


Contributing Writer

I Was Wrong About Self-Encrypting Hard Drives

Jul 27, 2011 | 4 mins

Security and performance benefits seem irrelevant to the market

A few years ago, the EVP of marketing at EMC gave me some grief about analyst predictions. He said something like, “if I bet on your predictions and you’re incorrect, I spend millions of dollars on the wrong stuff and lose my job. All you have to do is change your PowerPoint slides and move on.” He was right. We analysts are always forecasting what will happen in 3-5 years, but it’s rare that anyone looks back at these predictions and then calls us on it.

Given this, allow me to call myself on a prediction I made several years ago: I said that self-encrypting hard drives would become ubiquitous and thus assume the position as the default way to encrypt PCs, servers, etc. History has proven me completely wrong.

Why did I predict such a bright future for self-encrypting drives? Well, this seemed like an obvious call for several reasons. First, cryptographic processors were following Moore’s Law and becoming faster and cheaper. This meant that processor-intensive encryption software could be replaced with cheap, fast hardware. This transition actually happened when LTO and IBM mainframe tape drives added cryptographic processors in the devices. All of a sudden, the bottom dropped out of the backup encryption software market.

At the same time as cryptographic processing prices were sliding, the Trusted Computing Group (TCG) came up with a standard for self-encrypting drives called Opal. This meant that Seagate, Hitachi, Western Digital, etc. would manufacture self-encrypting drives with the same APIs and create developer programs for device manufacturers and management tool vendors.

It seemed like all of the technical stars were aligned then for hardware to replace software, as it so often does in our industry. Well, it hasn’t happened yet and I have no reason at this point to believe it will. Why? In this case, hardware superiority and logic have been trumped by market reality. Self-encrypting drives remain a niche because of:

1. Poor timing. By the time the Opal standard was ratified, many large organizations had already purchased full disk encryption software from the likes of PGP, SafeBoot, or Utimaco. Replacing existing technologies is always harder than making the initial sale.

2. A lack of compelling functionality. Compared to encryption software, self-encrypting drives are faster and more secure, but most users seem apathetic about these advantages. For the majority of organizations, PC encryption is an insurance policy against a lost laptop leading to a breach disclosure. In their minds, encryption is encryption.

3. No market push. With few exceptions, PC and server vendors haven’t pushed devices with self-encrypting drives. When users ask their Dell rep about encryption, it’s likely that he or she provides a list of available options rather than leading with a self-encrypting drive solution. For a while, Seagate tried to do its own marketing, but as a component manufacturer, Seagate has little IT visibility in spite of its market leadership.

4. Higher cost. There is about a 10% premium for a PC with a self-encrypting drive installed. You’d think this would be a wash because you don’t have to buy encryption software. Wrong. If you want to use any of the encryption management tools to manage passwords, encryption keys, and the like, you still have to pay a software fee for a managed device. It doesn’t matter whether the device uses software or hardware for encryption; you pay the same price regardless. Given this, it is cheaper to just go with software.

It seems like the market has voted and software won. If the conditions I described in points 2, 3, and 4 above change, then self-encrypting drives could gain momentum. Additionally, if there is a major software encryption vulnerability or breach, attitudes could also change. Absent these changes, however, self-encrypting drives will remain a niche. Market 1, Technology Superiority 0.


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
