Central Management Simplifies the Transition to Hardware-Based Encryption

I am always happy when technology makes my job as a client security engineer easier.

Intel’s recent deployment of hardware-based encryption using the Intel® Solid-State Drive (Intel® SSD) Professional Family (currently consisting of the Intel® SSD Pro 1500 Series and the Intel® SSD Pro 2500 Series), combined with McAfee® Drive Encryption 7.1 encryption software, has done exactly that. For some organizations, the deployment of Opal-compliant drives might disrupt encryption management policies and procedures -- but not at Intel, thanks to the level of integration between McAfee Drive Encryption and McAfee® ePolicy Orchestrator (McAfee ePO).

Intel IT has used ePO for several years to manage other McAfee security solutions, such as virus protection and firewalls. Now, as we transition to Opal drives, ePO’s integration with encryption management means that end users don’t have to learn a new user interface or process when they change from software-based to hardware-based encryption. They just enter their encryption password and they’re in -- the same as before when using software-based encryption.

Mixed Environment? Not a Problem

We are transitioning to the new drives using our standard refresh cycle. Therefore, our computing environment still contains a fair number of older Intel SSDs that must use software-based encryption. But for IT staff, there’s no difference between provisioning one of the Opal-compliant drives and a non-Opal-compliant drive. McAfee Drive Encryption provides a hybrid agent that can detect whether software- or hardware-based encryption can be used, based on the configuration of the drive and rules defined by the IT administrator. The same policy is used, regardless of the drive manufacturer or whether the drive needs hardware-based or software-based encryption. The technician just tags the computer for encryption, and that’s it. Decryption, when necessary, is just as easy.

When McAfee releases a new version of Drive Encryption, or when a new version of the Opal standard is released (the Intel SSD Pro 2500 Series, in the initial phases of deployment at Intel, is Opal 2.0-compliant), the policies won’t change, and the update will be transparent. We can just push the new version to the client PCs -- employees don’t have to visit service centers, and IT technicians don’t need to make desk-side visits with USB sticks. Because ePO organizes policies by system tree, we can set different policies for different categories of systems, such as IT-managed client PCs and servers, and Microsoft Active Directory Exchange servers.

The transition to Opal-compliant drives is also transparent to the rest of the IT department: there is no change in the system imaging process -- the same image and process are used whether the drive is an older SSD or a new Intel SSD Pro 1500 Series. The recovery process is also identical regardless of whether the drive is hardware- or software-encrypted. It is all performed from the same console, using the same process. Intel Help Desk technicians do not need to learn a new method of recovery when a new drive is introduced.

Bird’s Eye View of Encryption Across the Enterprise

McAfee ePO enables us to easily determine the encryption status of all PCs in the environment. The ePO query interface is easy to use (you don’t even have to know SQL, although it is available for advanced users). The interface comes with most common reports already built-in (see the figure for examples) and allows for easy customization. Some reports take less than 30 seconds to generate; some take a little longer (a few minutes).

Using ePO, we can obtain a bird’s-eye view of encryption across the enterprise. The ePO dashboard is customizable. For example, we can view the entire encryption state of the environment, what Drive Encryption version and agent version are being used, and if there are any incompatible solutions that are preventing encryption from being enforced. We can even drill down to a particular PC to see what is causing an incompatibility.


Sample McAfee® ePolicy Orchestrator Dashboard (from left to right): encryption status, McAfee® Drive Encryption versions installed, encryption provider. These graphs are for illustrative purposes only and do not reflect Intel’s current computing environment.

Encryption can be removed in one of the following ways:

  • The IT admin applies the decrypt policy. This method requires communication between the client PC and server.
  • The IT Service Center uses a recovery image with an identification XML file exported from the server, or the user’s password, to decrypt the drive.

Decrypting in this manner guarantees that the encryption status reported in ePO is in fact the status of the drive.

The information is displayed in near real time, which is helpful if a PC is lost or stolen. Using ePO, we can find the state of the drive. If it was encrypted, we know the data is safe. But if not, we can find out what sort of data was on the PC, and act accordingly. ePO lets IT admins customize the time interval for communication between a specific PC and ePO.

Customizable Agent

Although the McAfee agent reports a significant amount of information by default, the product developers realized that they probably couldn’t think of everything. So, they built in four client registry values that give administrators even more flexibility. For example, we needed a way to differentiate between tablets and standard laptops, because we needed to assign a policy based on the availability of touch capabilities during preboot. So, during the build, we set one of the four registry values to indicate whether the PC has a fixed keyboard. The McAfee agent reports this property to ePO, which in turn, based on the value, assigns a compatible policy.
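As an added illustration of the build-time step described above (this is example code written for this page, not Intel’s build script or McAfee’s own tooling), the following PowerShell classifies a machine as tablet or fixed-keyboard PC from its SMBIOS chassis type and records the result in one of the agent’s custom-property registry values. The registry key path and value name are placeholders, not the real agent locations; take those from the McAfee Agent documentation for your version. The chassis type codes (30 = Tablet, 32 = Detachable) are the DMTF System Enclosure values that Windows exposes through `Win32_SystemEnclosure`.

```powershell
<#
  Added example, not code from the original post.
  Sets an agent custom property that tells ePO whether this PC has a fixed
  keyboard, so a preboot policy suited to touch-only devices can be assigned.
  $AgentPropsKey and $ValueName are PLACEHOLDERS (assumption): replace them
  with the custom-property location documented for your agent version.
#>
param(
    [string]$AgentPropsKey = 'HKLM:\SOFTWARE\PLACEHOLDER_AGENT_VENDOR\CustomProps',
    [string]$ValueName     = 'CustomProps1'
)

# DMTF System Enclosure chassis types with no permanently attached keyboard.
# 30 = Tablet, 32 = Detachable. A convertible (31) keeps its keyboard, so it
# is treated as a fixed-keyboard device here.
$NoFixedKeyboardChassisTypes = @(30, 32)

function Get-KeyboardClass {
    param([uint16[]]$ChassisTypes)
    # A machine may report several chassis types; any tablet-style entry wins.
    $touchOnly = $ChassisTypes | Where-Object { $NoFixedKeyboardChassisTypes -contains $_ }
    if ($touchOnly) { return 'TouchNoFixedKeyboard' }
    return 'FixedKeyboard'
}

# Read the chassis type reported by the firmware.
$enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure
$class = Get-KeyboardClass -ChassisTypes $enclosure.ChassisTypes

# Create the key if it does not exist, then write the property the agent
# reports to ePO on its next agent-server communication.
if (-not (Test-Path -Path $AgentPropsKey)) {
    New-Item -Path $AgentPropsKey -Force | Out-Null
}
Set-ItemProperty -Path $AgentPropsKey -Name $ValueName -Value $class -Type String

# Log what was recorded so the build task output can be checked later.
Write-Output ("Chassis types: {0}; recorded {1}={2}" -f ($enclosure.ChassisTypes -join ','), $ValueName, $class)
```

Run this from the build task with administrative rights, since the value lives under HKLM. After the next agent-server communication, the property can be used in an ePO tag or policy-assignment rule; a quick check is to query ePO for systems reporting `TouchNoFixedKeyboard` and confirm they received the touch-capable preboot policy rather than the default one.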

Single Pane of Glass

Before integrating Drive Encryption, ePO, and the Opal-compliant Intel® SSD Professional Family, some IT support activities, such as helping users who forgot their encryption password, were time-consuming and inefficient. Recovery keys were stored in one location, while other necessary information was stored elsewhere. Now, one console handles it all. If a user calls in, the IT technician has everything necessary, all in one place -- a one-stop shop for everything encryption.

We have found the combination of McAfee Drive Encryption 7.1 software and Opal-compliant Intel SSDs featuring hardware-based encryption to provide a more robust solution than would be possible with either technology alone. I’d be interested to hear how other IT organizations are faring as the industry as a whole adopts Opal-compliant drives. Feel free to share your comments and join the conversation at the IT Peer Network.