Should full disk encryption be used to prevent data loss?

BROWSE BY TAG Platform Security,   Enterprise Data Protection,   Disk Encryption and File Encryption,   Identity Theft and Data Security Breaches,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Platform Security Should developers create libraries of common cryptographic algorithms? How to secure USB ports on Windows machines What is the best database patch management process? What is an encryption collision? What are new and commonly used public-key cryptography algorithms? Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Should businesses delay Windows Vista adoption and just buy Windows 7? Why should we place data files on a separate partition than the OS? Should Windows Mobile updates come from Microsoft? Disk Encryption and File Encryption Health Net healthcare data breach affects1.5 million Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Should developers create libraries of common cryptographic algorithms? What is an encryption collision? Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection Voltage, RSA spar over tokenization, data protection Truth, lies and fiction about encryption What are new and commonly used public-key cryptography algorithms? Identity Theft and Data Security Breaches Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Advanced Encryption Standard  (SearchSecurity.com) data key  (SearchSecurity.com) Encrypting File System  (SearchSecurity.com) encryption  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) network encryption  (SearchSecurity.com) output feedback  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) Rijndael  (SearchSecurity.com) Twofish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Stories of lost or stolen laptops containing sensitive information appear almost weekly in the news, and according to a Ponemon Institute survey done in August 2006, around four out of five organizations have suffered data loss in this fashion. I would consider controlling what data can be downloaded to a company laptop in the first place, but statistics certainly support more widespread use of data or hard drive encryption.

So why don't we encrypt our data as a matter of course? Well it's probably because of the impact on performance, plus the required increase in system administration and user support. Full-disk encryption (FDE) is a process that encrypts everything on a disk without user action. This includes the operating system, swap file and any temporary files. These last two can often leak important confidential data to a hacker. FDE also provides support for pre-boot authentication. It's an effective technique, but encryption can double data access times, particularly when virtual memory is being heavily accessed.

Another, more significant problem, though, is encryption key and password management. Any encryption system is only as safe as the encryption keys. With FDE, only one key is used to encrypt the entire disk. Usually keys are stored on the local system, and their sole protection is typically the user's password or passphrase. And we all know how weak they can be! Disk encryption therefore requires policies that enforce strong passwords and can handle forgotten passwords, encryption key backup processes and employee termination.

Despite these disadvantages, I think FDE is fast becoming an essential security requirement for any organization that holds sensitive data. Data loss can be crippling both financially and legally, and protecting data with a well-implemented FDE policy will prevent many of these problems. File encryption such as Microsoft's Windows EFS (Encrypting File System) is a start, but EFS doesn't encrypt all of the data saved on the hard disk. Also, file encryption is nowhere near as efficient as drive encryption.

There are plenty of new products that will make FDE a more practical solution. Windows Vista Enterprise and Ultimate editions, for example, include BitLocker full volume encryption (FVE). It encrypts the partition on which Vista is installed, and it does so on a sector basis rather than by files. This arrangement protects all data, including that in the paging file, hibernation file and all system files. Other partitions can only be protected using EFS, but at least the EFS encryption keys are located on the OS partition. On the hardware side, Seagate is about to ship a hard drive that includes a special encryption chip that will make its data impossible for anyone to read -- or even boot up its PC -- without some form of authentication. (I'm a fan of using hardware tokens to reduce password management overhead, but it's an additional cost to consider.) Thankfully, Seagate is also working to develop an enterprise password management system that works with the drives.

More information: