QSAN Blog

Using SED & ISE Drives to Protect Your Data


Almost all drives eventually leave the enterprise or data center. Corporate data still resides on those drives, and when most of them leave the data center, the data they contain is still readable. Even data striped across many drives in RAID protection is vulnerable to data theft because a typical single stripe in today’s high-capacity arrays is large enough to expose sensitive and secured data.

IT Faces the Problems of Retired Drives

When disk drives are retired and moved outside the data center into someone else’s hands, the data on those drives is put at significant risk. IT administrators routinely retire drives for a variety of reasons, including:

  • Returning drives for warranty, repair, maintenance, or expired lease agreements
  • Removal and disposal of disk drives
  • Repurposing drives for use in other storage

Drive Control Challenges and Disposal Costs

To avoid data breaches, corporations have tried many ways to erase the data on retired drives before they leave the premises and potentially fall into the wrong hands. Current retirement practices are all expensive and time-consuming, such as:

  • Overwriting drive data
  • Degaussing or physically shredding
  • Hiring professional disposal services

These methods, designed to make data unreadable, rely on significant human involvement in the process and are thus subject to technical and human failure.

The Invention of SED and ISE Drives

Thousands of disk drives leave data centers daily as old systems are retired. But what if all those disk drives had been automatically and transparently encrypting that data, enabling it to be instantly and securely erased? SED comprehensively resolves these issues, making encryption for drive retirement easy and affordable.

SED (Self-Encrypting Drive) Introduction

An SED has a built-in encryption controller and an encryption key on the disk drive itself. It can provide instant secure erase (cryptographic erase, or making the data no longer readable) and enable auto-locking to secure active data if a drive is misplaced or stolen from a system while in use. An SED has two functions: authentication, which is handled by the AK (Authentication Key), and data encryption, which is handled by the DEK (Data Encryption Key).

ISE (Instant Secure Erase) Drive Introduction

An ISE drive, by contrast, provides instant secure erase only. When it’s time to retire or repurpose the drive, the owner sends a command to the drive to perform a cryptographic erase. Cryptographic erase simply replaces the encryption key inside the encrypted drive, making it impossible to ever decrypt the data encrypted with the deleted key. An ISE drive encrypts data with a DEK only and has no authentication.

Benefits

SED and ISE reduce IT operating expenses by freeing IT from both drive control headaches and disposal costs, and they do so without hindering IT efficiency. Furthermore, SED and ISE simplify decommissioning and preserve hardware value for returns and repurposing by:

  • Securing warranty and expired lease returns
  • Eliminating the need to overwrite or destroy the drive
  • Enabling drives to be repurposed securely

In addition, the drive owner may choose to employ the SED in the auto-lock mode to help secure active data against theft. Utilizing the SED in auto-lock mode simply requires securing the drive during its normal use with an authentication key. When secured in this manner, the drive’s data encryption key is locked whenever the drive is powered down. In other words, the moment the SED is switched off or unplugged, it automatically locks down the drive’s data.

When the SED is then powered back on, the SED requires authentication before being able to unlock its encryption key and read any data on the drive, thus protecting against misplacement and insider or external theft.
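The AK/DEK split, auto-lock, and cryptographic erase described above can be modeled in a few lines. This is an added example, not QSAN or drive-vendor code: `ModelSED` and its methods are hypothetical names, and the HMAC-based stream cipher and key wrapping are toy stand-ins for the drive's hardware encryption engine.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 counter mode) standing in for the drive's AES engine.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ModelSED:
    """Hypothetical model: the DEK encrypts sectors, the AK only unlocks the DEK."""
    def __init__(self, ak):
        self.media = {}                      # lba -> ciphertext; plaintext is never stored
        self._salt = secrets.token_bytes(16)
        self._install_dek(ak)

    def _kek(self, ak):                      # key-encryption key derived from the AK
        return hashlib.pbkdf2_hmac("sha256", ak, self._salt, 100_000)

    def _install_dek(self, ak):              # new random DEK, kept at rest only in wrapped form
        self._dek = secrets.token_bytes(32)
        kek = self._kek(ak)
        self._wrapped = _xor_stream(kek, b"wrap", self._dek)
        self._tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()

    def power_cycle(self):                   # auto-lock: plaintext DEK is lost with power
        self._dek = None

    def unlock(self, ak):
        kek = self._kek(ak)
        tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return False                     # wrong AK: the DEK stays locked
        self._dek = _xor_stream(kek, b"wrap", self._wrapped)
        return True

    def _cipher(self, lba, data):            # XOR stream: same call encrypts and decrypts
        if self._dek is None:
            raise PermissionError("drive is locked")
        return _xor_stream(self._dek, lba.to_bytes(8, "big"), data)

    def write(self, lba, data):
        self.media[lba] = self._cipher(lba, data)
    def read(self, lba):
        return self._cipher(lba, self.media[lba])

    def crypto_erase(self, ak):              # replace the DEK; the ciphertext is not touched
        self._install_dek(ak)
```

Writing a sector, calling `power_cycle()`, and then `read()` raises `PermissionError` until `unlock()` succeeds with the right AK; after `crypto_erase()` the stored ciphertext is byte-for-byte unchanged but no longer decrypts to the original data.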

Conclusion

As data security becomes a more common concern, storage systems need to protect data to provide the peace of mind, compliance, and general security that companies care about. Regardless of whether disk drives are lost, stolen, or failed, unauthorized persons cannot compromise the security of the organization by accessing any sensitive data.

Data encryption ensures that all sensitive user data stored on the array is encrypted as it is written to disk so that private data does not fall into the wrong hands. With SED and ISE technology support, it is a simple and useful function for protecting your data.
