The Keys to Full Disk Encryption

Couldn’t help the pun. With all the recent uproar over Edward Snowden, the NSA, PRISM, and snooping in general, I thought it might be best to start this post with a groaner.

BACKGROUND

Full Disk Encryption, or FDE, is becoming more common these days in response to regulatory compliance requirements. Companies that maintain Personally Identifiable Information (PII) or other customer data need to make sure that data stays within their control. With the rise in mobility over the past few years, we’re seeing more cases of lost or stolen laptops, phones, and other devices. Basically, you can’t afford to lose customer data; FDE protects against that and more. For example, in some cases you may not have to report a stolen laptop as a data breach if you can prove that its hard drive was encrypted (check your compliance and legal policies to be sure).

THE TOOLS

Depending on your computer fleet, tech savvy, and budget, there are numerous ways to encrypt hard drives. Tools such as TrueCrypt offer good protection at my favorite price (free), while enterprise solutions from Check Point, Sophos, and others can fully manage encryption across thousands of devices. There are also managed offerings from companies like Alertsec, which provide FDE-as-a-service.

THE ISSUES

Some things to consider before you deploy FDE in your environment:

  • Authentication. There are two key points here:
      • Preboot authentication. This authenticates the user before the operating system loads, reducing the chance that an attacker can get to any unencrypted data. Depending on your chosen FDE solution, preboot authentication can consist of a PIN, a password, a token (two-factor authentication), or biometric data. It’s important to match the solution with the need; for example, some highly regulated industries may require two-factor or biometric devices, while others may allow a unified password (see SSO below).
      • Single Sign-on (SSO). To make life easier for your users, SSO synchronizes the preboot credentials with the machine or network credentials, so users don’t need to memorize yet another password.
  • Machine type. While it obviously makes the most sense to encrypt laptops since they frequently leave the secured perimeter of your office, you may want to consider encrypting desktops as well. Cable locks, while an effective theft deterrent, are just that; a determined attacker can easily get past a cable lock, open the desktop case, and pocket the hard drive.
  • Removable media. Users lose USB sticks, SD cards, etc. all the time – it’s easy to do. Protect your data by making sure users can (and know how to) easily encrypt removable media before they take it with them. Alternatively, your particular needs may call for blocking access to USB ports and/or optical drives on all computers; if that is the case, you don’t need to worry about encrypting removable media.
  • Key management. This is a big one – your encryption keys are what allow you to manage and decrypt all of your encrypted data; without them, your encrypted machines are basically useless. It’s critical to properly store, secure, and back up your encryption keys, since they are the keys to the kingdom of your data. In the case of managed providers (as mentioned above), make sure their key management policies and procedures line up with any compliance or contractual obligations you may have.
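To make the authentication and key-management points above concrete, here is a small model of how FDE products typically structure their keys. This is an added example, not code from the post or from any of the products named in it. The disk is encrypted under a single random data-encryption key (DEK); the DEK is never stored in the clear but wrapped in one or more key slots, each protected by a different credential: the user’s preboot passphrase, and a recovery key that the organisation escrows in its key-management system. The slot layout, the slot names "user" and "recovery", and the use of AES-GCM as the wrapping cipher are simplifications assumed for this example (real products use dedicated key-wrap modes and memory-hard KDFs such as scrypt or Argon2); PBKDF2 is written out inline so the example depends only on the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed parameter: real products use far higher counts or a memory-hard KDF.
const kdfIterations = 10000

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte key, which needs
// only block 1; it is written out so the example uses only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

// KeySlot is one wrapped copy of the data-encryption key (DEK). The header holds
// only wrapped copies; the DEK itself is never written to disk.
type KeySlot struct {
	Salt    []byte // per-slot KDF salt
	Nonce   []byte // AES-GCM nonce
	Wrapped []byte // AES-GCM(KEK, DEK)
}

// Volume is a toy FDE header: one DEK, reachable through any of its slots.
type Volume map[string]KeySlot

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead returns AES-GCM under the slot's key-encryption key (KEK), which is the
// slot secret stretched with PBKDF2 and the slot's salt. GCM stands in here for
// the dedicated key-wrap modes real products use.
func aead(s KeySlot, secret []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256(secret, s.Salt, kdfIterations)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)                                          // AES block size is 16: cannot fail
	return gcm
}

// SetSlot (re)wraps dek under a fresh salt and nonce for the named slot.
func (v Volume) SetSlot(name string, secret, dek []byte) {
	s := KeySlot{Salt: randomBytes(16), Nonce: randomBytes(12)}
	s.Wrapped = aead(s, secret).Seal(nil, s.Nonce, dek, nil)
	v[name] = s
}

// Unlock recovers the DEK through one slot; a wrong credential fails closed.
func (v Volume) Unlock(name string, secret []byte) ([]byte, error) {
	s, ok := v[name]
	if !ok {
		return nil, errors.New("no such key slot: " + name)
	}
	dek, err := aead(s, secret).Open(nil, s.Nonce, s.Wrapped, nil)
	if err != nil {
		return nil, errors.New("wrong credential for key slot " + name)
	}
	return dek, nil
}

// NewVolume makes a DEK reachable by the user's preboot passphrase (slot "user")
// and by a random 256-bit recovery key (slot "recovery") for the organisation to escrow.
func NewVolume(passphrase string) (Volume, []byte) {
	dek, recoveryKey := randomBytes(32), randomBytes(32)
	v := Volume{}
	v.SetSlot("user", []byte(passphrase), dek)
	v.SetSlot("recovery", recoveryKey, dek)
	return v, recoveryKey
}

func main() {
	v, recoveryKey := NewVolume("Tr0ub4dor&3")
	_, err := v.Unlock("user", []byte("wrong guess"))
	fmt.Println("preboot login with wrong passphrase:", err)
	dek, _ := v.Unlock("recovery", recoveryKey)
	fmt.Printf("escrowed recovery key unwraps the DEK: %x...\n", dek[:4])
}
```

Two points from the list above fall straight out of this layout. SSO-style credential synchronisation is just a re-wrap: unlock the DEK with the old passphrase, call SetSlot with the new one, and the encrypted disk itself is untouched. And key management really is the keys to the kingdom: if a user forgets the passphrase and the recovery slot’s secret was never escrowed (or the escrow is lost), every slot is nothing but AES-GCM ciphertext and the DEK, and with it the data, is gone.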

THE BOTTOM LINE

It’s easier than ever to encrypt computer hard drives; while no solution is perfect, any solution is better than not having one – especially when you get that frenzied “my laptop was stolen” call from a user on a Monday morning!

Image Credit: Austin Mills via Compfight
