Tales from the Crypt: Hardware vs Software

Encryption is never out of the spotlight in this industry, but the methods that businesses can deploy to encrypt their data are wide-ranging. Daniel Brecht examines the pros and cons of the various solutions on offer

With the use of mobile devices booming, and attacks against government networks and business databases escalating, data security has become a hot topic for IT system managers and users alike. Today’s technology advances have spurred a number of solutions to meet the requirements and the pockets of everybody who needs to secure a machine, from a simple home computer, to the most sophisticated networks. Sorting through so many different solutions, however, can be overwhelming.

Whether to opt for software-based or hardware-based solutions is the first decision users are faced with, and it’s not an easy choice. Although both technologies combat unauthorized access to data, they do have different features and must be evaluated carefully before implementation.

Software-Based Encryption

Software encryption programs are more prevalent than hardware solutions today. As they can be used to protect all devices within an organization, these solutions can be cost effective as well as easy to use, upgrade and update. Software encryption is readily available for all major operating systems and can protect data at rest, in transit, and stored on different devices. Software-based encryption often includes additional security features that complement encryption, which cannot come directly from the hardware. 

Hardware encryption is most advisable when protecting data on portable devices
Hardware encryption is most advisable when protecting data on portable devices

The protection granted by these solutions, however, is as strong as the level of security of the operating system of the device. A security flaw in the OS can easily compromise the security provided by the encryption code. Encryption software can also be complicated to configure for advanced use and, potentially, could be turned off by users. Performance degradation is a notable problem with this type of encryption.

Hardware-Based Encryption

Hardware-based encryption uses a device’s on-board security to perform encryption and decryption. It is self-contained and does not require the help of any additional software. Therefore, it is essentially free from the possibility of contamination, malicious code infection, or vulnerability.

When a device is used on a host computer, a good hardware-based solution requires no drivers to be loaded, so no interaction with the processes of the host system is required. It also requires minimum configuration and user interaction and does not cause performance degradation.

A hardware-based solution is most advisable when protecting sensitive data on a portable device such as a laptop or a USB flash drive; it is also effective when protecting data at rest. Drives containing sensitive data like that pertaining to financial, healthcare or government fields are better protected through hardware keys that can be effective even if drives are stolen and installed in other computers.

Self-encrypted drives (SEDs) are an excellent option for high-security environments. With SEDs, the encryption is on the drive media where the disk encryption key (DEK) used to encrypt and decrypt is securely stored. The DEK relies on a drive controller to automatically encrypt all data to the drive and decrypt it as it leaves the drive. Nothing, from the encryption keys to the authentication of the user, is exposed in the memory or processor of the host computer, making the system less vulnerable to attacks aimed at the encryption key.

“Software is easier because it is more flexible and hardware is faster when that is needed"Bruce Schneier, Resilient Systems

Hardware-based encryption offers stronger resilience against some common, not-so-sophisticated attacks. In general, malicious hackers won’t be able to apply brute-force attacks to a hardware-encrypted system as the crypto module will shut down the system and possibly compromise data after a certain number of password-cracking attempts. With software-based solutions, however, hackers might be able to locate and possibly reset the counters as well as copy the encrypted file to different systems for parallel cracking attempts. 

Hardware solutions, however, might be impractical due to cost. Hardware encryption is also tied to a particular device and one solution cannot be applied to the entire system and all its parts. Updates are also possible only through device substitution.

The Debate

There is no single answer to companies’ encryption needs, stresses Bruce Schneier, CTO of Resilient Systems and creator of the blog Schneier on Security.

“Software is easier because it is more flexible,” he says, “and hardware is faster when that is needed. My preference is software, because I tend to use general purpose hardware and specific software. So my email encryption, web encryption, IM encryption is all software. But the software might use the hardware-specific instructions in the Intel chip for encryption.”

Nico de Corato, telecommunication engineer and founder of DubaiBlog, has a similar approach when it comes to choosing encryption solutions: “Each device requires software in order to operate, and a device is nothing else than hardware. You could not really choose between hardware and software; there is a total interdependence.” 

The solutions used depend on the needs of the individual, he adds: “In some cases you can choose, and often I’m the one preferring software solutions. For example, if you need to buy a new GPS, the best solution is probably to download the application on your existing devices (eg a smartphone). This way, you are always going to have the GPS with you; you are going to pay much less than buying a new GPS-device. The same goes for encryption software solutions.”

