Couldn’t help the pun. With all the recent uproar over Edward Snowden, the NSA, PRISM, and snooping in general, I thought it might be best to start this post with a groaner.
Full Disk Encryption, or FDE, is becoming more common these days in response to regulatory compliance requirements. Companies that maintain Personally Identifiable Information (PII), or other customer data, need to make sure that data stays within their control. With the rise in mobility the past few years, we’re seeing more cases of lost or stolen laptops, phones, and other devices. Basically, you can’t afford to lose customer data; FDE protects against that and more. For example, in some cases, you may not have to report a stolen laptop as a data breach if you can prove that its hard drive was encrypted (check your compliance and legal policies to be sure.)
Depending on your computer fleet, tech savvy, and budget, there are numerous ways to encrypt hard drives. Tools such as TrueCrypt offer good protection at my favorite price (free), while enterprise solutions from Checkpoint, Sophos, and others can fully manage encryption across thousands of devices. There are also managed offerings from companies like Alertsec, who provide FDE-as-a-service.
Some things to consider before you deploy FDE in your environment:
- Authentication. There are two key points here:
- Preboot authentication. This authenticates the user before the operating system loads, reducing the chance that an attacker can get to any unencrypted data. Depending on your chosen FDE solution, preboot authentication can consist of a PIN, a password, a token (two-factor authentication), or biometric data. It’s important to match the solution with the need; for example, some highly regulated industries may require two-factor or biometric devices, while others may allow a unified password (see SSO below.)
- Single Sign-on (SSO). To make life easier for your users, SSO synchronizes the preboot credentials with the machine or network credentials, so users don’t need to memorize yet another password.
- Machine type. While it obviously makes the most sense to encrypt laptops since they frequently leave the secured perimeter of your office, you may want to consider encrypting desktops as well. Cable locks, while an effective theft deterrent, are just that; a determined attacker can easily get past a cable lock, open the desktop case, and pocket the hard drive.
- Removable media. Users lose USB sticks, SD cards, etc. all the time – it’s easy to do. Protect your data by making sure users can (and know how to) easily encrypt removable media before they take it with them. Again, your particular needs may include blocking access to USB ports and/or optical drives on all computers; if this is the case you don’t need to worry about encrypting removable media.
- Key management. This is a big one – your encryption keys are what allow you to manage and decrypt all of your encrypted data; without them, your encrypted machines are basically useless. It’s critical to properly store, secure, and back up your encryption keys, since they are the keys to the kingdom of your data. In the case of managed providers (as mentioned above), make sure their key management policies and procedures line up with any compliance or contractual obligations you may have.
THE BOTTOM LINE
It’s easier than ever to encrypt computer hard drives; while no solution is perfect, any solution is better than not having one – especially when you get that frenzied “my laptop was stolen” call from a user on a Monday morning!