Full disk encryption is expected to be the top security technology to be tested or adopted this year. What are the challenges and benefits likely to be?
Benefits of full disk encryption lie in avoiding the PR and compliance risks of breaching data
According to Forrester, full disk encryption will be the most piloted or adopted security technology in 2009, writes Raj Samani of ISSA UK. With national press now interchanging data loss stories with reports on an ailing housing market, this is hardly surprising.
This is a significant shift from 2005, where the Ponemon Institute's National Encryption Survey found only 4.2% of the 800 companies polled stated they had plans to roll out encryption throughout the enterprise.
Since then, there have been numerous examples demonstrating the merits of full-disk encryption, from public announcements naming and shaming organisations that fail to use full disk encryption (and subsequently lose devices containing personal information), to regulators such as the Financial Services Authority (FSA) imposing almost seven-figure fines when insufficient controls are in place to protect personal data. Admittedly, full disk encryption is not impenetrable. Cold boot or iceman attacks are reported to be capable of extracting encryption keys from the data remanence properties of DRAM/SRAM.
However, such attacks are unlikely to be within the arsenal of the opportunistic thief, and there is the added benefit that encrypting data at rest may allow for safe harbour from many (US) State data breach notification bills. There are also requirements for organisations that process card payments to render primary account number (PAN) unreadable, typically with encryption.
With such an overwhelming case for full disk encryption, the question is why the technology is not implemented by default. The Ponemon survey cited the primary reasons for not encrypting sensitive or confidential information as concerns about system performance (69%), complexity (44%) and cost (25%).
System performance concerns are merited. It is reported that access times suffer performance degradation of between 56% and 85%. There are also challenges related to managing the encryption keys, the administrative overhead of rolling out any new technology to users, ongoing support, and maintaining regulatory compliance with legislation such as RIPA (Part 3).
The decision about whether to roll out full disk encryption must also consider the level of assurance it gives to key stakeholders. A recent example of a theft of an encrypted laptop containing personal information met with a less than enthusiastic response from a union representing the affected data subjects: "All we have received are bland assurances that everything is going to be all right". If it is only a bland assurance, is it really worth the pain?