Self-encrypting Drives Will Bolster Security, Compliance, but Questions Remain
Insurance Experts' Forum, August 12, 2010
To most of us who live in the world of technology, it is a widely known—if little discussed—fact that data, once written to a drive, continues to live there as long as we allow it to. That’s fine, until you need to make a change—say, switching out a defective drive for a new one or junking an older computer to make room for a new machine.
One of the consequences of such changes is that data existing on those old or defective drives is forgotten. Perhaps we foolishly assume that chucking an old hard drive into the garbage forever destroys the data that it holds. Maybe we just forget about that data in the excitement and busyness of setting up a new system. Our little oversight could turn out to be a doozy, however, if those unwanted disks contain information that someone else—such as a criminal or industrial spy—may find valuable. Such data, which could include passwords, bank account numbers, company secrets or personal information, may also become fodder for criminal websites that offer illegally procured material for sale.
It seems unlikely, however, that we will ever persuade everyone to remember to permanently wipe data off discarded drives. There is a proposed solution, though. Toshiba Corp. has announced Wipe for Toshiba Self-Encrypting Drive (SED) models, a technology that allows special security capabilities, such as “the world's first ability for sensitive user data to be securely erased when a system is powered-down or when [the drive] is removed from the system.”
The feature also can be used to securely erase user data prior to returning a leased system, system disposal or repurposing, Toshiba says. The company adds that this feature will help address the increasing need for IT departments to comply with privacy laws and regulations governing data security. That’s good news for insurers, who handle volumes of sensitive data on a daily basis, and are thus ultra-sensitive to the need to comply with data security measures.
Designed to the Trusted Computing Group "Opal" Specification, Toshiba says its SED models provide advanced access security and on-board encryption for client systems such as notebook computers. “But lost or stolen notebooks are not the only security risk that IT departments must address,” the company says. “Today, most office copier and printing systems utilize HDD capacity and performance to deliver a highly productive document imaging environment. Many organizations are now realizing the critical importance of maintaining the security of document image data stored within copier and printer systems. Wipe is a technology that can automatically invalidate an HDD security key when its power supply is turned off, instantly making all data in the drive indecipherable.”
This sounds great, and while Toshiba did not indicate how this new feature affects pricing, it would seem to pay for itself in terms of peace of mind. But not so fast. What, exactly, do they mean when they say that data are “securely erased”? The answer may depend on how determined crooks are to get at information that is, or was, on a particular drive. Even if data have been deleted from a drive, federal agencies (and probably crooks, as well) are capable of recovering data from media that have been wiped as many as seven times. One has to wonder how well the Toshiba defenses will hold up against a determined effort by an expert hacker. We really don’t know until the technology is used in the real world.
This is not to say that we should avoid purchasing and using drives with Wipe technology. On the contrary, the technology should help avert information thefts by amateurs and perhaps lazy experts. I liken it to anti-theft devices available for cars, many of which exist on my current vehicle. To my inexperienced eye, my car appears to be difficult to steal, but as my expert mechanic son assures me, given enough time and skill, all protections can eventually be defeated.
If we can prevent data thefts by, say, 90%, wouldn’t that be worth the cash outlay? Do we not lock our doors at home because we know that someone could pick the lock or break in the door? Common sense dictates that those to whom valuable information is entrusted do all that they can to protect that information. So there is really no excuse for failing to put every available and affordable safeguard in place.
Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.