Companies need to consider factors like impact on performance, backup, security and available resources to decide on proper encryption implementation. Businesses should consider the risks involved in losing the data they handle, but also how long they need to keep data encrypted and how well they would be able to manage encrypting keys with each solution.

It is also important, in light of the strict regulations that have been issued for data protection (such as HIPAA and PCI), that businesses choose the solution that allows them to be fully compliant.

Different considerations guide the choice. According to Tom Brennan, managing partner of cybersecurity consulting company ProactiveRISK, “In the commercial space it is mostly about price. With .GOV clients, it is more about data classification right.”

When budget is a concern, the choice is often to steer away from hardware-based solutions in favor of software solutions that can be implemented across the board. In addition, “rather than deal with the expense and inconvenience of being locked into upgrading one proprietary hardware platform every few years, some prefer to use software,” Brennan adds. 

Mobile working practices necessitate a considered approach to encryption for organizations
Mobile working practices necessitate a considered approach to encryption for organizations

Industry Models

“Recent security breaches in multiple industries – including entertainment, retail, and healthcare – tell us that large enterprises are not paying enough attention to security best practices,” says Dan Timpson, CTO at certificate authority DigiCert.

“In addition, many of these companies lack basic security measures. According to the Online Trust Alliance, 90% of data breaches in 2014 could have been prevented.”

The potential consequence of a data, privacy, or network security breach is very significant. According to the Ponemon Institute’s 2014 Cost of a Data Breach Study, data breaches now cost $3.5m on average, and the cost per lost or stolen record is $145. In a previous report, the Ponemon Institute reported that the average value of a lost laptop is $49,246, with only 2% accounting for the hardware replacement costs. Encryption could abate this sum by $20,000 as it prevents criminals from accessing and using data contained within.

Sometimes the size of a company makes for a different approach. Larger companies with massive security departments and large budgets probably already have a valid security posture, but smaller businesses might not be treating the issue with the importance it deserves. Many SMB managers believe that only larger companies are the target of malicious hackers. That couldn’t be further from the truth.

Symantec’s 2014 Internet Security Threat Report showed that companies with less than 250 employees accounted for more than half of all targeted attacks (61%) in 2013, an 11% increase from the previous year. A study by the National Cyber Security Alliance reported that 20% of small businesses fall victim to cybercrime each year.

Timpson comments that “using software-based encryption is straightforward and may be more approachable for a smaller business that does not have an on-site IT admin dedicated to data security measures.”

However, this is a valid solution only if companies realize that “the need to outsource this work brings the responsibility to find companies that are trustworthy and vet their products and services to ensure a good fit,” he adds.

Timpson believes that “introducing a third party increases the potential for vulnerability.” Although hardware encryption is perceived as more costly due to the upfront investments that are needed to supply an entire organization, Timpson believes that “in the long run, hardware can reduce costs with IT labor, user productivity, and licensing fees.”

So, what is the best solution to protect data? It depends on where you are trying to protect it.

When data is at rest, especially on removable devices, hardware-based encryption is often best. By encrypting entire disks or USB drives, everything is secure, from directories to file systems to content. Authentication should be done prior to booting so that not even the OS is started if the user is unauthorized. However, smaller companies might find it hard to justify the expense even for the added security and better systems performance.

If data is in transit, however, file level encryption is more appropriate: files and folders are singularly encrypted and stay encrypted regardless of how and where they are transferred. Possibly less expensive, these solutions are prone to a number of drawbacks from performance degradation to less-than-perfect protection due to hackers exploiting OS and memory vulnerabilities that expose encryption keys.

New theories and technology advances could eventually change that. As Andrew Avanessian, executive vice-president of consultancy and technology services at endpoint security software firm Avecto, explains, “AES instruction sets, which are included in some modern processors, allow software encryption to be more efficient and perform better without relying on dedicated hardware but applications need to be optimized to take advantage of this.”

Choosing carefully is paramount, but there is no place for indecision. Avanessian believes the real problem is that “some organizations can get hung up about encrypting devices and end up delaying implementations. With the increasing portability of devices and BYOD, it is important to get some level of encryption setup as soon as possible.”

Encryption is necessary and is the best mechanism to protect data confidentiality, integrity and genuineness. It minimizes the chance of security breaches and adds layers of protection to secure data. Costs related to data loss and requirements dictated by law should be incentive enough for all businesses to adopt solutions, regardless of whether they are hardware-based or software-based.

This feature was originally published in the Q2 2015 issue of Infosecurity – available free in print and digital formats to registered users

What’s Hot on Infosecurity Magazine?