Ask The Security Expert: Questions & Answers
Should full disk encryption be used to prevent data loss?

QUESTION:
Given that so much important information is found on company laptops, should a computer's entire hard drive be encrypted? What are the pros and cons?

EXPERT RESPONSE FROM: Michael Cobb, featured expert

ANSWERED December 2006:
Stories of lost or stolen laptops containing sensitive information appear almost weekly in the news, and according to a Ponemon Institute survey done in August 2006, around four out of five organizations have suffered data loss in this fashion. I would consider controlling what data can be downloaded to a company laptop in the first place, but statistics certainly support more widespread use of data or hard drive encryption.

So why don't we encrypt our data as a matter of course? Well, it's probably because of the impact on performance, plus the required increase in system administration and user support. Full-disk encryption (FDE) is a process that encrypts everything on a disk without user action. This includes the operating system, swap file and any temporary files. These last two can often leak important confidential data to a hacker. FDE also provides support for pre-boot authentication. It's an effective technique, but encryption can double data access times, particularly when virtual memory is being heavily accessed.

Another, more significant problem, though, is encryption key and password management. Any encryption system is only as safe as the encryption keys. With FDE, only one key is used to encrypt the entire disk. Usually keys are stored on the local system, and their sole protection is typically the user's password or passphrase. And we all know how weak they can be! Disk encryption therefore requires policies that enforce strong passwords and can handle forgotten passwords, encryption key backup processes and employee termination.

Despite these disadvantages, I think FDE is fast becoming an essential security requirement for any organization that holds sensitive data. Data loss can be crippling both financially and legally, and protecting data with a well-implemented FDE policy will prevent many of these problems. File encryption such as Microsoft's Windows EFS (Encrypting File System) is a start, but EFS doesn't encrypt all of the data saved on the hard disk. Also, file encryption is nowhere near as efficient as drive encryption.

There are plenty of new products that will make FDE a more practical solution. Windows Vista Enterprise and Ultimate editions, for example, include BitLocker full volume encryption (FVE). It encrypts the partition on which Vista is installed, and it does so on a sector basis rather than by files. This arrangement protects all data, including that in the paging file, hibernation file and all system files. Other partitions can only be protected using EFS, but at least the EFS encryption keys are located on the OS partition. On the hardware side, Seagate is about to ship a hard drive that includes a special encryption chip that will make its data impossible for anyone to read -- or even boot up its PC -- without some form of authentication. (I'm a fan of using hardware tokens to reduce password management overhead, but it's an additional cost to consider.) Thankfully, Seagate is also working to develop an enterprise password management system that works with the drives.

More information:

  • Learn the best practices for encryption key management.
  • Implement database encryption, while saving money in the process.
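The answer above points out that an FDE volume is protected by a single key, that this key usually sits on the local disk behind nothing stronger than the user's passphrase, and that a deployment therefore needs a way to handle forgotten passwords, key backup and employee termination. The example below, added here and not taken from the answer, from Michael Cobb, or from any product such as BitLocker or the Seagate drive mentioned, shows the key hierarchy that makes those policies workable: the disk is encrypted under a random data-encryption key (DEK) that is never stored in the clear; the DEK is wrapped once under a key derived from the passphrase and once under a random recovery key that the organisation escrows. A forgotten password is handled with the recovery key, a passphrase change or a termination only re-wraps the DEK, and the encrypted sectors are never touched. The type and function names, the "passphrase"/"recovery" labels and the PBKDF2 iteration count are assumptions made for this example; it uses only the Go standard library (PBKDF2 is written out so nothing outside it is needed).

```go
// Added example (not from the article or any product): one DEK protected by a passphrase and by an escrowed recovery key.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const keyLen, kdfIter = 32, 100000 // AES-256 key size; PBKDF2 iterations (hypothetical policy value)

// Protector is one wrapped copy of the DEK; the DEK itself is never stored in clear.
type Protector struct {
	Salt  []byte // set only for the passphrase protector
	Nonce []byte
	Blob  []byte // AES-GCM ciphertext of the DEK under a KEK, tag appended
}

type Volume struct{ Passphrase, Recovery Protector }

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), written out to avoid x/crypto.
func pbkdf2SHA256(password, salt []byte, iter, n int) []byte {
	var out []byte
	for block := uint32(1); len(out) < n; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			subtle.XORBytes(t, t, u)
		}
		out = append(out, t...)
	}
	return out[:n]
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// wrap seals the DEK under kek; the label is associated data, so a recovery blob cannot pose as a passphrase blob.
func wrap(kek, dek []byte, label string, salt []byte) Protector {
	nonce := mustRandom(12)
	return Protector{Salt: salt, Nonce: nonce, Blob: gcmFor(kek).Seal(nil, nonce, dek, []byte(label))}
}

func unwrap(kek []byte, p Protector, label string) ([]byte, error) {
	return gcmFor(kek).Open(nil, p.Nonce, p.Blob, []byte(label))
}

// NewVolume generates a fresh DEK and protects it twice; the returned recovery key is what the organisation escrows.
func NewVolume(passphrase string) (*Volume, []byte) {
	dek, recoveryKey, salt := mustRandom(keyLen), mustRandom(keyLen), mustRandom(16)
	return &Volume{
		Passphrase: wrap(pbkdf2SHA256([]byte(passphrase), salt, kdfIter, keyLen), dek, "passphrase", salt),
		Recovery:   wrap(recoveryKey, dek, "recovery", nil),
	}, recoveryKey
}

func (v *Volume) UnlockWithPassphrase(passphrase string) ([]byte, error) {
	return unwrap(pbkdf2SHA256([]byte(passphrase), v.Passphrase.Salt, kdfIter, keyLen), v.Passphrase, "passphrase")
}

func (v *Volume) UnlockWithRecoveryKey(recoveryKey []byte) ([]byte, error) {
	return unwrap(recoveryKey, v.Recovery, "recovery")
}

// ChangePassphrase re-wraps the existing DEK; the sectors, which depend only on the DEK, are untouched.
func (v *Volume) ChangePassphrase(dek []byte, newPassphrase string) {
	salt := mustRandom(16)
	v.Passphrase = wrap(pbkdf2SHA256([]byte(newPassphrase), salt, kdfIter, keyLen), dek, "passphrase", salt)
}

func main() {
	v, recovery := NewVolume("correct horse battery staple")
	dek, err := v.UnlockWithRecoveryKey(recovery)
	fmt.Printf("DEK recovered without the passphrase: %x (err=%v)\n", dek, err)
}
```

The two things worth checking when reviewing a real deployment follow directly from this structure: the recovery key must be escrowed somewhere the laptop's thief cannot reach (a central store, not a file beside the volume), and a termination is complete only once the passphrase protector has been re-wrapped, because the old passphrase continues to unlock the DEK until then.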