises gain great efficiency and cost savings by using data deduplication and/or data compression (using less storage for a given amount of information). But countering that is the mathematical fact that encrypted data is effectively the same as random data, and therefore cannot be deduplicated or compressed. This means that the data-storage system designer must take care in properly designing where and when deduplication takes place.
In designing systems with both deduplication and encryption, we find another advantage of SEDs. In software encryption systems, it can be critical that encryption is done only after deduplication to ensure storage efficiency, requiring significant design modifications when software encryption is implemented. On the other hand, by doing encryption only at the endpoint -- at the drive -- the system designer can take full advantage of the deduplication function, without design compromises, because the SED doesn't treat deduped or compressed data differently than any other data. An SED-based encrypted system that features deduplication will look very much the same as an unencrypted system with deduplication, with the simplest design path.
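To show the ordering problem described above with numbers, here is an added Python model of the two pipelines. It is example code, not Micron's or any storage vendor's: it assumes a toy nonce-plus-SHAKE256 cipher standing in for real encryption, SHA-256 content hashes for deduplication fingerprints, zlib for compression, and a constructed workload of 100 logical blocks drawn from 5 distinct, highly redundant blocks. The function and constant names (toy_encrypt, software_encryption_path, sed_path, compare, BLOCK_SIZE) are this example's own.

```python
"""Toy storage pipeline: why host-side (software) encryption defeats deduplication
and compression, and why encrypting at the endpoint (the SED) does not."""
import hashlib
import os
import zlib

BLOCK_SIZE = 4096

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a real cipher: fresh random nonce plus a SHAKE256 keystream.
    As with any sound cipher, the output is indistinguishable from random bytes."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(block))
    return nonce + bytes(a ^ b for a, b in zip(block, stream))

def dedup_ratio(blocks) -> float:
    """Logical blocks divided by distinct blocks, fingerprinted by content hash."""
    return len(blocks) / len({hashlib.sha256(b).digest() for b in blocks})

def compression_ratio(blocks) -> float:
    """Raw bytes divided by zlib-compressed bytes, block by block."""
    return sum(len(b) for b in blocks) / sum(len(zlib.compress(b)) for b in blocks)

def software_encryption_path(blocks, key: bytes) -> dict:
    """Host encrypts before the storage layer sees the data: every block becomes
    unique random-looking ciphertext, so dedup and compression find nothing."""
    ciphertexts = [toy_encrypt(key, b) for b in blocks]
    return {"dedup": dedup_ratio(ciphertexts),
            "compress": compression_ratio(ciphertexts),
            "stored_bytes": sum(len(c) for c in ciphertexts)}

def sed_path(blocks, key: bytes) -> dict:
    """Dedup and compress on plaintext; the drive then encrypts whatever it is
    asked to store, treating deduped or compressed data like any other data."""
    unique = {}
    for b in blocks:
        unique.setdefault(hashlib.sha256(b).digest(), b)
    stored = [toy_encrypt(key, zlib.compress(b)) for b in unique.values()]  # drive-side
    return {"dedup": len(blocks) / len(unique),
            "compress": compression_ratio(list(unique.values())),
            "stored_bytes": sum(len(s) for s in stored)}

def sample_workload(logical_blocks: int = 100, distinct: int = 5) -> list:
    """Constructed workload: many copies of a few highly redundant blocks
    (think cloned VM images or repeated backup sets)."""
    patterns = [bytes([65 + i]) * BLOCK_SIZE for i in range(distinct)]
    return [patterns[i % distinct] for i in range(logical_blocks)]

def compare() -> dict:
    key = os.urandom(32)      # toy key; in a real SED the MEK never leaves the drive
    blocks = sample_workload()
    return {"plaintext": {"dedup": dedup_ratio(blocks), "compress": compression_ratio(blocks)},
            "software_encryption": software_encryption_path(blocks, key),
            "sed": sed_path(blocks, key)}
```

compare() shows the plaintext workload deduplicating 20:1 and compressing by well over 50:1, the software-encrypted path collapsing to a 1:1 dedup ratio with compression slightly below 1:1 (zlib's framing overhead on incompressible data), and the SED path keeping the full 20:1 dedup while storing only a few hundred bytes of ciphertext for the whole workload. The general lesson applies beyond the toy cipher: any host-side encryption with per-block nonces produces this result, which is why the design must place dedup and compression before the encryption boundary.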
5. All these advanced security features are too expensive for my data center
Micron is tackling that problem for you. With the advent of Micron's 3D NAND, solid state performance is more cost-effective than ever. Even though SSDs still cost more on a per-gigabyte basis, raw price should be only the start of the discussion of total cost of ownership, or TCO. The combination of Micron's latest NAND technology with SED features can help reduce TCO in a number of ways:
- Micron co-sponsored a study with our colleagues at WinMagic, Inc. and the Ponemon Institute laying out the cost advantages of SEDs. Specifically, worker productivity gains can be seen by the improved performance and simplicity of SED-based systems. Important savings can be achieved by not having to re-encrypt data when keys must be occasionally changed.
- Simplified end-of-life management using cryptographic erase greatly reduces the cost of data purging, helping to reduce the risk of a costly data leak or breach.
- The cost of not implementing encryption can be high. Many highly sensitive environments already have regulatory requirements for encryption, and IT managers in other industries are wise to see the value in protecting all the data across the business. The cost of even one data breach can be millions of dollars, especially in lost future business due to a damaged reputation for security.
- In many HDD-based storage systems, system designers work with configurations like RAID-10 to compensate for the bandwidth limitations of HDDs, but those configurations sacrifice as much as 50% of the native storage space of the HDD array for redundancy and performance enhancement. Because SSDs are so much faster, simpler configurations are becoming viable again. RAID-10 exhibits faster performance than RAID-5 for a given drive type, but speedy SSDs may be able to compensate not only for this, but also for the slower rebuild times of a RAID-5. Therefore, a RAID-5 or RAID-6 can be used with your SSDs, and in an eight-drive array, for example, only one or two drives need to be sacrificed for redundancy instead of four as in a RAID-10. Suddenly, the per-gigabyte cost of usable storage can swing in favor of solid state.
IT managers may have concerns about implementing SEDs, but these concerns are often founded in misconceptions about how SEDs work. As discussed, SEDs:
- Are very important to data security, even in environments where physical security measures are strong. There are legitimate reasons for drives to move outside security perimeters, and SEDs can ensure that sensitive data doesn't leave with the drives.
- Greatly simplify the key-management process by generating and keeping encryption keys securely on the drive. The host computer needs only to manage passcodes or passwords.
- Take on the encryption function, so the CPU is free to run normal computing operations and suffers no performance loss.
- Can operate in systems using data deduplication with no special design requirements, unlike software-encrypted systems.
- Can be implemented very efficiently with regard to TCO.