With data theft coming under the spotlight recently, IT executives say they are in favor of self-erase hard-disk drives, but reiterate the human element remains critical in any information security policy.
In April, Toshiba announced Self-Encrypting Drives (SEDs) that include hardware encryption and data invalidation technology, where data stored in a "self-erase" area can be wiped automatically once the host system is switched off, the drive is powered off or the drive is removed.
According to the vendor, the erase process is performed by deleting the encryption key for the self-erase area, which is generated by the host each time the drive is powered up. Therefore, the next time power is re-established to the drive, the self-erase area will rely on a new key, with all previous data eliminated along with the old cryptographic key.
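The key-deletion erase described above, modelled as an added example that is not Toshiba's firmware or code from this article. `ToyDrive`, the sector layout and the HMAC-based keystream (a stand-in for the drive's hardware cipher) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECTOR = 64  # bytes per sector in this toy model (assumption)

def _keystream(key: bytes, lba: int, n: int) -> bytes:
    """Toy per-sector keystream; stands in for the drive's hardware cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        block = lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class ToyDrive:
    """Hypothetical drive: sectors at or above erase_start form the self-erase area."""
    def __init__(self, sectors: int, erase_start: int):
        self.media = [bytes(SECTOR)] * sectors          # ciphertext, survives power loss
        self.erase_start = erase_start
        self.persistent_key = secrets.token_bytes(32)   # key for the ordinary area
        self.ephemeral_key = None                       # volatile, never written to media

    def power_on(self, host_key: bytes) -> None:
        self.ephemeral_key = host_key   # the host supplies a fresh key at each power-up

    def power_off(self) -> None:
        self.ephemeral_key = None       # this is the whole "erase": the key is gone

    def _key(self, lba: int) -> bytes:
        if self.ephemeral_key is None:
            raise RuntimeError("drive is powered off")
        return self.ephemeral_key if lba >= self.erase_start else self.persistent_key

    def write(self, lba: int, data: bytes) -> None:
        plain = data.ljust(SECTOR, b"\0")[:SECTOR]
        ks = _keystream(self._key(lba), lba, SECTOR)
        self.media[lba] = bytes(a ^ b for a, b in zip(plain, ks))

    def read(self, lba: int) -> bytes:
        ks = _keystream(self._key(lba), lba, SECTOR)
        return bytes(a ^ b for a, b in zip(self.media[lba], ks))

def demo():
    drive = ToyDrive(sectors=8, erase_start=4)
    drive.power_on(secrets.token_bytes(32))
    drive.write(1, b"normal area")
    drive.write(5, b"self-erase area")
    before, raw = (drive.read(1), drive.read(5)), drive.media[5]
    drive.power_off()
    drive.power_on(secrets.token_bytes(32))   # new session, new host key
    return before, (drive.read(1), drive.read(5)), raw == drive.media[5]
```

The ciphertext in the self-erase area is never overwritten; it simply decrypts to noise under the new key, which is why the erase completes as soon as power is lost.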
Users of SEDs have the ability to customize the level of data erase, whether to wipe out all information or simply restrict access to particular data, according to an Information Ground blog post. Wiped data is not completely destroyed, as the drive could still be recovered with the use of administrator credentials.
Thumbs up for more security
Thio Fu Wang, senior manager for domains and technology at CrimsonLogic, noted that such HDDs are a step forward in light of increasing data breaches.
"This device provides a distinct advantage of relatively little performance degradation as compared to software full-disk encryption that is offered in the market, while still ensuring strong protection of the data in storage," he said in an e-mail.
Organizations such as banks, investment firms, government agencies, security companies and R&D (research and development) facilities that deal with sensitive information are more likely to adopt SEDs in their printers or PCs, he added.
Kevin Low, an IT executive with a local small and midsize business, told ZDNet Asia in an e-mail the device would make perfect sense if it is installed in laptops which contain corporate information that would otherwise be privy to competitors. There is assurance that in the event of a theft or loss of device, sensitive data will remain safe from outsider access, he explained.
"However, [even] with the fail-safe device in place...I worry that hackers might have a way to gain access to my data even if it is self-erasing," said Low.
Consider human factor, holistic perspective
C.K. Lee, Singapore country manager for data recovery vendor Kroll Ontrack, similarly emphasized the need for such devices to better secure sensitive data, since stored information in devices is typically still easily retrievable.
The general attitude toward data security and disposal of storage devices, he pointed out, remains "careless" and self-erase features of such HDDs will help to protect sensitive data.
Lee added his company has witnessed many cases of data loss and information security issues. "The majority of these are still caused by human error or technical failures.
"Although technological advances and features will increase data security and prevent data loss up to a certain level, the human element remains the most critical in any information security policy," the executive said.
CrimsonLogic's Thio highlighted the need for a "holistic data leakage prevention" framework, which encompasses the entire architecture of data creation, transit and storage.
He also noted that most data thefts do not occur in the form of digital data or media but physical documents. There is hence a need to plug the gap in physical security, he said.
Low expressed preference for secure portable drives over built-in devices, citing DataLocker as one such provider.
Its DL3 HDD comes with a touchscreen keypad and requires two-factor authentication for access. The user has to swipe a card equipped with radio frequency identification (RFID) technology and thereafter enter a password on the touchscreen alphanumeric keypad. Once successfully authenticated, the drive becomes visible on the computer system.
Jay Kim, DataLocker's COO, said in an article on PCMag that hardware-based authentication is more effective than software-based authentication, adding that such products can be used in environments that do not allow software installation.