TCG Opal is the de jure standard framework for storage device security.

It is designed for mobile devices and laptops and has extremely wide industry support across multiple operating systems. The TCG Opal framework is supported by most top-tier storage manufacturers and is designed for both solid-state drives (SSDs) and hard disk drives.

Devices that conform to the Opal standard have proven secure encryption built in at the firmware level. Moving the encryption onto the drive minimises any reduction in performance, as the compute-intensive work is done by an ASIC (Application Specific Integrated Circuit) designed specifically for the job.

It should be pointed out that, to most users who purchase such a device to install in their laptop, an Opal certified drive appears as an ordinary SSD. Only when the TCG Opal functionality is enabled does it become something more than an SSD.

As good as they are, standards and frameworks will only get you so far; the management tools that utilise them are just as important. Several vendors provide management tools that integrate with the TCG Opal framework to provide centralised management and an almost transparent user experience (users still have to enter a password or key on start-up).

To utilise Opal, there are two parts to the framework in a client-server configuration. The server works as a management station that allows control and management of the encryption and the keys. Critically, using a solution such as Opal wraps up the encryption complexity into a set of management tools built on the framework. Vendors include:

  • McAfee
  • Sophos
  • WinMagic
  • Symantec

Whilst the exact implementation details vary from vendor to vendor, they all cover the core management requirements. Management functionality includes a wide range of tools and facilities, including:

Remote Wipe

When paired with a remote location and management tools, the ability to remotely wipe the drive upon device loss provides an additional level of security and confidence that the data is beyond recovery, even if the keys were available. This is accomplished by removing the device key, so as soon as the device connects to the internet the wipe is achieved instantly.

Key management

As previously noted, centralised key management is fundamental. It provides the help desk staff with the means to manage the encryption infrastructure.

Drive level management

Powerful software solutions will also provide monitoring and management of the drives. Such monitoring will alert the administrator or help desk to any potential failure, or to a drive that is displaying known indicators of early failure, such as excessive reallocation of blocks or excessive errors.

As mentioned, TCG Opal only works on compliant drives. Any drive an administrator wishes to use should be TCG Opal certified. The standard covers all drive formats, whether standard 2.5” SSD, M.2 or mSATA. It is wise to choose a vendor who offers an option in each format.
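Before rolling out SED management, an administrator will want an inventory of which drives are actually Opal certified. The script below is an added example, not code from the original article or from Kingston; it classifies drives from a scan listing in the column layout that the open-source `sedutil-cli --scan` tool prints (device, Opal level, model, firmware), which is an assumption here, and the listing itself is constructed, not captured from real hardware.

```shell
#!/bin/sh
# Added example: classify drives from a `sedutil-cli --scan` style listing.
# Assumed column layout (device, Opal level, model, firmware), where the
# level column is "2" = Opal 2.0, "1" = Opal 1.0, "E" = Enterprise,
# "No" = not an Opal drive. The listing below is constructed sample data.

SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/nvme0    2   Kingston UV500 (constructed model string)     FWv1
/dev/sda      No  Plain laptop HDD (constructed model string)   FWa1
/dev/sdb      1   Older SED (constructed model string)          FWb2
No more disks present ending scan'

# opal_level DEV LISTING -> prints the Opal level column for DEV,
# or nothing if DEV does not appear in the listing.
opal_level() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev { print $2 }'
}

# is_sed DEV LISTING -> exit 0 if DEV reports any Opal level (1, 2 or E),
# exit 1 if it is a plain drive or unknown.
is_sed() {
    case "$(opal_level "$1" "$2")" in
        1|2|E) return 0 ;;
        *)     return 1 ;;
    esac
}

# list_opal2 LISTING -> device paths that implement Opal 2.0, the level the
# UV500 discussed on this page advertises; one path per line.
list_opal2() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\// && $2 == "2" { print $1 }'
}

# Stand-alone run: print a one-line verdict per device in the listing.
printf '%s\n' "$SAMPLE_SCAN" | awk '$1 ~ /^\/dev\//' | while read -r dev lvl _; do
    if is_sed "$dev" "$SAMPLE_SCAN"; then
        echo "$dev: Opal level $lvl, eligible for SED management"
    else
        echo "$dev: no Opal support, fall back to software encryption"
    fi
done
```

On a real machine, replace the constructed listing with `sedutil-cli --scan` output (run as root) and feed it to the same functions.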

Administrators making the move to TCG Opal need to understand that the management framework comes in a client-server architecture. The clients are the laptops that have certified drives in them, and the management side is a server that holds the application of choice, which uses the framework to communicate with the client and manage the actual SSD device.

The question of how to secure the data is complex, and it is critical to incorporate encryption into standard IT operations, and manage it there, without hindering productivity or risking data loss. Whilst these considerations may sound complex, there is a framework that helps companies manage such items on a practical level.

Ultimately, managing device encryption is a mix of well-designed business processes and supporting technology. Centralised management is key to providing a quality service to end users whilst minimising the cost of providing the service and support. Planning is essential, and utilising a framework such as TCG Opal with top-tier SED vendors makes the whole undertaking that much more straightforward.

A Strategic View For Small & Medium Sized Companies PART 3

Launched in April 2018, Kingston’s new SED UV500 provides end-to-end data protection using 256-bit AES hardware-based encryption and TCG Opal 2.0 security management solutions. As mentioned above, the TCG Opal functionality needs to be enabled to utilise the drive encryption fully.

This can only be done via TCG Opal compatible solutions, such as those from Symantec, McAfee or WinMagic. For a user without an existing TCG Opal environment, the drive's encryption is transparent, automatic and not configurable. It cannot be turned off or on, and such users can instead use the ATA Password in the BIOS. The ATA Password is a standard password security feature that functions on most hard drives and SSDs on the market. In summary, TCG Opal software is needed to unlock the full set of features on the UV500 SSD. Without TCG Opal, the user can use the ATA Password to protect the content of the drive.