Finding Good Use for an Encrypted Drive

The time may be ripe for hard drives with built-in encryption. Or at least that's the opinion of Storage Supersite readers, who saw openings for the storage in medical offices, departments and even for Web services.

Out of sight is not necessarily out of mind when it comes to your data. At least, that was the sentiment of a number of readers as they considered applications for hard drives that come standard with hardware-based encryption. This security technology could be a summer sleeper hit.

The question surfaced in a recent column on WiebeTechs new FireWire Encrypt and USB2 Encrypt lines of external hard drives. The drives firmware offer various levels of DES encryption. According to the company, the encryption firmware doesnt impact the data transfer performance of the drive and the security is transparent to users and software. (See "Tales of the Encrypted Drive" for more information.)

WiebeTech was looking for additional market applications for the drive, beyond some potential government customers. Still, one analyst thought the need for hardware encryption was overblown, even calling it "neurotic."

Samuel Adams, a military contractor (his e-mail sported a .MIL domain) agreed with the criticism, even for use in a government facility. "Most government organizations that would want an encrypted drive are locked down pretty tight—so the risk of someone coming in and stealing a drive seems pretty low. I would think this would have much more useful applications for a laptop or for some other type of portable device."

Offering contrary opinions, many of you thought that the drive addressed quite a number of specific security needs in small and mid-sized businesses to keep private data private. It also would ease concerns when data moves off the premises.

Jeff OByrne pointed to HIPAA requirements for protecting health information. "Although too small at this level for hospital storage, it would be ideal for a doctors office."

At the same time, OByrne observed that the convenience of wireless security and telecommuting may be in conflict with the goals of data security in the HIPAA environment.

"Wi-Fi security is being worked on and can be expected to improve, but [wireless connections] should not be assumed to be greater than experienced in a TCP/IP glass network," OByrne said. "The legislative and regulatory initiatives are based on the sanctity of data, not of the communication, ergo the mobile workers using laptops or PDAs are holding corporate assets of significant value and legal liability. A properly constructed VPN should satisfy the regulators of the sanctity of the data in transit. A hard drive with encrypted data should withstand the inevitable Federal audit."

Some data wants to be kept confidential, even within a company, a number of you observed. And the price for drive-level encryption seemed reasonable.

"Real data security for $400 will appeal to top corporate users, software developers in highly-competitive areas, and for human relations directors, given the legal requirements they have to live with," John Christie observed. "When the technology is proven in the market, we will incorporate it in our management systems information, particularly for marketing development."

Several of you thought encrypted hard drives would be useful for off-site storage. However, Jim C., a "startup Webmaster," saw a use for encrypted storage, albeit in a different form, when dealing with Internet collocation companies.

"I can see encrypted drives being put into Web servers for companies to use at collocation facilities," Jim C. said, describing a secured server with a locked rack-mount case. "No exposed ports for video, keyboard, USB or other dongle. The collo folks would be able to swap failed hard drives and major components, but wouldnt be able to get at the data, even by copying the hard drives."

"Theres no reason for the collo folks to have access to the data! Whos working there late at night, anyway? Can you trust complete strangers with your customers credit-card numbers? Companies do all the time, and I think well start hearing horror stories about internal security at (less expensive) collocation facilities in the future," Jim C. predicted.

At the same time, perhaps hardware encryption wouldnt be necessary in this application. The data stored in a single drive of a RAID Level 5 array is already "encrypted" by being striped. You cant recover any data from it apart from the other mechanisms in its set. However, hardware encryption could give some extra assurance to customers of mirrored configurations that store data in a readable format.

Without a doubt, trust is difficult to find, whether in personal relations or between business partners. My guess would be that Jim C. will sleep easier if his customers data was located closer to his home base. Much closer, like in the closet down the hall. Of course, that would bring its own share of expenses and management headaches. But some value sleep over all.

David Morgenstern is a longtime reporter of the storage industry as well as a veteran of the dotcom boom in the storage-rich fields of professional content creation and digital video.

More from David Morgenstern: