Global Sources
EE Times-India
Stay in touch with EE Times India
 
EE Times-India > Memory/Storage
 
 
Memory/Storage  

Boost system security with better data-at-rest encryption

Posted: 10 Apr 2012     Print Version  Bookmark and Share

Keywords:data-at-rest  encryption  self-encrypting drive 

In 2010, the United States-based television network CBS aired a program demonstrating how discarded office copiers are gold mines for private information, trivially harvested from disc drives within the machines.1 From copiers randomly selected from a used copier warehouse, investigators recovered lists of wanted sex offenders, drug-raid targets, architectural design plans, personal identification information (name, address, Social Security number), and medical records—including blood-test results and a cancer diagnosis.

When asked whether this could be prevented, one copier company said that customers could purchase a $500 option that will erase copied images from the hard drive after use. Give the guy who wrote those couple lines of code a bonus!

Another obvious solution to this problem is data-at-rest protection. Data-at-rest protection is a when data stored on a device and not in transit, known as data at rest, is either encrypted or follows certain protocols that include encryption to protect the data from unauthorised access. The storage media for an embedded system may include hard disc drives, flash memory, and attached USB thumb drives.

As witnessed by the photo copier story, seemingly benign, mundane office equipment is often vulnerable and not protected. On the other hand, many modern embedded systems do have encrypted storage-protection requirements, driven by intellectual property protection, digital rights management, sensitive customer information, and more. Compliance regulations in certain industries require that sensitive stored data be protected with appropriate data-protection protocols that include encryption. This article discusses approaches for protecting data-at-rest.

Figure 1: Data-at-rest protection choices by layer.

Choosing the storage layer
As shown in figure 1, developers may choose from multiple layers in the data-storage stack to apply data-at-rest protection protocols.

Hardware layer: With full-disc encryption (FDE), the entire medium used for storage is encrypted. All the data that goes on the storage medium is encrypted, including certain hidden files, such as the operating system's temporary files and swap space. The advantage is such files are not exposed. However, the drive itself is not encrypted, leaving the master boot record exposed.

When FDE is handled within the medium peripheral itself, it's referred to as a self-encrypting drive (SED). SEDs are common in the laptop market. The advantage of SEDs for the embedded systems developer is that little or no new software must be written to take advantage of the data-protection facilities. Encryption is performed with specialised hardware within the storage device, offloading the main embedded applications processor. If self-encrypting storage media is feasible, it's an excellent choice due to ease of use, excellent performance, and the ability to hide the storage encryption key from the main applications processor and memory. Unfortunately, many embedded systems will be unable to use the available stand-alone SED products due to form-factor limitations.

Block manager layer: Encryption can be performed at the next level up, the device-management layer, typically a block-oriented driver. Protection at this level may cover the entire managed device (FDE). The performance implications of this approach vary. If the embedded platform contains a symmetric encryption accelerator, the overhead is likely to be reasonable, while a purely software cryptographic implementation may cause a dramatic loss in performance. Embedded systems developers can architect the encryption facilities such that the device driver calls out to generic medium block encryption routines, ensuring that software is easier to maintain across different generations of the embedded product that may use different types of storage.

1 • 2 • 3 • 4 • 5 Next Page Last Page



Comment on "Boost system security with better da..."
Comments:  
*  You can enter [0] more charecters.
*Verify code:
 
 
Webinars

Seminars

Visit Asia Webinars to learn about the latest in technology and get practical design tips.

 

Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

 
Back to Top