Full disk encryption is expected to be the top security
technology to be tested or adopted this year. What are the
challenges and benefits likely to be?
Benefits of full disk encryption lie in avoiding PR and
compliance risks of breaching data
According to Forrester, full disk encryption will be the most
piloted or adopted security technology in 2009, writes Raj Samani
of ISSA UK. With national press now interchanging data loss stories
with reports on an ailing housing market, this is hardly
surprising.
This is a significant shift from 2005, when the Ponemon
Institute's National Encryption Survey found that only 4.2% of the 800
companies polled stated they had plans to roll out encryption
throughout the enterprise.
Since then, there have been numerous examples demonstrating the
merits of full-disk encryption, from public announcements naming
and shaming organisations that failed to use full disk encryption (and
subsequently lost devices containing personal information), to
regulators such as the Financial Services Authority (FSA) imposing
almost seven-figure fines when insufficient controls are in place
to protect personal data. Admittedly, full disk encryption is not
impenetrable. Cold boot or iceman attacks are reported to be
capable of extracting encryption keys from the data remanence
properties of DRAM/SRAM.
However, such attacks are unlikely to be within the arsenal of
the opportunistic thief, and there is the added benefit that
encrypting data at rest may allow for safe harbour from many (US)
State data breach notification bills. There are also requirements
for organisations that process card payments to render primary
account number (PAN) unreadable, typically with encryption.
With such an overwhelming case for full disk encryption, there
is the question of why the technology is not implemented by
default. The Ponemon survey cited the primary
reasons for not encrypting sensitive or confidential information
as concerns about system performance (69%), complexity (44%) and
cost (25%).
System performance concerns are merited. It is reported that
access times suffer performance degradation of between 56% and 85%. There
are also challenges related to managing the encryption keys, the
administrative overhead with the roll-out of any new technology to
users, ongoing support and maintaining regulatory compliance with
bills such as RIPA (Part 3).
The decision about whether to roll out full disk encryption must
also consider the level of assurance it gives to key stakeholders.
A recent example of a theft of an encrypted laptop containing
personal information met with a less than enthusiastic response
from a union representing the affected data subjects: "All we have
received are bland assurances that everything is going to be all
right". If it is only a bland assurance, is it really worth the
pain?