What happens if a laptop from your company is lost or stolen? Sensitive or confidential data may be leaked to competitors or the public. Even more seriously, if the laptop held any personal identification data, most states require by law that the breach be reported. Once such a report is made, your company suffers a loss of valuable reputation – one that may have taken years to build. On top of that, the possibility of a lawsuit from affected individuals looms. Fortunately there is plenty that can be done to keep sensitive data safe, foremost of which is full disk encryption.
What is full disk encryption?
Full disk encryption (FDE) is one of the best ways of protecting your company’s sensitive data. FDE is when every bit on the disk or volume is encrypted to prevent unauthorized access. This can be achieved via software or hardware methods, with software being the most common and usually least expensive route.
The FDE software encrypts all parts of the disk, including swap space, temporary files and the operating system, with the exception of the master boot record, which must stay in the clear for the computer to boot. One encryption key is used for everything, so all data is readable while the computer is running and unlocked. Because the encryption key itself is too long to remember, the most common FDE implementations unlock it through authentication: a password, or hardware such as a smart card, fingerprint reader or token. Without proper authentication from the user, all data remains encrypted and thus unreadable.
How secure is too secure? To address situations where the authentication password is forgotten, the relevant employee is suddenly unavailable or the smart card is lost, most FDE programs supply a unique emergency recovery key (usually around 40 digits long) to be stored in a highly secure location so that the organization has some way to decrypt their data in an emergency.
Is full disk encryption (FDE) right for your organization?
If you use file-level encryption software to encrypt only certain files or directories, you may be wondering whether you need FDE. The answer is yes, especially if you handle personal identification data on that computer or have other data that you wish to keep secure. (Personal identification data is defined differently in different states, but is usually a name associated with at least one of the following: driver’s license number, social security number, credit card or other financial information, or a password or identification key leading to financial information.) Encrypting only certain files or directories carries the risk of failing to select every copy of the files you meant to protect, so in situations where it is critical that data remain secure, FDE is recommended because it encrypts everything. There is nothing wrong with using file-level encryption in addition to FDE as an extra layer of protection, however. In other words, file-level encryption is no substitute for FDE, but it may be used to complement it.
On the other hand, an encryption suite is overkill for virtually all small-sized and most medium-sized businesses. For such businesses, purchasing FDE on its own will suffice unless they are just beginning to put data security safeguards in place (and therefore have a range of needs) or wish to overhaul all their data security at once. A suite is a package in which FDE forms only a small part of the data security, such as where FDE interfaces with other security software components. A suite becomes cheaper than buying the standalone FDE program only if most of the suite’s other components are also used. For most small or medium-sized businesses that already implement other data security measures, it is therefore generally cheaper to purchase FDE on its own instead of a suite.
Cost and scale are another consideration. Standalone versions of FDE generally work out cheaper per computer unless at least several hundred computers are involved. However, FDE software designed to be installed on many computers comes with significant added conveniences, such as centralized management supporting one or more administrators and multiple users on individual computers. Businesses anticipating rapid growth should weigh these considerations carefully.
Some examples of full disk encryption software
BitLocker Drive Encryption
BitLocker Drive Encryption is a software FDE that can also use a hardware component on computers equipped with a Trusted Platform Module – a hard-wired chip that ties a hard disk drive to a specific motherboard. Moving the hard disk to another computer therefore automatically renders the data unreadable on the new computer, providing a further level of security. This software is available in Windows Vista Enterprise and Ultimate and may be ideal for small businesses. However, one flaw is that it cannot work on more than one disk volume. While this is not a problem if the computer is configured with only one volume, BitLocker Drive Encryption is not for those who use multiple disk volumes.
Sophos SafeGuard Device Encryption
This FDE software works with NTFS, FAT and FAT32 file systems on Windows 7, Windows Vista and Windows XP. It features a very wide range of available authentication systems. Sophos SafeGuard Device Encryption is the main part of the wider suite of Sophos Enterprise software. It can be centrally distributed and rolled out across networks, and it comes with plenty of customer support, including secure phone help for lost passwords and automated administrative activities. This may be a good choice for medium-sized businesses because it is designed to make support as convenient as possible for the company’s IT professional.
Symantec Endpoint Encryption
This FDE also works on removable storage devices, such as USB drives and removable hard drives. It is compatible with Windows 7, Windows 2000, Windows XP and Windows Vista. Symantec Endpoint Encryption supports multiple users and administrators on individual machines, making it a flexible option for businesses anticipating growth.
SecureDoc for Mac
For those on Macintosh operating systems, SecureDoc for Mac may be purchased either as a standalone version for individual computers or as part of a centrally managed system, making it suitable for both small and medium-sized businesses. Requiring OS X v10.4.8 or higher, SecureDoc for Mac additionally offers the option of working with a Seagate Momentus FDE drive to provide hardware encryption.
Full disk encryption in summary
Full disk encryption (FDE) is essential for businesses wishing to protect sensitive data such as personal identification data or proprietary information. A wide range of FDE software options is currently available. Small businesses looking to minimize costs should aim for software that is available in standalone format, while medium-sized businesses would benefit from larger-scale versions offering the convenience of centralized management and the ability to be rolled out across networks. Other factors for IT professionals to consider are: the supported methods of user authentication, the recovery route in the case of a lost password or other lost authenticator, whether any hardware modifications are required for the FDE or for user authentication to work at its best, and the level of user support provided.