Full-Disk Encryption Is Partial Protection, Analysts Say

Full-disk and file-based encryption should be combined to best prevent data leaks, according to security analysts and vendors.

It seems to be in the news about once a month: another laptop disappears containing thousands of pieces of corporate or personal data.

Now the legal department wants to know whether IT can confirm that some or all of the data was encrypted so the company can determine both its risk and what to do next.

It is in cases like these, when data is at risk, that some vendors and analysts say full-disk encryption is the ultimate assurance against data leaks.

"The legal position that is out there is if I lose a machine and the data's encrypted, it doesn't really matter what data is on the machine because no one can get access to it," said Steven Sprague, CEO of Wave Systems, based in Lee, Mass. "So there are a couple of challenges with that. One is, Do I have good, strong encryption? The second one is, How do I prove this machine I no longer have was encrypted when I lost it?"

A partnership between Wave Systems, Seagate Technology and Dell has led to managed, hardware-based encryption on Dell's Latitude D630 and D83 computers, courtesy of Seagate's Momentus FDE (full-disk encryption) hard drive and Wave Systems' Embassy Trust Suite user management and pre-boot authentication capabilities.

Embassy Trust Suite allows system administrators to back up passwords, set and control hard drive policies and security settings, and perform a cryptographic erase of all data so that the drives can be safely redeployed or discarded.
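To make concrete what pre-boot authentication, password backup and cryptographic erase mean at the key level, here is a constructed model of a self-encrypting drive's key hierarchy. It is an added example, not Wave Systems or Seagate code; the class and method names are hypothetical, and an HMAC-based keystream stands in for the drive's AES engine.

```python
import hashlib
import hmac
import secrets

# Stand-in for the drive's AES engine: HMAC-SHA256 as a counter-mode keystream.
# Illustrative only; a real self-encrypting drive runs AES in hardware.
def _xor_stream(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)
def _kek(password, salt):  # derive a key-encryption key from a credential
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
class SelfEncryptingDrive:
    """Media key (MEK) is in the clear only while the drive is unlocked; on the
    platter it exists solely wrapped under each enrolled credential. Crypto erase
    discards the MEK, so every sector becomes unrecoverable without being rewritten."""
    def __init__(self, owner, password):
        self._salt = secrets.token_bytes(16)
        self._wrapped, self._sectors, self._mek = {}, {}, None
        self._provision(owner, password)
    def _provision(self, owner, password):  # mint a fresh MEK, wrap it, lock
        self._mek = secrets.token_bytes(32)
        self._check = hmac.new(self._mek, b"mek-check", hashlib.sha256).digest()
        self.enroll(owner, password)
        self.power_off()
    def enroll(self, name, password):  # admin backs up access to the MEK
        assert self._mek, "unlock with an existing credential first"
        self._wrapped[name] = _xor_stream(_kek(password, self._salt), name.encode(), self._mek)
    def unlock(self, name, password):  # pre-boot authentication
        if name not in self._wrapped:
            return False
        mek = _xor_stream(_kek(password, self._salt), name.encode(), self._wrapped[name])
        tag = hmac.new(mek, b"mek-check", hashlib.sha256).digest()
        self._mek = mek if hmac.compare_digest(tag, self._check) else None
        return self._mek is not None
    def power_off(self):
        self._mek = None
    def write(self, lba, data):  # tweak = sector number, as in XTS
        assert self._mek, "drive is locked"
        self._sectors[lba] = _xor_stream(self._mek, lba.to_bytes(8, "big"), data)
    def read(self, lba):
        assert self._mek, "drive is locked"
        return _xor_stream(self._mek, lba.to_bytes(8, "big"), self._sectors[lba])
    def raw_sector(self, lba):  # what a thief reading the platter directly sees
        return self._sectors[lba]
    def crypto_erase(self, new_owner, new_password):  # safe redeploy/discard
        self._wrapped.clear()  # every wrapped copy of the old MEK is gone
        self._provision(new_owner, new_password)
```

The recovery credential added with `enroll` is what lets an administrator open a drive whose user forgot the password, and `crypto_erase` shows why a discarded drive needs no multi-pass overwrite.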

"Why shouldn't encryption be baked into the hard drives we buy and the systems we acquire?" asked Neil MacDonald, an analyst with Gartner.

But when it comes to protecting information overall, full-disk encryption is best thought of as only part of the solution, MacDonald and others said.

"It does nothing to improve DLP [data leak prevention] if a user has an encrypted hard drive, boots, supplies their PIN and then proceeds to copy sensitive files into e-mail or onto USB storage in unencrypted form," he said. "File-based encryption supplements FDE, especially on machines and folders that are shared between users."

The process changes brought on by FDE, such as key management, storage and recovery when someone loses a password, are all concerns for businesses, MacDonald said. The cost of encryption has also been an issue, though moves by Microsoft, Seagate, Dell and others have helped, he added.

"Up until about 18 months ago, average costs [for software] per desktop were in the range of $70 to $90," MacDonald said. "We are seeing pricing half that today."

Companies considering moving to hardware-based encryption would have to tally the price of purchasing brand-new laptops for all of their users, a potentially hefty price tag for large enterprises.

The potential for data leaks extends beyond missing laptops to when employees copy sensitive information onto USB devices, for example.

"Hackers are going to take the path of least resistance to get to the data," said Patrick McGregor, CEO of BitArmor Systems, based in Pittsburgh. "If the data is perceived to be safe on the hard drive then they are going to attack where it is more vulnerable. Since Seagate cannot encrypt data once it leaves the computer, the smart hackers will wait until the user initiates a file transfer and either steal the data off the network or wait until it is copied to a USB drive or an unprotected network share."

And that, he said, is when file-based encryption products step into the batter's box. BitArmor takes a primarily file-level approach to encryption with its DataControl software, the latest version of which uses what the company calls Smart Tags to ensure that data remains encrypted while at rest on laptops and other devices or in motion.

"The only way to truly prevent data leaks is to protect and manage sensitive files, which cannot be accomplished with drive encryption alone," McGregor contended.

Thomas Raschke, an analyst with Forrester Research, agreed. FDE is important once the damage has been done, when data or devices have been leaked or lost, but preventing information loss in the first place is the key, he said.

"Layered and risk-based security is what works best; ILP [information leak prevention] and encryption need to be integrated," he said. "ILP gives you a more fine-grained level of security: It can manage the use of pieces of sensitive content based on defined policies, e.g. one line in a Word doc."

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.