Guest Column: When to Use Software versus Hardware Encryption for Data Storage?

By Richard Kanadjian, Encrypted USB Business Manager of Kingston Technology

How businesses store, transport and manage sensitive consumer and company information has become critical not only for large companies but for small- and medium-sized businesses (SMBs) as well. Encryption technology has evolved to meet the unique requirements of different storage media. The question for users becomes: What are the most effective forms of encryption for the data storage solutions I am using?

What is the difference between hardware and software encryption?

Not only is encryption vital in securing and protecting data, how that encryption is performed is likewise essential. Users have two choices: hardware- and software-based encryption.

Hardware-based encrypted drives are self-contained; they don’t require a software element on the host computer to decrypt the files, though they are typically provisioned and administered through a software management application.

Software-based encryption relies solely on the resources of the host device to decrypt the data. Software on the host device encrypts the data, and then stores it on the drive.

Solid-State Drives: Encryption for Internal Storage

Solid-state drives (SSD) are becoming the data storage medium of choice for everything from client computers to data centers and a company’s internal servers. In a corporate setting, encryption of the hard drive is an effective solution for data security beyond the standard network security firewalls because the computer doing the decryption is a known entity. To securely store the data, a software program on the computer encrypts the data, then stores it on the SSD. To read back the encrypted data, the same software program decrypts the data.
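The software-based model described in the two paragraphs above, written out as an added Go example (not code from the column or from Kingston): the host process holds the AES-256 key and performs every encryption and decryption, while a stand-in `Drive` type only stores the bytes it is handed. The `Drive` and `HostEncryptor` types, the use of GCM mode, and the sample record are assumptions constructed for this illustration; the column itself only says 256-bit AES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Drive stands in for the storage medium in the software-encryption model: a
// plain byte store that performs no cryptography of its own. Constructed for
// this example; it is not a real device driver.
type Drive struct {
	blocks map[string][]byte
}

func NewDrive() *Drive { return &Drive{blocks: make(map[string][]byte)} }

// Write stores the bytes exactly as given; the drive cannot tell plaintext
// from ciphertext, so what it receives is entirely up to the host software.
func (d *Drive) Write(name string, data []byte) {
	d.blocks[name] = append([]byte(nil), data...)
}

// Read returns the stored bytes for name, or false if nothing was stored.
func (d *Drive) Read(name string) ([]byte, bool) {
	b, ok := d.blocks[name]
	return b, ok
}

// HostEncryptor is the software element on the host. The key it was built
// from lives in this process's memory while the volume is unlocked, which is
// the exposure a self-contained hardware-encrypted drive avoids.
type HostEncryptor struct {
	aead cipher.AEAD
}

// NewHostEncryptor wraps a 32-byte key in AES-256-GCM (assumed mode).
func NewHostEncryptor(key []byte) (*HostEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &HostEncryptor{aead: aead}, nil
}

// Store encrypts on the host, then writes nonce || ciphertext || tag to the
// drive. The record name is bound in as associated data, so a ciphertext
// copied under a different name will not decrypt.
func (h *HostEncryptor) Store(d *Drive, name string, plaintext []byte) error {
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := h.aead.Seal(nonce, nonce, plaintext, []byte(name))
	d.Write(name, sealed)
	return nil
}

// Load reads the record back and decrypts on the host. A wrong key or any
// change to the stored bytes fails the GCM tag check instead of returning
// silently corrupted plaintext.
func (h *HostEncryptor) Load(d *Drive, name string) ([]byte, error) {
	sealed, ok := d.Read(name)
	if !ok {
		return nil, errors.New("no such record on drive")
	}
	ns := h.aead.NonceSize()
	if len(sealed) < ns+h.aead.Overhead() {
		return nil, errors.New("stored record too short to be valid")
	}
	return h.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(name))
}

func main() {
	key := make([]byte, 32) // in practice derived from a passphrase or fetched from a key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	host, err := NewHostEncryptor(key)
	if err != nil {
		panic(err)
	}
	drive := NewDrive()
	secret := []byte("customer list: constructed sample data")
	if err := host.Store(drive, "customers.csv", secret); err != nil {
		panic(err)
	}
	raw, _ := drive.Read("customers.csv")
	fmt.Printf("drive holds %d bytes, none of them plaintext: %t\n",
		len(raw), !bytes.Contains(raw, secret))
	back, err := host.Load(drive, "customers.csv")
	fmt.Printf("host decrypted: %q (err=%v)\n", back, err)

	// Read hands back the drive's own buffer, so this edits the stored record;
	// the modification is detected on the next Load.
	raw[len(raw)-1] ^= 0x01
	_, err = host.Load(drive, "customers.csv")
	fmt.Println("after flipping one stored byte, Load error:", err)
}
```

The two things worth noticing are where the work happens and what the drive can verify: every byte of cryptography runs on the host, the key is ordinary process memory for as long as the volume is open, and the drive itself has no way to refuse a write of plaintext or a reformat. An authenticated mode such as GCM at least guarantees that a corrupted or swapped record is rejected rather than decrypted into garbage.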

Many modern permanent storage media are built with hardware-based (256-bit AES) encryption, though a hardware-encrypted SSD still requires a software-based security program to activate and manage it. Relying solely on encryption software running in the operating system adds another point of failure, and therefore another potential vulnerability, to the process of securing data.

SSDs with encryption support full security suites including TCG Opal 2.0 and eDrive, which are standards based on the IEEE 1667 protocol governing how a storage device interacts with the host client. One of the most popular encryption services is BitLocker, as it ships with the Professional and Enterprise versions of Windows 8 and 10, in addition to Windows Server 2012 and newer. Other solutions include offerings from Symantec™, McAfee™ and WinMagic®. While the management program on the host side is software, the data is still encrypted and decrypted in hardware on the storage media.

USB Drives: Hardware Encryption for Removable Storage

Removable storage such as USB drives presents a unique challenge when securing data. USB drive encryption can be done either through the device’s hardware or through software. A hardware-centric, software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack routes. This software-free method provides broad compatibility with most operating systems and embedded equipment possessing a USB port, while moving the encryption workload off the operating system.

Hardware-based encrypted USB drives are self-contained, do not require a software element on the host computer, and are the most effective means of combating ever-evolving cyber threats. Hardware-encrypted USB drives protect against brute force, sniffing and memory hash attacks because their security is self-contained inside the drive.

Software encryption for USB drives is not effective or secure because of operating system compatibility issues. In addition, users can reformat a drive before storing data on it, removing all encryption from the USB drive and essentially turning an encrypted drive into a standard, open drive.

Data security and customer privacy are not only concerns for large businesses; SMBs face the same issues with smaller budgets, so identifying cost-effective ways to mitigate the risk is paramount as more compliance regulations go into effect. Privacy laws are always changing, and generally in the direction of becoming stricter rather than more lenient. Customer and other sensitive data need to be stored on encrypted drives to reduce the risk of a data breach, data loss and liability.

About the Author
Richard Kanadjian is currently the Business Manager of Kingston Technology’s Encrypted USB unit. He joined Kingston in 1994 and has served the company in a variety of roles for both the Flash and DRAM divisions. Among his many positions, Mr. Kanadjian was a field applications engineer in the company’s strategic OEM division, where he helped build relationships with leading PC and chipset manufacturers. Prior to his current role, Mr. Kanadjian was part of the SSD product engineering department helping develop and support Kingston’s enterprise SSDs on both a technical and customer level.