I was wondering if SEDs are used in cloud environments, for example in data centers of CSPs like Azure or AWS?

And if so, what additional protection do they offer beside from physical theft of the drive?

Thomaszzz
  • AWS has an option for encrypted storage (at least, they did a couple of years ago) I expect this is SED for performance although I've not seen a doc that confirms this. Only protects against physical data centre compromise, so not that helpful for general security, although often need for compliance. – paj28 Nov 10 '18 at 17:48
  • US FedRamp certified cloud providers must provide data encryption at rest. This will include AWS and Azure. – doneal24 Nov 10 '18 at 22:45

1 Answer

I haven't been able to find information on the specific providers you named, but you may be interested in these two articles.

Self-encrypting Drives in Datacentres

Self-encrypting Drives vs software-based encryption

In terms of security benefits, the encryption key is stored on the disk as opposed to the OS, which makes it harder to extract. By erasing the encryption key, you can render the data practically irrecoverable, allowing you to securely dispose of an SSD in a relatively convenient manner. Plus, it is a lot quicker and cheaper to wipe in this way than pretty much any other safe method.

Not that they're a magic bullet to all problems. The second article I linked details how, with physical access, a powered-on SED is still vulnerable to some of the same attacks as software encryption, and potentially other methods as well.

Finally, not a security point, but SEDs have dedicated crypto processors, meaning the data encryption and decryption functions aren't vying for CPU usage, so you do see some performance related benefits from that.
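The following is an added illustration, not code from the answer, the linked articles, or any drive vendor: a toy model of the key hierarchy the answer describes. A random media encryption key (MEK) that never leaves the "drive" encrypts every sector; a PIN-derived authentication key (AK) only wraps the MEK; crypto-erase replaces the MEK and touches none of the stored ciphertext, which is why it is fast. The SHA-256 counter-mode keystream, the PBKDF2 parameters, the sector size and the sample plaintext are all constructed stand-ins for the hardware AES engine so that the example runs with the standard library only. The `demo()` function also shows the answer's caveat: while the drive is unlocked, anyone who can issue reads gets plaintext, so a powered-on SED protects nothing by itself.

```python
import hashlib
import hmac
import secrets

SECTOR_BYTES = 32  # constructed toy sector size


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for the drive's AES engine)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_ak(pin: str) -> bytes:
    """Authentication key from the user PIN (hypothetical parameters, fixed salt for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"toy-sed-salt", 10_000, 32)


class ToySED:
    """Minimal self-encrypting drive model: sectors are only ever stored encrypted under the MEK."""

    def __init__(self, pin: str):
        self.media = {}        # sector number -> ciphertext; this is all physical access sees
        self._mek = None       # present in "drive RAM" only while unlocked
        self._wrapped = None   # MEK encrypted under the AK, persisted on the drive
        self._tag = None       # integrity tag so a wrong PIN is rejected, not silently mis-unwrapped
        self._install_mek(secrets.token_bytes(32), derive_ak(pin))

    def _install_mek(self, mek: bytes, ak: bytes) -> None:
        self._wrapped = _xor(mek, _keystream(ak, b"wrap", 32))
        self._tag = hmac.new(ak, self._wrapped, "sha256").digest()
        self._mek = None

    def unlock(self, pin: str) -> bool:
        ak = derive_ak(pin)
        expected = hmac.new(ak, self._wrapped, "sha256").digest()
        if not hmac.compare_digest(self._tag, expected):
            return False
        self._mek = _xor(self._wrapped, _keystream(ak, b"wrap", 32))
        return True

    def lock(self) -> None:
        self._mek = None

    def write(self, sector: int, data: bytes) -> None:
        if self._mek is None:
            raise PermissionError("drive is locked")
        if len(data) != SECTOR_BYTES:
            raise ValueError("toy model writes whole sectors only")
        self.media[sector] = _xor(data, _keystream(self._mek, sector.to_bytes(8, "big"), SECTOR_BYTES))

    def read(self, sector: int) -> bytes:
        if self._mek is None:
            raise PermissionError("drive is locked")
        return _xor(self.media[sector], _keystream(self._mek, sector.to_bytes(8, "big"), SECTOR_BYTES))

    def crypto_erase(self, pin: str) -> None:
        """Replace the MEK. Every sector stays on the media but can no longer be decrypted."""
        if not self.unlock(pin):
            raise PermissionError("crypto-erase requires the drive owner's PIN")
        self._install_mek(secrets.token_bytes(32), derive_ak(pin))


def demo() -> dict:
    """Walk through unlock, read, lock and crypto-erase; returns the observations as a dict."""
    plaintext = b"constructed plaintext sector".ljust(SECTOR_BYTES, b"\0")
    drive = ToySED("1234")
    wrong_pin_unlocks = drive.unlock("0000")
    drive.unlock("1234")
    drive.write(0, plaintext)
    powered_on_read = drive.read(0)            # unlocked drive hands out plaintext to any reader
    media_before = drive.media[0]
    drive.lock()
    drive.crypto_erase("1234")                  # fast: only the wrapped MEK changes
    drive.unlock("1234")
    return {
        "plaintext": plaintext,
        "wrong_pin_unlocks": wrong_pin_unlocks,
        "powered_on_read": powered_on_read,
        "media_is_ciphertext": media_before != plaintext,
        "media_unchanged_by_erase": drive.media[0] == media_before,
        "read_after_erase_differs": drive.read(0) != plaintext,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design choice worth noticing is that `crypto_erase` never iterates over `media`: the cost of sanitising the whole drive is the cost of rewriting one 32-byte wrapped key, independent of capacity, which is the "quicker and cheaper" property the answer points at. The flip side is visible in `powered_on_read`: nothing in the model distinguishes the legitimate host from anyone else who can talk to an unlocked drive.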