In a provocative article on data encryption, the author wonders if self-encrypting drives can prevent data breaches. The scale of the problem (267 million records containing sensitive information were compromised in 2012) would suggest that the response to data security concerns should be proportionally substantial. Recently Samsung went on record championing self-encrypting drives (SEDs) as a solution for enterprises wishing to prevent data breaches and extolling their benefits.
The benefits, which we detail below, can also be expressed as substantial cost savings. In 2012, the average cost of a data breach was more than five million dollars. And while it is easy to assume that these scenarios only apply to large enterprises, small-to-medium businesses (SMBs) are often victims of attacks targeting larger enterprises, as in the data breaches of Target, Neiman Marcus, Twitter, and J.P. Morgan Chase. SMBs are generally used as gateways for accessing the networks of large enterprises.
In the hospital sector (as in many others), data security vulnerability is widespread. A 2012 independent study of eighty healthcare organizations found that fewer than half felt their organizations could detect “all patient data loss or theft”. Sixty-seven percent didn’t feel their organizations had suitable controls (or procedures) in place.
These concerns are compounded by the emergence of BYOD in the workplace. Despite concerns about data security in BYOD (65% of data breaches reported to HHS [Health and Human Services] between 2009 and 2011 occurred on laptops and mobile devices), the majority of businesses (81% of participating organizations) allow their employees and medical staff to connect to provider networks or access company email via BYOD.
In a 2013 report issued by Cisco, the majority of companies surveyed said their employees used smartphones to access PHI (patient health information) via unsecured or foreign Wi-Fi networks and that they were not password protected.
Advantages of SEDs
Removable Media Encryption (RME) supports encryption of portable storage devices (such as USB drives, CDs and DVDs) by interacting with the read/write processes on the host computer, defining policies for all removable media, and including restrictions based on encryption status. Any files copied onto such media are automatically encrypted (Source: WinMagic's Removable Media Encryption). What makes this different from traditional removable media encryption is that users aren’t required to encrypt all media stored on a device. Rather, they can create containers that are encrypted, leaving the remainder unencrypted.
Another solution is pre-boot network authentication, which will not unlock a device until credentials are verified and allows credentials to be remotely invalidated or amended. This is an ideal solution for companies where BYOD devices (laptops, desktops, servers and removable media) are widely used.
Because SEDs encrypt stored data at the hardware level (circumventing software, which is easily compromised), data encryption is always on, users do not have to access encryption keys (which makes them vulnerable), and authentication occurs outside the operating system (OS).
One of the most common reasons for data security breaches is employee negligence or circumvention of data security best practices. Several studies have shown that the common employee practice of turning off software-based encryption is one of the main causes of data breaches. Because SEDs cannot be disabled, and encryption occurs invisibly, using them is an optimal way to mitigate this practice.
SEDs enable organizations to comply with government and industry requirements (i.e., FACTA and HIPAA), circumvent employee bad practices, and give companies an exemption from claims of negligence (the “Safe Harbor” convention for encrypted data) in the event of an actual data breach. All of these advantages make a sound argument for implementing SEDs as an organization’s standard data security protocol.