Realise the full benefits by encrypting hard drives and storage media.
Full drive protection completely replaces the contents of a user's hard drive with an encrypted image, writes John Girard, vice-president and distinguished analyst at Gartner. Combined with pre-boot authentication, this leaves a thief with nowhere to start: without the credential, no filenames, directory structure or data are visible on the stolen drive. The flip side is recovery. If a fully encrypted drive is damaged, getting at it at all requires the vendor's proprietary diagnostic disk (usually a bootable CD), and even when a support technician can read the drive, recovery is a sector-level exercise rather than a file-level one. Pre-boot authentication has other challenges too: if the company uses Wake On LAN, for example, the system has to boot and unlock with no user present to type a passphrase.
In contrast, file-based encryption doesn't change the user's system image so radically. Files and folders are selectively encrypted, but the files and folders themselves usually remain visible, so it is very important to choose the right ones to protect: anything left out of the policy is readable by whoever picks up the drive. File-oriented products have become sophisticated and can automatically protect data based on owner or application, and can be directed to encrypt every piece of data that won't interfere with system start-up. File-based encryption allows companies to use standard diagnostic approaches and is more flexible in the Wake On LAN case, because system start-up is independent of user data encryption.
Both methods can achieve high levels of certification, including FIPS 140-2 validation of the cryptographic modules and Common Criteria evaluation of the product. Both methods need time for installation. First-time encryption can take many hours, depending on the starting amount of data and system performance, but, on the upside, it only has to be done once: later key and passphrase changes re-wrap the key material rather than re-encrypting the data. Both methods have been accused of performance and stability problems, so it's important to test before committing to a product, and to ensure that systems have enough processing power and memory to work with encryption.
No matter what method you choose for your PC drive, file encryption will be an expanding requirement. You need to anticipate and set encryption policies for data transfer to flash media, CDs, DVDs, external hard drives and other destinations. Smartphones and PDAs cannot be encrypted as full drives, and removable media devices may necessarily carry a mixture of encrypted and unencrypted data.
- Get your workstations, phones and PDAs encrypted as soon as possible.
- Don't bypass pre-boot authentication to make full drive encryption logins easier.
- Don't dismiss file encryption. You will be using it for a long time to come.
- Make sure your help desk and your users are fully trained to live with changes to their systems.
- Implement regular backups so you avoid wasting time trying to recover encrypted data from individual devices.
- Don't make recovery too easy - otherwise the wrong people might get hold of your decryption passwords!
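The key-slot design that makes the pre-boot and recovery advice above workable, as an added example that is not part of the article or of any Gartner-evaluated product: the drive image is encrypted once under a random volume key, and that key is stored only wrapped under a user passphrase slot and a separate recovery-key slot held by the help desk. The cipher here (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) and the slot names, sample sectors and passphrases are all constructed for illustration; a shipping product would use AES and its own on-disk header format.

```python
"""Key-slot model of a fully encrypted drive: illustrative, standard library only."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # slows down passphrase guessing against a stolen header


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separated sub-keys so the keystream and the MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))


class EncryptedDrive:
    """Drive image encrypted once under a random volume key; the volume key itself is
    kept only wrapped under per-credential slots (user passphrase, help-desk recovery key)."""

    def __init__(self, image: List[bytes]) -> None:
        self.image = image                          # encrypted sectors, written once
        self.slots: Dict[str, Tuple[bytes, bytes]] = {}  # name -> (salt, wrapped volume key)

    @classmethod
    def create(cls, sectors: List[bytes], passphrase: bytes, recovery_key: bytes) -> "EncryptedDrive":
        volume_key = secrets.token_bytes(KEY_LEN)
        drive = cls([seal(volume_key, s) for s in sectors])  # the slow first-time encryption
        drive.add_slot("user", passphrase, volume_key)
        drive.add_slot("recovery", recovery_key, volume_key)
        return drive  # volume_key now survives only inside the two wrapped slots

    @staticmethod
    def _kek(credential: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential, salt, PBKDF2_ROUNDS, KEY_LEN)

    def add_slot(self, name: str, credential: bytes, volume_key: bytes) -> None:
        """Adding or replacing a slot needs an already-unlocked volume key, never a re-encryption."""
        salt = secrets.token_bytes(16)
        self.slots[name] = (salt, seal(self._kek(credential, salt), volume_key))

    def unlock(self, name: str, credential: bytes) -> Optional[bytes]:
        """Pre-boot unlock: derive the slot key from the credential and unwrap the volume key."""
        if name not in self.slots:
            return None
        salt, wrapped = self.slots[name]
        return unseal(self._kek(credential, salt), wrapped)

    def revoke_slot(self, name: str) -> None:
        del self.slots[name]

    def read(self, volume_key: Optional[bytes], index: int) -> Optional[bytes]:
        return None if volume_key is None else unseal(volume_key, self.image[index])


# Constructed sample content: a filename, a data block and a system hive a thief would look for.
SAMPLE_SECTORS = [b"/Users/finance/payroll_2024.xlsx", b"salary,name\n98000,A. Smith\n", b"<system registry hive>"]
USER_PASSPHRASE = b"correct horse battery staple"    # constructed
RECOVERY_KEY = secrets.token_bytes(KEY_LEN)          # escrowed with the help desk, never on the laptop


def demo() -> dict:
    drive = EncryptedDrive.create(SAMPLE_SECTORS, USER_PASSPHRASE, RECOVERY_KEY)
    image_before = list(drive.image)
    results = {
        "plaintext_visible": any(s in blob for s in SAMPLE_SECTORS for blob in drive.image),
        "wrong_passphrase": drive.unlock("user", b"password1"),
        "user_reads_sector": drive.read(drive.unlock("user", USER_PASSPHRASE), 1),
        "help_desk_reads_sector": drive.read(drive.unlock("recovery", RECOVERY_KEY), 0),
    }
    # Forgotten passphrase: the help desk unlocks with the recovery slot and re-enrols the user.
    drive.add_slot("user", b"new passphrase after reset", drive.unlock("recovery", RECOVERY_KEY))
    results["new_passphrase_works"] = drive.read(drive.unlock("user", b"new passphrase after reset"), 1)
    results["old_passphrase_dead"] = drive.unlock("user", USER_PASSPHRASE)
    results["image_rewritten"] = drive.image != image_before  # re-wrap only, no second encryption pass
    # Laptop leaves the fleet: drop the recovery slot so a leaked escrow key is useless.
    drive.revoke_slot("recovery")
    results["recovery_after_revoke"] = drive.unlock("recovery", RECOVERY_KEY)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The two points worth taking from running it: the encrypted image contains neither filenames nor data, so a thief who skips pre-boot authentication has nothing to work with, and the recovery key is a second slot rather than a copy of the passphrase, so the help desk can reset a forgotten passphrase or revoke escrowed access without re-encrypting the drive. Keeping that recovery slot is exactly where "don't make recovery too easy" bites: whoever holds the escrowed key can read every sector.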