Published: 12 Aug 2007
Industry standards body The Trusted Computing Group (TCG) has released a specification that bakes some useful security functionality into storage devices. Analysts think it will roll out quickly, given the onerous implications of lost or stolen data.
"Vendors are looking for any hook into the security space, and this spec hands them the building blocks," says Jon Oltsik, senior analyst at the Enterprise Strategy Group, Milford, MA.
Announced in June and dubbed Trusted Storage, the spec offers a unified implementation of security and encryption functions for hard drives, tape drives and other storage media. It extends TCG's Trusted Platform Module (TPM) and TCG Software Stack; the TPM is built into cryptographic chips that have shipped in more than 200 million PCs and notebooks worldwide.
Seagate's Momentus 5400 FDE.2 2.5-inch hard drives and Hitachi's Travelstar 5K200 and 5K250 2.5-inch laptop hard drives meet the requirements of the specification and are already shipping.
The Trusted Storage spec provides three main benefits, according to Oltsik: it limits who can read from or write to a device through identification and authentication; it allows control over specific configurations or security features for specific users, systems or applications; and it establishes secure communications between storage devices and hosts.
"It will mean no additional user drag on the experience of adding security to storage," says Mike Karp, senior analyst at Enterprise Management Associates, Boulder, CO. "It forces vendors to deal with basic security stuff in a consistent way." There will always be individual interpretations of the spec, says Karp, but he believes it still goes a long way toward making things easier for administrators.
The Trusted Storage spec isn't the only attempt afoot to bring storage and security closer together. Upek, a biometric scanner company in Emeryville, CA, has announced integration efforts with storage controller manufacturer Oxford Semiconductor to provide biometric authentication for encrypted external disk drives. Instead of storing encryption keys in a token that can be lost or stolen, or relying on passwords that can be forgotten, the Oxford/Upek reference design keeps the encryption keys in dedicated hardware and releases them only upon successful biometric authentication.
The biometric reader packs more than 100,000 sensors into the width of a human hair. Users swipe their finger across a light beam that senses the proximity of each finger ridge and then converts that information to grayscale images for identification.
Oltsik believes this is probably "overkill" for most storage devices, however. "If you can't manage who has access to a storage device and what they do, you have bigger problems than two-factor authentication," he says. Because biometric technology hasn't solved the problem of false rejects, which occur when a handprint, fingerprint or face-scanning device fails to recognize a legitimate user whose physical features have temporarily changed, for example through cuts or scabs, the Trusted Storage spec is the more likely direction for most of the industry. --Jo Maitland