SSD Management Made Easy

By Ben Thiel - 2015-02-24

At Micron, we are striving to make “SSD Management Made Easy” more than just a catch phrase.  It is driving our efforts to bring the very latest and best technology to market, along with the features and tools that IT managers and end users need to support their Micron SSDs during deployment and throughout the years of useful life which follow.

Encryption and Self-Encrypting Drives

IT managers in organizations from SMBs to enormous multi-nationals often have specialized feature requirements for their mobile data storage.  One of the key features that Micron SSDs bring to market is the world-class encryption offered in our M600 SSD.  The M600 supports the Trusted Computing Group (TCG) Storage Subsystem Class Opal specification for data security in mobile applications, especially for notebook computing.  The Opal specification is now on its second revision, and Micron has been building and supporting TCG Opal SSDs for many years. The M600 self-encrypting drive (SED) provides always-on hardware-based encryption built on our Advanced Encryption Standard (AES) 256-bit encryption engine.  This gives the drive top-of-the-line encryption capability without having to use CPU bandwidth on the host system for encryption operations, as you’d see with 128-bit software encryption deployments. Hardware-based encryption gives superior encryption protection without the performance penalty that software encryption incurs.

Encryption is actually only part of the story.  The TCG Opal specification also provides for strong authentication, which prevents anyone without the proper credentials from accessing the data on the SED.  Because the specification provides for pre-boot authentication, the authentication process is completed before the operating system starts.  This means that no OS-level application can be used to attempt to break the authentication key (e.g., password, passphrase, biometric, or smartcard).

Even so, SEDs by themselves do not provide a full measure of protection.  The corporate IT manager will also need software at the client level and at the company IT level which will initiate the encryption protection, manage the organization’s fleet of mobile computers, and ultimately protect any sensitive data.  To this end, Micron engineers work daily with the major software vendors in this field.  In particular, we have very close engineering relationships with Wave Systems and WinMagic.

Together, Micron’s SED and a software encryption management package provide the IT manager with a complete solution to protect data-at-rest, especially in an age when mobile computers (and sensitive data) can be anywhere in the world.  This ensures that data stored on these mobile computers is completely protected behind strong authentication when the system is powered off or in a sleep or hibernate state. 

As Greg Kazmierczak, the Chief Technical Officer of Wave Systems, tells us, “Wave provides IT managers with a complete data protection solution for their organization’s SEDs, all from a single remote console—either on-premise or in the cloud.  Wave EMBASSY® Remote Administration Server (ERAS) and Wave Cloud solutions were specifically tailored to manage superior encryption options such as SEDs from Micron.  ERAS and Wave Cloud give the organization the means to manage and actively monitor the data-at-rest encryption status of the entire organization, even when those devices venture outside the firewall.  And it’s important to note that ERAS and Wave Cloud provide verifiable compliance with information security laws and regulations—an absolute necessity for medical, financial, and government-affiliated organizations.”

Device-Level Management and the Micron Storage Executive

Micron’s SEDs conform to Microsoft’s specification for Encrypted Hard Drives, also known as eDrive. This eDrive feature is supported in Microsoft BitLocker in Windows 8 and 8.1, Professional and Enterprise editions, and will carry forward into future Windows releases. Implementing eDrive allows the end user to take advantage of hardware-based SEDs using device-level authentication.

We know the importance of having simple-to-use methods to manage SSDs at the device level and at the desktop level. That’s why we’re introducing our first SSD management application, which we call Storage Executive.  Storage Executive is a desktop application which allows users to monitor the SSD’s health status, report the SSD’s firmware revision, automatically check Micron’s web site for new firmware updates, and manage the download and installation of new firmware.

Storage Executive is not intended to manage encryption features, but it can take advantage of some encryption features to ease the overall management of the SSD and can provide another measure of data protection.

In any organization which manages sensitive data, secure elimination of sensitive data is just as important as keeping such data safe. Because of this, we have given Storage Executive the capability of executing the sanitize operation on any Micron SSD attached directly to a computer’s SATA port.  Sanitize will permanently eliminate any user data on the SSD.  This is not simply an operation which removes pointers to data; rather, all of the 1s and 0s associated with user data, partition information, and file system information are completely ERASED, in under one minute, for all but our biggest SSDs.  This function is critical when the SSD needs to be retired or redeployed.  It is a simple and inexpensive alternative to the elaborate data elimination methods that have traditionally been used for HDDs, like long internal data overwrite processes, expensive de-gaussing machines, and grinders and shredders.

Finally, Storage Executive can take advantage of another encryption feature, via a function with the unassuming name of “PSID REVERT.”  The PSID is a physical security identifier.  This is a 32-character code which is printed on the SSD’s physical label.  Modern encrypted storage devices are a true boon to data security, but unfortunately, sometimes passwords are forgotten and smart cards are lost.  Sometimes workers leave an organization and leave behind locked computers.  In cases like these, Micron doesn’t provide a “factory backdoor” by which a lost authentication key can be broken, so the data on the drive will be lost.  But in this type of case, Storage Executive’s PSID REVERT function could be used to re-initialize the SSD, perform a CRYPTOGRAPHIC ERASE on the SSD (erasing and replacing the encryption key, to make the data unreadable), and reset the drive to factory-new settings.  Although this operation can’t recover data, at the very least, you can re-deploy the SSD or securely erase the drive before disposing of it.
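
The cryptographic erase behind PSID REVERT can be modelled in Python. The following is an added example, not Micron or Storage Executive code: ToySED, its methods and any PSID passed to it are hypothetical, and a SHA-256 keystream stands in for the drive's AES-256 engine because the Python standard library has no AES.

```python
import hashlib
import hmac
import secrets


def _cipher(key: bytes, lba: int, data: bytes) -> bytes:
    # Stand-in for the drive's AES-256 engine (assumption, see lead-in):
    # XOR with a SHA-256 counter keystream. The same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + lba.to_bytes(8, "big") + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class ToySED:
    """Constructed model of a self-encrypting drive; not vendor firmware."""

    def __init__(self, psid: str):
        self._psid = psid                       # fixed at manufacture, printed on the label
        self._mek = secrets.token_bytes(32)     # media encryption key, never leaves the drive
        self._flash = {}                        # lba -> ciphertext actually stored
        self._salt, self._verifier = b"", None  # no credential set: factory state

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def set_password(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(password)

    def write(self, lba: int, data: bytes) -> None:
        self._flash[lba] = _cipher(self._mek, lba, data)  # always-on encryption

    def read(self, lba: int, password: str = "") -> bytes:
        if self._verifier is not None and not hmac.compare_digest(
                self._derive(password), self._verifier):
            raise PermissionError("drive is locked")
        return _cipher(self._mek, lba, self._flash[lba])

    def psid_revert(self, psid: str) -> None:
        if not hmac.compare_digest(psid.encode(), self._psid.encode()):
            raise PermissionError("PSID does not match the label")
        self._mek = secrets.token_bytes(32)     # cryptographic erase: the old key is gone
        self._salt, self._verifier = b"", None  # credentials back to factory state
```

After psid_revert the stored ciphertext is untouched, yet read returns only noise because the key that produced it no longer exists; this is why the operation is fast and why the data cannot be recovered.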

SSDs have been lauded for the tremendous performance and power savings they provide for many years.  At Micron, we are investing in product development to continue the advancement in these key areas, while also providing customers with the tools to effectively manage all of the extended features that our SSDs provide.

Ben Thiel
