Robert Thibadeau, Drive Trust Alliance; Michael Willett, Drive Trust Alliance

The recently approved ISO/IEC 27040 (Information technology/Security techniques/Storage security) standard recognizes Cryptographic Erase as a valid means of sanitizing storage devices. Cryptographic Erase assumes that the protected data has been previously encrypted. Erasure results from deleting ALL copies of the cryptographic key. Without the key, the stored data cannot be read; thus, the storage device is sanitized.

The emerging industry standard for stored-data encryption is the Self-Encrypting Drive (SED), as technically defined and detailed in Trusted Computing Group (TCG) specifications and now provided by all the drive manufacturers, for both rotating and solid-state drives. With SEDs, the drive encrypts all data written to it, using in-line hardware built directly into the drive electronics. The cryptographic key is generated on board during manufacture by a random process and is never externally exposed. Cryptographic Erase is most effective with SEDs because the key is confined to the drive: any and all copies of the key are on the drive and can be deleted simultaneously. Indirect, software-based encryption systems cannot guarantee that all copies of the key are even available, much less erased. The U.S. standard NIST SP800-88R1 (Guidelines for Media Sanitization) officially recognizes Cryptographic Erase using SEDs.

SEDs are now 100% deployed in data center storage for data security and privacy, and all client-side drives are SED-enabled, but adoption of SEDs in the client/consumer space is not yet 100%. TCG is finalizing the SED compliance requirements, which include both certification to the specification and Common Criteria components. The Drive Trust Alliance (DTA; www.drivetrust.com) was recently formed as a member-driven alliance to promote adoption of SEDs in the consumer space. DTA members include TCG, for example, as well as SED makers, SED management vendors, and IT organizations.
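The following is an added illustration, not code from the authors or from any TCG or DTA project, of the property the abstract relies on: once every copy of the media encryption key is gone, the ciphertext left on the media is unreadable, and a sanitization check can confirm that. It models an SED whose key never leaves the device next to a software-encrypted volume that has exported a copy of its key. The per-sector keystream (SHA-256 in counter mode), the class and function names, and the sample record are all constructed for the example; a real SED uses its own in-line cipher.

```python
"""Model of Cryptographic Erase on a self-encrypting drive versus a
software-encrypted volume whose key has been copied elsewhere.
Constructed example; the cipher is a toy stand-in, not a drive's real one."""
import hashlib
import secrets

SECTOR_SIZE = 512


def _keystream(key: bytes, sector: int, length: int) -> bytes:
    """Toy per-sector keystream: SHA-256 over (key, sector, counter).
    Only meant to make the 'no key, no plaintext' property visible."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """The media encryption key (MEK) is generated inside the drive and never leaves it."""

    def __init__(self, sectors: int = 8):
        self._mek = secrets.token_bytes(32)           # on-board random generation
        self._media = [bytes(SECTOR_SIZE)] * sectors  # what is physically stored

    def write(self, sector: int, data: bytes) -> None:
        block = data.ljust(SECTOR_SIZE, b"\x00")[:SECTOR_SIZE]
        self._media[sector] = _xor(block, _keystream(self._mek, sector, SECTOR_SIZE))

    def read(self, sector: int) -> bytes:
        return _xor(self._media[sector], _keystream(self._mek, sector, SECTOR_SIZE))

    def raw_media(self, sector: int) -> bytes:
        """What a forensic read of the platters/NAND would see: ciphertext only."""
        return self._media[sector]

    def crypto_erase(self) -> None:
        """Replace the only copy of the MEK; the ciphertext is left in place."""
        self._mek = secrets.token_bytes(32)


class SoftwareEncryptedVolume(SelfEncryptingDrive):
    """Same cipher, but the key was created by host software and a copy was
    exported (a backup, a key-escrow record, a hibernation image, ...)."""

    def __init__(self, sectors: int = 8):
        super().__init__(sectors)
        self.key_copies = [self._mek]  # copies the device-side erase cannot reach

    def decrypt_with_copy(self, sector: int, key: bytes) -> bytes:
        return _xor(self._media[sector], _keystream(key, sector, SECTOR_SIZE))


def sanitization_check(drive: SelfEncryptingDrive, sector: int, plaintext: bytes) -> bool:
    """Post-erase verification: the sector must no longer read back as the
    known plaintext, and must not come back all zeros (which would suggest
    the drive fell back to an overwrite rather than a key change)."""
    back = drive.read(sector)
    return back[: len(plaintext)] != plaintext and back != bytes(SECTOR_SIZE)


def demo() -> dict:
    secret = b"constructed sample record: account 0001, balance ..."

    sed = SelfEncryptingDrive()
    sed.write(3, secret)
    before = sed.raw_media(3)
    sed.crypto_erase()
    sed_result = {
        "ciphertext_unchanged": sed.raw_media(3) == before,  # nothing was overwritten
        "sanitized": sanitization_check(sed, 3, secret),     # yet the data is gone
    }

    vol = SoftwareEncryptedVolume()
    vol.write(3, secret)
    vol.crypto_erase()
    stray = vol.key_copies[0]  # the copy the erase never saw
    vol_result = {
        "sanitized_via_device": sanitization_check(vol, 3, secret),
        "recoverable_with_stray_copy": vol.decrypt_with_copy(3, stray)[: len(secret)] == secret,
    }
    return {"sed": sed_result, "software": vol_result}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the argument: on the SED model the stored ciphertext is byte-for-byte unchanged after the erase, yet the sanitization check passes; on the software-volume model the same check also passes from the device's point of view, but a stray key copy still decrypts the sector, which is exactly why a Cryptographic Erase can only be trusted when every copy of the key is known to be destroyed.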
Collectively, we are tackling the obstacles to SED adoption in the consumer space. This presentation, by the inventor of the SED concept (Dr. Thibadeau), will introduce SEDs, summarize the mature history of SEDs in the marketplace, and highlight some of the DTA initiatives targeted at increasing SED adoption. These initiatives include: open-source code for management of SEDs across all operating systems, extensive and pragmatic education materials and activities, and particular focus on emerging markets for SEDs, such as IoT (Internet of Things) and the automobile of the future.