Full Disk Encryption: Security on a Wild Ride
Suppose you were being seated in a roller coaster car. You pull down your lap bar, and the guy sitting next to you refuses, saying he will just hold on while the car twists and turns and flips upside-down, because he finds the restraints uncomfortable. This is obviously foolish; the safety measures are there for a reason, and anyone who doesn’t use them is just asking for trouble.
Business security today has its own twists and turns, and a company’s intellectual property and other assets need protection through all of them. One of the most fundamental, yet widely neglected, security measures is full disk encryption (FDE). Let’s look at some of the basic questions surrounding FDE, and why it deserves another look.
Why aren’t more businesses taking advantage of it?
While technology itself has been moving forward by leaps and bounds, our perception of technology changes much more slowly. This is often the case with encryption: many people still consider it a slow, resource-intensive process that is hard to manage and impairs productivity. They are also more inclined to put their budget toward more visible projects. And many of them still believe that a data breach won’t happen to them. And yet, in 2012 alone, 1 in 5 data breaches resulted from lost or stolen portable devices (laptops, data tapes, hard drives and other removable media) or stationary devices (desktops or servers).
The perception of slowness is inaccurate. The expensive step is the one-time initial encryption of the drive; after that, whole-disk encryption works transparently at the block level, and modern CPUs with hardware AES instructions handle it with little measurable cost. Only power users performing I/O-intensive workloads are likely to notice any slowdown. For the typical user the overhead is smaller than that of other endpoint agents such as antivirus.
What are the advantages of encryption?
Encryption is essentially insurance against loss or theft of a device containing sensitive information; we buy encryption software, like insurance, in the hope we’ll never truly need it. When a business loses a device containing data such as the personally identifying information of its customers, it is generally required to disclose the loss and notify all parties who may be affected. Needless to say, this is time-consuming and costly, not only in absolute dollars but in damage to the company’s reputation. When a lost or stolen device is protected by FDE, however, that information stays unreadable, and the only loss is the device itself, which is negligible compared with the cost of disclosure. Two caveats apply. First, most breach-notification laws exempt encrypted data only if the key or passphrase was not lost along with it, so a password on a sticky note inside the laptop bag voids the insurance. Second, FDE protects data at rest: once the machine is booted and unlocked, the operating system decrypts everything transparently, so FDE does nothing against malware running on the system or against a thief who grabs a powered-on, logged-in laptop.
Who should deploy encryption, and where should it be used?
Large and small businesses alike should employ encryption; data breach notification laws apply to companies of all sizes, and those who are interested in your intellectual property are often opportunistic and don’t care how large or small your business is. The odds of an employee’s laptop being lost or stolen are as high as 1 in 10, according to a Ponemon Institute study. It’s important to deploy encryption on any device that holds intellectual property or other confidential information: desktops, laptops, data tapes, servers and removable media.
How do we overcome the challenges associated with FDE to implement it effectively?
A little common sense goes a long way toward effective adoption of FDE. The first step is to get buy-in at the executive level for the initiative. This preparatory step may be the single most important thing you can do. If management is convinced of the usefulness of encryption, they are in a position to set policies that make it an organization-wide success. It’s far better to help them understand the importance of FDE before an incident occurs than after.
Selecting the right encryption solution matters. Many businesses will opt for whatever is least expensive or easiest to deploy. Choosing convenience over a proper evaluation of the solution with the future in mind can lead to legacy problems or compatibility issues down the road. Key management is the hard part, so look closely at it. The key that actually encrypts the disk is itself protected by one or more secrets (a user passphrase, a TPM-bound key, an administrative recovery key), and a good product keeps those as separate key slots, with the recovery key escrowed in a central management server. That is what lets an administrator unlock a drive when the user forgets the passphrase, leaves the company, or has their profile deleted from the machine, and it is what lets a passphrase be changed without re-encrypting the whole disk. Verify that every encrypted device actually has a recovery key on file before you need one. Also think about making changes later. If you want to add functionality, will you have to bring in another vendor, or does your current solution accommodate expanded features?
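To make the key-slot idea concrete, here is a small Python model of an FDE volume header with multiple key slots. It is an added example written for this page, not code from the original post or from any PGP or Symantec product. It wraps the volume key under a per-slot key derived with PBKDF2; the wrap itself uses an HMAC-derived pad plus an HMAC tag in place of the AES key wrap a real product would use, and the slot labels, iteration count and audit rules are assumptions chosen for illustration. The model shows that deleting the user’s slot does not affect the escrowed recovery slot, that a passphrase change re-wraps the same volume key rather than re-encrypting the disk, and that an audit can flag a device with no recovery path.

```python
"""Toy model of an FDE key hierarchy with multiple key slots (added example, not product code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000   # assumed per-slot cost; real products tune this to the hardware
VOLUME_KEY_LEN = 32           # the 256-bit key that actually encrypts the sectors


def _slot_keys(secret: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the slot secret into a 64-byte KEK and split it into a wrap key and a MAC key."""
    kek = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


@dataclass
class KeySlot:
    label: str
    salt: bytes
    nonce: bytes
    wrapped: bytes   # volume key XOR HMAC(wrap_key, nonce); stands in for AES key wrap
    tag: bytes       # HMAC(mac_key, nonce || wrapped); lets unlock() tell a wrong secret from a match


class VolumeHeader:
    """On-disk header: holds only wrapped copies of the volume key, never the key itself."""

    def __init__(self) -> None:
        self.slots: dict[str, KeySlot] = {}

    @classmethod
    def format(cls, volume_key: bytes, label: str, secret: bytes) -> VolumeHeader:
        """Initial encryption: create the header with a single slot for the first user."""
        hdr = cls()
        hdr._wrap_into_slot(label, secret, volume_key)
        return hdr

    def _wrap_into_slot(self, label: str, secret: bytes, volume_key: bytes) -> None:
        if len(volume_key) != VOLUME_KEY_LEN:
            raise ValueError("volume key must be 32 bytes")
        salt, nonce = os.urandom(16), os.urandom(16)
        wrap_key, mac_key = _slot_keys(secret, salt)
        pad = hmac.new(wrap_key, nonce, hashlib.sha256).digest()
        wrapped = bytes(a ^ b for a, b in zip(volume_key, pad))
        tag = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
        self.slots[label] = KeySlot(label, salt, nonce, wrapped, tag)

    def unlock(self, secret: bytes) -> bytes:
        """Try every slot; a wrong secret costs one PBKDF2 per slot, as in real headers."""
        for slot in self.slots.values():
            wrap_key, mac_key = _slot_keys(secret, slot.salt)
            tag = hmac.new(mac_key, slot.nonce + slot.wrapped, hashlib.sha256).digest()
            if hmac.compare_digest(tag, slot.tag):
                pad = hmac.new(wrap_key, slot.nonce, hashlib.sha256).digest()
                return bytes(a ^ b for a, b in zip(slot.wrapped, pad))
        raise ValueError("no key slot accepts this secret")

    def add_slot(self, label: str, new_secret: bytes, unlocking_secret: bytes) -> None:
        """Adding or replacing a slot requires proving you can already unlock the volume."""
        self._wrap_into_slot(label, new_secret, self.unlock(unlocking_secret))

    def add_recovery_slot(self, label: str, unlocking_secret: bytes) -> str:
        """Generate an admin recovery secret; the caller escrows it in the management server."""
        recovery = os.urandom(32).hex()
        self.add_slot(label, recovery.encode(), unlocking_secret)
        return recovery

    def remove_slot(self, label: str) -> None:
        """Revoke a slot (e.g. a deleted user profile); refuse to orphan the volume."""
        if len(self.slots) == 1:
            raise ValueError("refusing to remove the last slot: the data would be unrecoverable")
        del self.slots[label]

    def audit(self) -> list[str]:
        """The check an administrator wants before a device leaves the building."""
        findings = []
        if not any(label.startswith("recovery") for label in self.slots):
            findings.append("no recovery slot: a forgotten passphrase or deleted profile loses the data")
        if len(self.slots) == 1:
            findings.append("single key slot: no second path to the volume key")
        return findings


if __name__ == "__main__":
    vk = os.urandom(VOLUME_KEY_LEN)                    # constructed sample volume key
    hdr = VolumeHeader.format(vk, "user:alice", b"correct horse battery staple")
    print("before escrow:", hdr.audit())
    rk = hdr.add_recovery_slot("recovery:helpdesk", b"correct horse battery staple")
    hdr.remove_slot("user:alice")                      # simulate the deleted user profile
    print("admin unlock works:", hdr.unlock(rk.encode()) == vk)
```

Running the script prints the two audit findings for the freshly formatted single-slot volume, then confirms that the escrowed recovery secret still unlocks the volume after the user’s slot is gone. Note that `unlock` returns the raw volume key; a real product keeps that key in memory only for as long as the disk is mounted.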
Once you have chosen a solution, the deployment itself also requires adequate preparation. In addition to budgeting for the solution itself, plan for additional costs during implementation to avoid surprises down the road. Consider the user experience, and start with a pilot group before rolling out across the organization. Features such as single sign-on go a long way toward acceptance. Because the initial encryption takes time, run it overnight rather than during working hours, and make sure recovery keys are escrowed and verified before each machine goes back to its user.
While encryption isn’t as hot a topic in IT right now as mobility and virtualization, encryption is a fundamental part of your security arsenal. Used effectively alongside other endpoint security tools, it helps you weather the ups and downs of today’s constantly changing business security landscape.
Tags: breach notification laws, data breach, encryption, insider threat, PGP