Full disk encryption is expected to be the top security
technology to be tested or adopted this year. What are the
challenges and benefits likely to be?
Business case must be well-managed to balance cost and benefits
of full disk encryption
In seeking to provide a detailed response to the above
questions, views have been sought from the wide community of
experts that make up the BCS Security Forum Strategic Panel (SFSP)
as well as the BCS membership itself, writes Andrea Simmons,
consultant forum manager at the BCS Security Forum.
Full disk encryption (FDE) is expected to be the top security
technology tested or adopted this year. There is little doubt
that encryption helps improve security. The issue that requires more
thought on a case-by-case basis is that of desktops and the point
at which the overhead becomes worth it.
For example, consider a reasonably sized, separated network of desktops
used for running software that processes very confidential documents.
The machines are all kept in an access-controlled environment, but
FDE would add an additional layer of security. However, due to the
nature of the work, the Linux and Windows machines are regularly
re-imaged. With FDE this would be much slower, because you can't tell
which parts of the disk are data and which can be ignored, so a hard
disk that previously held about 20GB of actual imaged data becomes
180GB of data you need to re-image every time. These are the
practical security and operational challenges that present
themselves to IT professionals on a regular basis.
There are many different options, and budget will affect which
technology is chosen and for what purpose. The business case
must be well managed, and driven by a suitable risk assessment,
to apply the most appropriate solution.
To get the best out of complex technology, it should be
implemented with strict controls. This will mean an element of
communication and education for those whose day-to-day operation
of existing equipment it will affect.
This is going to be the biggest challenge if you believe many
implementations of full disk encryption are likely to be a
knee-jerk response to a data breach or data loss that
prompted action. On the one hand, there are many IT managers who
have been pleading, for many months if not years, for protection
such as disk encryption as an appropriate technical control for a
security challenge. On the other hand, there are many technology
companies rubbing their hands with glee at the potential of
increased sales. So somewhere in the mix of all this should be the
information security manager applying sense, reason and risk
assessment methodologies.
So what other challenges might there be? Where to stop is
probably one of them. We have BlackBerrys, PDAs, mobile
phones, laptops and desktops, all containing information, all of
which needs to be identified, labelled and properly handled and managed
in a way that protects the information appropriately. That may
include encryption, full or otherwise (that is, there are partial
options).
The benefits are clear in terms of the protection afforded.
Implementation and cost benefit continue to be the challenge.