An enterprise with good cybersecurity hygiene will have several methods of protection for data handled on premise. But for a variety of reasons, it’s often necessary for sensitive data to be transferred between devices, whether between rooms, offices, or even countries. When data leaves the internal IT ecosystem of an enterprise or organization, it is no longer protected by previously established firewalls or access controls. This is true whether users are relying on cloud solutions to transmit through an online intermediary (such as email) or using removable storage devices such as USB drives and external HDDs or SSDs. While there are several different solutions for transporting data — most commonly cloud solutions, standard USB drives, and online file transfers — hardware-encrypted storage drives provide the highest level of data security because they implement the actual data encryption in an entirely different way.
The Alternatives and Their Shortcomings
There are plenty of methods for securing data, and while several solutions have the advantage of lower costs, they come with unique risks. Cloud storage, for example, provides the ability to quickly upload and download files between devices regardless of physical distance, but that convenience comes at a cost. Data shared through cloud providers can be susceptible to exposure on unsecured WiFi networks and can be accessed by the cloud providers themselves. Enterprises have to trust that cloud providers are adequately protecting against hackers and that all potential vulnerabilities will be detected and addressed before a data breach occurs. Cloud providers must reliably apply security fixes for all of their software promptly — a daunting process for any IT organization. Storing data on a cloud provider’s server is basically storing your data on someone else’s computer — you have to trust that the provider actively works to keep your data secure.
In general, removable storage (such as USB drives and SSDs) can be a very secure way to move data, but there are substantial risks that need to be mitigated before a device can be considered truly secure. Most critically, USB devices that have been lost or stolen can put sensitive data at risk. If data is stored directly on a drive without encryption, anyone who plugs the device into their computer will be able to access its contents — imagine the compliance and legal repercussions if PII data is exposed. If the data stored on the device has been encrypted, it is not immediately accessible, but the level of security depends on the type of encryption.
Hardware Encryption is Fundamentally Different from Software Encryption
Encryption can provide invaluable protection for sensitive data, but there are several different methods to store encrypted data on a removable drive. The most inexpensive option is to use software to encrypt sensitive data, then store that encrypted content on a regular, inexpensive USB drive. This method provides a valuable layer of security compared to unencrypted data, but it still leaves your data vulnerable to determined hackers. While software-encrypted data is not immediately accessible, it has no inherent protection against repeated hacking attempts, such as password guessing (called Brute Force attacks) through free and paid tools available to crack passwords or specific software-encrypted file types.
Hardware encryption works differently. A cryptoprocessor built into the device performs the encryption on the data, establishing an unremovable layer of protection in the drive’s circuitry that hackers cannot bypass through Brute Force attacks or that employees can turn off. This is a permanent layer of protection, in contrast to software encrypted drives, which can be wiped and reformatted to remove software encryption, turning the formerly software-encrypted drive into a breach candidate if sensitive data is copied to it. This is scary for compliance and legal reasons.
Because the security components in a hardware-encrypted drive are hardwired into the device, they provide security at both cryptographic and physical levels. High-end, military-grade hardware-encrypted drives feature tamper-resistant designs which use epoxy to prevent the removal of internal components without damaging them. This structure protects the encrypted drive components from being accessed through disassembly. Some drives have special cryptochips that can detect attacks and intrusions and self-destruct or wipe out the stored data.
The Level of Protection Hardware Encryption Provides
Most drives carrying encrypted data have no built-in way to keep track of log-in attempts, meaning that a bad actor who has stolen or found the drive can run brute-force password-cracking software on the drive. Brute-force attack programs can scale from running on a single computer to harnessing the power of thousands of computers through networking. Many of these programs can also make use of powerful graphics card GPUs. A bad actor with these tools has the ability to guess millions of passwords in a matter of seconds, and the amount of time before the password to certain software-encrypted data is cracked can be measured in days or hours. With a hardware-encrypted USB flash drive, the crypto-microprocessor is able to track the number of attempted log-ins, and when a threshold has been met, the drive can wipe its encryption key, and the data is lost forever.
While most cybersecurity protocols focus on preventing sensitive data from getting out, it is just as critical to protecting against letting foreign data in. A system-wide firewall can provide some protection, but traditional anti-malware security installations can’t detect some forms of malware loaded through removable storage — including the notorious BadUSB attack. Malware such as keyloggers, spyware, and ransomware can be loaded onto unsecured systems and then potentially spread through the network.
Hardware-encrypted USB drives can be designed to prevent these kinds of attacks, as they are generally invulnerable to malware injection. While typical flash storage devices can be covertly overwritten with malware (either at the firmware level or the software level), a well-designed hardware-encrypted USB drive will use digitally signed (using RSA 2048-bit) firmware that is checked by the cryptoprocessor. If the firmware does not pass the signature checking process, the cryptoprocessor will render the drive non-functional, effectively “bricking” the device.
The Value of Investing in Hardware Encryption
Devices with hardware encryption come at a premium compared to unencrypted storage due to the cost of advanced components and engineering. In some use cases, the price difference may seem steep, but buyers often fail to assess the sheer cost of a data breach or ransomware attack. The difference in price for a hardware-encrypted device makes up a small fraction of what just one consultation with an intellectual property lawyer could cost, not to mention eventual lawsuits and governmental fines. Hardware-encrypted USB drives provide insurance against breaches, and the premium per device is very low compared to the risk of data loss through each and every standard USB drive transporting sensitive data.
A breach’s costly and reputation-damaging consequences can be avoided altogether by having the proper tools in place. If an employee loses a hardware-encrypted USB drive, enterprise leaders can be confident that the data stored on that device is not at risk of a breach thanks to the hack-protection hardware encryption provides. In addition to the security of the cryptoprocessor, many hardware-encrypted drives come with advanced features such as multiple Passwords or PINs for admins and users, as well as physical or touchscreen keypads for OS-independent usage outside of the Windows/macOS/Linux ecosystem. These features improve user experience and provide flexibility, but they all support the fundamental, hardwired security inherent to a hardware-encrypted device. Choosing the right drive for a specific purpose comes down to matching user preferences, storage size, and relying on a trusted manufacturer with a strong track record.
The difference in cost between typical flash storage and hardware-encrypted devices of the same capacity can make these drives seem like premium products best suited for power users — but the reality is that organizations may not be able to afford the consequences of relying on basic storage with a cheaper upfront cost. The benefits of encrypted drives go beyond a simple comparison of being feature-rich and “more secure.” These devices protect data in a fundamentally different way that provides a level of security so advanced that lost devices no longer put sensitive data at risk. Investing in hardware-encrypted devices safeguards against cyber threats that can end up costing organizations millions of dollars. In an environment with an ever-escalating volume of cyberattacks, hardware encryption is not a luxury but a necessary level of protection. Think of it as insurance against data loss.