Government security officers may be rushing to buy a new drive from Seagate next year. The San Francisco Chronicle reports that Seagate Technology will start selling the world's first hard drive with built-in encryption technology in early 2007.
The loss or theft of laptops containing sensitive records has, of course, been a huge issue for federal agencies recently. The Veterans Affairs Dept.'s loss of a laptop with 28 million Americans' records exposed just how poorly much personal data is protected by government.
"That incident could have been resolved without public disclosure had they used an encrypted drive on that laptop,'' said Scott Shimomura, senior product marketing manager for Seagate.
The technical breakthrough means that government agencies can no longer forestall the use of encryption on laptops, says Chris Voice, chief technology officer for Entrust, an encryption software company.
The frequent and embarrassing revelations of data losses -- generally through lost laptops -- has put the heat on government and corporate officials to do whatever is necessary to protect sensitive information "The technology barriers are gone," Voice said. "Now it's a matter of changing organizational behavior."
Other manufacturers are working on the problem, as well, but says John Donovan, a vice president with TrendFOCUS, "there's no question Seagate is way out in front on this."
How does it work?
The heart of the new hardware-based system is a special chip. That chip, built into the drive, will serve to encode and decode all data traveling to or from the disk, he said. This encrypted drive will be installed in the laptop by the manufacturer. Once the user takes possession of the machine, the user or a system administrator will have to create a password in order to use the computer.
"You cannot boot up your system until you have loaded the password that unlocks the encryption,'' Shimomura said.
There are a couple of issues with the password scheme, though. For one thing, don't lose the password. It can't be changed and there's no way to access the disk without it. "If the password has been lost to the drive, then, yes, the drive becomes unusable," Shimomura said.
For another thing, users are notorious for using passwords that are easy to remember, such as kids' or pets names or simple runs of numbers like 123456. Even arcane but short passwords are not secure.
It's relatively easy for someone with the proper know-how to use computer programs to crack a simple password. Encryption expert Nate Lawson estimated that a seven-letter password could be broken in five or six minutes by a person who understood how to use computer programs to go through all the possible combinations of letters.Seagate hopes that once its drive-based encryption becomes available in laptops, the ease of use may remove the objections and drive the demand for data-scrambling systems. Seagate's gambit John Girard, a security analyst for Gartner, said the time is certainly right for Seagate's gambit, but the ultimate success or failure of encrypted drives will depend on how much they cost. Seagate is being mum on how much of a premium over regular drive costs it will seek for its encrypted drives. Nor is it revealing which computer-makers -- if any -- have agreed to ship laptops bearing the new safe drives. "They're trying to make (encryption) transparent to the user,'' said Kolodgy, the IDC analyst.
"It's extremely important that you use a long and random password phrase,'' Lawson said. How long is safe? He said it could take up to 16 randomly chosen letters to make a password crack-proof.