Data Encryption: File Level Encryption or Full Disk Encryption?
Agencies are now on the hunt for a data encryption solution. The decision must be made between file-based encryption and full-disk encryption (FDE).
Because funding is always a huge issue in government agencies, it would make sense to leverage existing investments. This may lead some agencies to select file encryption. After all, Windows XP comes with encryption (EFS) built-in. For that matter, so do Linux and the Mac OS.
While this solution is cost effective, it leaves one serious and all-too-common security risk—it relies on users to do the right thing. This form of encryption automatically encrypts everything stored in a selected folder or directory. The problem is that anything saved outside those folders remains in the clear, which makes it much too easy to leave sensitive data unsecured.
As I stated earlier in the article, relying on people doesn’t provide good security. In the case of file encryption, you’d need policies stating that all sensitive information must remain encrypted. Then you would have to rely on users making the correct decisions, and never making mistakes.
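As an added example that is not part of the original article, the following PowerShell audit makes that gap visible on a Windows machine using EFS: it walks a user's profile folders and lists files with sensitive-looking extensions that EFS has not encrypted. The root folders and the extension list are placeholder assumptions; an agency would substitute its own data-classification policy.

```powershell
# Added example (not from the article): find sensitive files that sit outside
# EFS-encrypted folders. Assumptions: the roots and extension list below are a
# placeholder policy, not any agency's actual classification rules.
param(
    [string[]]$Roots = @(
        "$env:USERPROFILE\Documents",
        "$env:USERPROFILE\Desktop",
        "$env:USERPROFILE\Downloads"
    ),
    [string[]]$SensitiveExtensions = @('.docx', '.xlsx', '.pdf', '.csv')  # placeholder policy
)

$report = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $SensitiveExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Windows sets FileAttributes.Encrypted on every file EFS has encrypted,
            # whether it was encrypted directly or inherited from its folder.
            [pscustomobject]@{
                Path      = $_.FullName
                Encrypted = $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted)
            }
        }
}

# Anything in the report without the Encrypted attribute is exactly the
# "stored outside the encrypted folder" case the policy relies on users to avoid.
$unprotected = @($report | Where-Object { -not $_.Encrypted })

"Sensitive files scanned : $(@($report).Count)"
"Not EFS-encrypted       : $($unprotected.Count)"
$unprotected | Sort-Object Path | Format-Table -AutoSize
```

Run as the user whose profile is being audited, since EFS-encrypted files owned by other accounts are not readable and their attributes may not be enumerable.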
Although FDE takes human error and decision making out of the process entirely, it introduces an entirely new set of problems. The most common helpdesk calls for most organizations involve unlocking accounts and passwords. If encryption is added into the environment, another solution is needed for these problems.
Fortunately, enterprise data encryption solutions provide central management tools for resetting passwords when the user forgets or leaves, so the corporate data remains a corporate asset.
A recent article in Information Security Magazine details efforts by two companies to protect their corporate assets, customer information, and intellectual property. They didn’t even discuss file/folder versus full-disk encryption.
For these two large corporations, it was a foregone conclusion that they would apply full-disk encryption. The major difference is that one organization decided to close all the loopholes and encrypt all mobile systems.
A representative of the organization gives this excellent reasoning:
I don’t want to have to manage each laptop based on what it may or may not contain. That’s what drove the decision to encrypt all laptops. Doing so allows the company to have one approach for managing all the devices, and full disk encryption makes the potential disappearance of a laptop a non-issue, since data cannot be harvested when it’s encrypted.
This may not be the ideal solution in many cases. Initial investment, a lack of necessary manpower and resources, and the potential for problems due to slow performance and key management difficulties are all issues that need to be evaluated.
An alternate approach is to focus FDE efforts on high-risk users based on their jobs and how much they travel. In other words, the approach is to evaluate the risk and then take appropriate steps to mitigate the known risk.