Full disk encryption is expected to be the top security technology to be tested or adopted this year. What are the challenges and benefits likely to be?
Realise the full benefits by encrypting hard drive and storage media
Full drive protection completely replaces the contents of a user's hard drive with an encrypted image, writes John Girard, vice-president and distinguished analyst at Gartner. If this is combined with pre-boot authentication, a thief really has nowhere to start in breaking out the contents of the drive. In the event of a problem with a fully encrypted drive, access to a damaged drive would require a proprietary diagnostic disk (usually a bootable CD). If the drive can be read by a support tech, data can only be recovered down to the sector level. Pre-boot encryption has other challenges: for example, if the company uses Wake On LAN, the system will need to unlock with no user present.
In contrast, file-based encryption doesn't change the user system image so radically. Files and folders are selectively encrypted, but usually are still visible, and it is very important to choose the right ones to protect. File-oriented products have become sophisticated and can automatically protect data based on owner or application, and can be directed to encrypt every possible piece of data that won't interfere with system start-up. File-based encryption allows companies to use standard diagnostic approaches and is more flexible in the case of the Wake On LAN example, because system start-up is independent of user data encryption.
Both methods can achieve high levels of certification, including FIPS 140-2 for the crypto APIs and Common Criteria. Both methods need time for installation. First-time encryption can take many hours, depending on the starting amount of data and system performance, but, on the upside, it only has to be done once. Both methods have been accused of performance and stability problems, so it's important to test before committing to a product, and to ensure that systems have enough processing power and memory to work with encryption.
No matter what method you choose for your PC drive, file encryption will be an expanding requirement. You need to anticipate and set encryption policies for data transfer to flash media, CDs, DVDs, external hard drives and other destinations. Smartphones and PDAs cannot be encrypted as full drives, and removable media devices may, of necessity, carry a mixture of encrypted and unencrypted data.
Gartner recommends:
- Get your workstations, phones and PDAs encrypted as soon as possible.
- Don't bypass pre-boot authentication to make full drive encryption logins easier.
- Don't dismiss file encryption. You will be using it for a long time to come.
- Make sure your help desk and your users are fully trained to live with changes to their systems.
- Implement regular backups so you avoid wasting time trying to recover encrypted data from individual devices.
- Don't make recovery too easy - otherwise the wrong people might get hold of your decryption passwords!
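The pre-boot authentication and recovery points above (and the earlier description of full drive protection) rest on one design: the drive is encrypted under a random volume key, and that volume key is stored wrapped under several "slots", one derived from the user's pre-boot passphrase and one from a high-entropy recovery key escrowed with the help desk. Either slot unlocks the drive; neither exposes the other's secret, which is why a recovery path need not hand out the user's password. The following Python is an added illustration written for this page, not code from Gartner or from any encryption product; the slot names, the PBKDF2 iteration count and the 48-digit recovery-key format are assumptions, and the wrapping uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a standard-library stand-in for the AES key wrap a real product would use.

```python
"""Key-slot model behind pre-boot authentication and help-desk recovery.

Added example (not from the article or from Gartner). A full-drive product
encrypts the disk under a random volume key, then stores that key wrapped
under one key-encryption key (KEK) per slot. The wrap() / unwrap() pair is a
stand-in for AES key wrap: HMAC-SHA256 keystream XOR, then an HMAC tag
(encrypt-then-MAC), all from the Python standard library.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: a cost a pre-boot loader can afford


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Stretch a passphrase or recovery key into a 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=32)


def wrap(kek: bytes, volume_key: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC a 32-byte volume key under the KEK with a fresh nonce."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(kek: bytes, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Return the volume key, or None if the KEK is wrong or the slot was altered."""
    expected = hmac.new(kek, b"mac" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # tag check first: never decrypt unauthenticated data
    stream = hmac.new(kek, b"enc" + blob["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


class VolumeHeader:
    """On-disk header: per-slot salts plus wrapped copies of one volume key."""

    def __init__(self) -> None:
        self.volume_key = secrets.token_bytes(32)  # what actually encrypts the disk
        self.slots: Dict[str, Dict[str, bytes]] = {}

    def add_slot(self, name: str, secret: bytes) -> None:
        salt = os.urandom(16)
        kek = derive_kek(secret, salt)
        self.slots[name] = {"salt": salt, **wrap(kek, self.volume_key)}

    def unlock(self, secret: bytes) -> Optional[bytes]:
        """Pre-boot unlock: try every slot; the first one that verifies yields the key."""
        for slot in self.slots.values():
            key = unwrap(derive_kek(secret, slot["salt"]), slot)
            if key is not None:
                return key
        return None


def new_recovery_key() -> str:
    """48 random digits (about 159 bits) for help-desk escrow, grouped for reading aloud."""
    digits = "".join(str(secrets.randbelow(10)) for _ in range(48))
    return "-".join(digits[i:i + 6] for i in range(0, 48, 6))


def provision(passphrase: bytes) -> Tuple[VolumeHeader, str]:
    """Provision a drive with one user slot and one escrowed recovery slot."""
    header = VolumeHeader()
    recovery = new_recovery_key()
    header.add_slot("user", passphrase)
    header.add_slot("recovery", recovery.encode())
    return header, recovery


if __name__ == "__main__":
    hdr, rk = provision(b"correct horse battery staple")  # constructed passphrase
    print("user unlock     :", hdr.unlock(b"correct horse battery staple") == hdr.volume_key)
    print("recovery unlock :", hdr.unlock(rk.encode()) == hdr.volume_key)
    print("wrong passphrase:", hdr.unlock(b"guess") is None)
```

The model also shows why the article warns against bypassing pre-boot authentication: an auto-unlock slot (for Wake On LAN, say) would need its secret stored on the same machine as the header, so a thief with the drive would have a slot they can open without any passphrase. Keeping the recovery key out of the user's hands and out of the image, and escrowing it only with the help desk, is what "don't make recovery too easy" amounts to in this design.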
Read more advice from the Computer Weekly Security Think Tank.