In The Boardroom With...
Mr. Lark Allen
Executive Vice President
WAVE Systems Corp.
SecurityStockWatch.com: Lark, please give us an overview of your background and role at Wave.
Lark Allen: My primary IT industry background came from 28 years at IBM where I held a wide range of positions in sales and marketing, development and consulting. I joined Wave in 1998 after retiring from IBM having seen firsthand the dramatic impact that personal computers and distributed technologies had on highly centralized IT infrastructures, including mainframes. Wave was a vocal proponent for establishing “trust” in end user devices even back then. I fully realized the great potential that this strategic design represented to again revolutionize IT architectures, and I still believe that embedding “trust” in user devices is the future for all networks.
For the past 13 years at Wave, I have been involved in the business and corporate development activities associated with this vision. My focus has been on developing a wide range of relationships with technology providers, distribution chains and developing partnerships. Work in this arena has focused on the development of trusted applications in such areas as identity and access management, data protection, secure transactions and content distribution. I’ve also been fairly active on the company’s behalf helping form, and serving on, a number of industry standards groups, including the Trusted Computing Group, OpenID and Information Card Foundations, International Security, Trust and Privacy Alliance (ISTPA) and the Liberty Alliance.
Most recently, I’ve been involved in the industry initiative to move data encryption and platform authentication out of software and into the trusted hardware of storage devices. That work culminated in the publishing of the first open industry specifications around encryption and access control by the "Trusted Computing Group's Storage Work Group" in January, 2009, and announcements of self-encrypting drives by at least six major drive OEMs. Wave has taken a leadership role in this effort, working with most of the major storage vendors to develop the most robust management and control infrastructure for self-encrypting drives based on these standards.
SecurityStockWatch.com: Could you comment on the fundamental difference between software FDE and hardware FDE? Do you foresee self-encrypting drives taking up a larger share of the data protection market? What factors would you point to for this to happen?
Lark Allen: Performing sensitive operations which rely on protecting “secrets”—like encrypting data and authenticating users—in software such as Windows is very difficult, if not impossible, to do securely. That’s based on the open nature of software where all the other processes are sharing the system at the same time. Software is also vulnerable to incessant and pervasive attacks on the systems.
With self-encrypting drives or SEDs, both the encryption and decryption of the data and the authentication of the users are removed completely from the operating system and are performed in the highly secure and trusted environment of the drive controller. This provides a dramatically more secure environment in which to protect all the secrets such as encryption keys and user passwords.
Self-encrypting drives are a relatively new technology, but SEDs are available from virtually all major drive manufacturers now and are offered as options by the major PC OEMs such as Dell, HP and Lenovo. The growth rate of SED deployment is very high and many enterprises have standardized on this technology. The overall growth of SEDs is tied heavily to the refresh cycles of new machines. Since SEDs are new hardware, the enterprises must make the decision to order new laptops and PCs with these drives.
While data protection is a high priority for almost every enterprise, the primary driving factor for full disk encryption has been the worldwide proliferation of data protection laws and regulations. As high profile data breaches have skyrocketed in the past few years, many countries have passed stringent data protection laws calling for the encryption of all sensitive data on customers, users, transactions, health records, etc. New laws such as the HITECH regulation, which is part of the new healthcare legislation, have significantly increased the penalties and consequences associated with data breaches. Complying with data protection laws is clearly a top driver of the market for self-encrypting drives.
SecurityStockWatch.com: Could you give us a brief overview of the contributions each of the drive vendors is making in the development of SEDs?
Lark Allen: Seagate Technology has been the industry leader in the development of self-encrypting drives and the company is now shipping its fourth generation of these drives. They are the clear volume leader in shipments. Wave has worked with Seagate for over six years in the development of this technology and the software infrastructure to manage and control self-encrypting drives, both locally in the PC and centrally from the data center. Seagate was the chair of the Trusted Computing Group Storage Work Group in the development of the storage specifications.
At the same time, Hitachi, Samsung, Fujitsu, Toshiba, Western Digital and other drive vendors all participated actively in the standards development. Hitachi and Fujitsu first shipped encrypting drive hardware and, subsequently, added support for the TCG standards along with Toshiba. Samsung introduced the first solid state self-encrypting drive based on the Opal specifications.
SecurityStockWatch.com: With data breaches becoming more frequent and more expensive, will simply claiming encryption was in place on a lost or stolen laptop be enough to satisfy the “safe harbor” provisions in most data breach laws in effect today?
Lark Allen: There’s been an evolution in data protection regulations and they’ll continue to get tougher. The first phase had regulations that recommended encryption. Safe harbor—where an organization wasn’t required to notify its customers—could be achieved by simply showing that encryption technologies had been utilized.
Subsequent data protection laws such as Massachusetts 201 CMR 17 mandated encryption of specific types of data. To meet the legal burden of proof, an organization had to show that encryption was deployed, turned on and in use at the time of the data loss. In some situations, centralized management is a requirement for Safe Harbor. Another major focus for the laws has been the toughening of penalties and disclosure laws for data breaches. Likewise, proof of compliance and stronger legal precedent are making Safe Harbor exclusions more difficult to achieve.
I expect to see the regulations continue to get tougher and encryption requirements get more specific, and demand for stronger proof, such as audit logs from central management of encryption, will continue to grow.