Full disk encryption is expected to be the top security technology to be tested or adopted this year. What are the challenges and benefits likely to be?
Business case must be well-managed to balance cost and benefits of full disk encryption
In seeking to provide a detailed response for the above questions, views have been sought from the wide community of experts that make up the BCS Security Forum Strategic Panel (SFSP) as well as the BCS membership itself, writes Andrea Simmons, consultant forum manager at the BCS Security Forum.
Full disk encryption (FDE) is expected to be the top security technology tested or adopted this year. There is little doubt encryption helps improve security. The issue that requires more thought on a case-by-case basis is that of desktops and the point at which the overhead becomes worth it.
For example, consider a reasonably sized, separated network of desktops used for running software that processes very confidential documents. The machines are all kept in an access-controlled environment, but FDE would add an additional layer of security. However, due to the nature of the work, the Linux and Windows machines are regularly re-imaged. With FDE this would be much slower, as you can't tell which parts of the disk are data and which can be ignored, so a hard disk that previously held about 20GB of actual imaged data becomes 180GB of data you need to re-image every time. These are the practical security and operational challenges that present themselves to IT professionals on a regular basis.
There are many different options, and budget will affect which technology is chosen and for what purpose. The business case must be well managed to apply the most appropriate solution, and it must be driven by a suitable risk assessment.
If you deploy complex technology, it should be implemented with strict controls to get the best out of it. This will mean an element of communication and education for those whose day-to-day operation of existing equipment it will affect.
This is going to be the biggest challenge if you believe many implementations of full disk encryption are likely to be a knee-jerk response to a data breach or data loss that prompted action. On the one hand, there are many IT managers who have been pleading, for many months if not years, for protection such as disk encryption as an appropriate technical control for a security challenge. On the other hand, there are many technology companies rubbing their hands with glee at the potential of increased sales. So somewhere in the mix of all this should be the information security manager applying sense, reason and risk assessment methodologies.
So what other challenges might there be? Where to stop is probably one of them. We have Blackberries, PDAs, mobile phones, laptops and desktops, all containing information, all of which needs to be identified, labelled and properly handled and managed in a way that protects the information appropriately. That may include encryption, full or otherwise (that is, there are partial options).
The benefits are clear in terms of the protection afforded. Implementation and cost benefit continue to be the challenge.