Ruben Dennenwaldt, Senior Product Marketing Manager at Western Digital examines the infrastructures for storing data and how they can be improved.
With data security such a big talking point of late, many of the discussions around protecting data have focused on securing the network. At a time of increased remote working and reliance on cloud technology, perhaps this is understandable. However, a key consideration should also be how best to secure the devices that hold this data.
To ensure data is protected, device systems, hardware and software applications all have to be analysed thoroughly in order to see where improvements can be made to existing infrastructures. Furthermore, new state-of-the-art security techniques need to feel virtually seamless for end users to help ensure the best results.
The advantages of hardware encryption
Encryption is important to both the confidentiality of data and the drive where that data resides. Strong hardware-based encryption can help to increase security without impacting speed.
These days, people have become accustomed to using their mobile phones for authentication as many of us now keep our phone with us at all times. We pair our phones with external devices such as headphones and log in with biometrics such as fingerprint or facial recognition; using these actions seemed like the ideal way to add security features in a way that felt very natural and intuitive.
Hardware-based encryption is different than encryption which takes place within software. In software-based encryption, the host computer has access to the encryption key for the disk which means that malware on the host can steal that key. With many forms of hardware-based encryption, the key used to encrypt data on the drive stays isolated within the drive itself.
Hardware-based encryption therefore helps provide a secure method of establishing trust whilst also eliminating a traditional point of friction and weakness within the verification process.
Application security through sandboxing
One of the security measures that must be met by apps listed on official app stores is application sandboxing. Sandboxing supports built-in operating system checks to limit an app’s use of system resources to only those features that the app developer intends. This helps prevent inserted malicious or faulty code from being used to access additional system resources.
For instance, a sandboxed application cannot corrupt other applications’ files or spoof operating system level security dialogues. By contrast, an app which contains a kernel level driver has full control over an operating system as well as all the applications and files on a computer – any security bug in this driver might allow malware to take over the entire computer.
Sandboxed applications include an entitlement list that enumerates the set of system resources that the app requires. This list is checked by the operator of the app store to ensure that it matches the features of the application. If the application attempts to access a resource that it does not have permission to use, such as a microphone, then the operating system’s sandbox will prevent the application from continuing.
This keeps an app from being used to access resources and data on devices. When it comes to ease of use, the key is applying the best practices of mobile device security to external drives. If the drive is uniquely linked via an app on a user’s compatible smartphone through an encrypted wireless connection it helps bring enhanced security and a great user experience.
Traditionally, there are two methods to unlock a drive and authorise other users: wirelessly via Bluetooth technology and by using a wired method, such as via a USB port. No matter which method is chosen, the same technologies are used to help secure connection to the device.
The Bluetooth pairing process requires a pairing code to be entered on both devices. Nowadays, Bluetooth security can provide a “point and pair” connection process which makes it easier to pair and also helps improve security by verifying the authenticity of the drive when connecting to it.
Drives can contain a label with a unique key that is used to locate and secure the connection. When connecting via Bluetooth technology, simply scanning the QR code on the label and then on the phone finds and connects to the drive using the key embedded in the code. When connecting via a USB port, a separate, shorter code is used which is printed next to the QR code. This code serves as validation that the user is connecting to the right drive, and also helps prevent malicious applications from connecting to it.
Data protection through hardware-backed encryption
These days, hardware-backed encryption is based on a new approach to public key management, one which allows data to be self-secured by the hardware-based key storage in smartphones or computers.
Not only can passwords be a weak link in security but they can also interfere with the usability of a device. Simply put, people may choose weak passwords or they forget them; once the password of a self-encrypting drive is lost, the data on the drive could be lost as well.
To address these issues, there is a new approach to securing data on a self-encrypting drive whereby a smartphone or laptop can be used as a “key” to unlock drives. Specifically, this is done through a hardware-backed key storage on the device. This hardware protection enforces the use of a mobile device’s passcode or the biometric used to unlock the private key.
There are clear advantages to using hardware for data security over solely relying on secure networks. Hardware products can push the boundaries of state-of-the-art security techniques while maintaining ease-of-use that feels virtually seamless. These products are designed by choosing existing, proven security concepts, improving them whenever possible and creating innovative solutions where they are needed. Ultimately, by weaving concepts together, a next-generation architecture is created that helps provide security over many technology layers.
To find out more information, visit: www.westerndigital.com
This article was originally published in the July edition of Security Journal UK. To get your FREE digital copy, click here.