Full disk encryption comes to workgroups
- 14 May, 2009 04:34
Losing your laptop can be expensive in three ways. First, you'll spend hundreds or thousands of dollars to replace the hardware. Second, you'll suffer the time and aggravation of restoring your data, all the while hoping you have everything backed up properly. But most expensive? Surviving the backlash and legal consequences of losing customer data, financial records and private company information.
How expensive can that last penalty be? Some experts put the minimum price at US$50,000 if you lose customer data that requires you to comply with your state's security breach notification law. All states now have these laws in some form or another. But beyond the legal implications, how would you like to contact all your customers and explain how their financial data was on a laptop you left at the airport security checkpoint?
More than 10,000 laptops per week in the United States stay at the checkpoints after their owners walk away in their retrieved shoes. But if you lose a laptop protected with Full Disk Encryption (FDE), you only have to worry about replacing the hardware and restoring your data. Security breach laws don't apply to laptops with full disk encryption installed because the information on the disk cannot be retrieved without the password.
Disk encryption software hides in the part of the hard disk that initializes the hardware. When you start the machine you provide your password to the encryption software before it loads Windows and your applications and data. Most tools then provide your password to Windows as well, but some may not.
When I say "full disk encryption" I mean a third party option above and beyond normal Windows or Macintosh login security. Your Windows password only stops novice hackers. Windows folder encryption doesn't cover everything, because Windows scatters critical information all over your hard disk. Any disk that doesn't have full disk encryption can be broken and the contents read, particularly if stolen for that reason. Sometimes bad guys are after your good data.
Of course, the 10,000 laptops lost in airports aren't stolen by corporate spies. However, the data breach laws apply to all lost laptops, even those slowly decaying in the lost and found pile (two-thirds of laptops lost at airports are never recovered).
Full disk encryption software has long been used by large enterprises that can afford to spend a couple hundred dollars per laptop and the network infrastructure to support the software. The least expensive personal whole disk encryption software at $35 was discontinued by the maker last year. Now your choices are around $100 per laptop, and free.
Since "free" is always good, take a look at TrueCrypt, the free Open Source full disk encryption software. TrueCrypt isn't the only free option, but it's the most popular. Almost 10 million copies of TrueCrypt have been downloaded over the past few years.
Installing encryption on individual laptops works, but isn't very manageable. The user sets the password, which may not be a good password (see Password Strength). The user may then change the password, or not tell the company what the password is, meaning the laptop data can never be recovered if the user leaves or gets hit by that proverbial truck. If you don't have the correct password for your encrypted laptop, you can't get the data. And the software vendor can't help you, so don't ask.
Large enterprises use dedicated network servers to manage the encryption keys and passwords for each laptop. This allows network administrators to recover passwords when lost, the number one reason for help desk calls. Even if the user changes the password, enterprise encryption management systems can recover the data by technical tricks of key escrow and hardware fingerprints and the like.
For the first time, a small company can get those same management advantages without the enterprise pricing. PGP now sells Whole Disk Encryption Workgroup Edition that lets any standard Windows computer perform the encryption key and password management functions when needed. Aimed at companies protecting 10-150 workstations, PGP provides most of the enterprise management features without the need for enterprise servers and databases.
PGP's cost per license is around the same as competitors at $100 or so depending on price discounts and volume. It only sells this product through its 600 or so resellers, not online or through retail. You can find other individual encryption packages through the major online stores or by searching the Web.
If you have a relationship with another vendor that offers full disk encryption products needing servers and the like for management, call them. Most are talking about a managed service offering to handle the individual computer encryption details over the Web.
Many full disk encryption products also allow you to encrypt data stored to CDs, DVDs and USB drives. Some USB hard drives also come with encryption options. But managing and transmitting passwords for removable storage can be tough. Rethink securely sharing common files via online collaboration tools rather than removable drives.
Wikipedia has a great Comparison of Disk Encryption Software listing. A few are free, most are not, but this is a good starting point for your encryption software search. You should notice that Windows offers the BitLocker full disk encryption on two version of Vista only, and promises it on some versions of Windows 7. But BitLocker is a logical volume encryption system that can't be used on the boot volume. That's why I recommend getting a third party product for full data protection.