There are a number of specific types of laptop encryption available, both as free and commercial products. In addition to product capabilities and implementation types, there are numerous deployment considerations that organizations need to evaluate before rolling out laptop encryption. We’ll address the major types of laptop encryption available today, ranging from pre-encrypted drives to full disk encryption software, as well as everything in between. We’ll also examine the critical issues of key management and policy management.
BEST LAPTOP ENCRYPTION SOFTWARE OPTIONS
Most laptop encryption software products today support strong encryption using trusted algorithms such as Advanced Encryption Standard (AES), with acceptable 256-bit key lengths. The major types of laptop encryption in use today include full disk encryption, file/folder encryption, volume encryption, and pre-encrypted drives. Several variations of these types are also growing in popularity, including partial drive encryption and centrally managed file/folder encryption (sometimes called distributed encryption). All encryption products will impose varying degrees of performance impact on endpoint systems, a factor that organizations must take into consideration before jumping into a laptop encryption project.
Full Disk Encryption (FDE): FDE software generally encrypts the entire hard drive on a laptop, preventing unauthorized access to the system overall. Although many FDE systems can encrypt bootable disk partitions, quite a few leave the Master Boot Record (MBR) unencrypted to ensure stability and performance. Some technologies, such as hardware-based options that leverage Trusted Platform Module (TPM) chips in the hardware, are capable of encrypting the MBR with significantly less impact to the overall system performance. FDE solutions offer the best protection for mobile systems such as laptops, because the system cannot be decrypted at all without knowledge or possession of a specific cryptographic key. Downsides include potential performance impacts (including significantly longer boot times) and a lack of granular policy definition for protection from specific users and groups accessing the system. In fact, a major criticism of FDE is the availability of all resources when an authorized user is logged in.
FDE can be problematic in other ways as well. Some products have been known to take quite a while to encrypt the entire hard drive, and if the process encounters any errors during the encryption, the hard drive may suffer irreversible damage. In addition, FDE can sometimes interfere with the normal operation of any existing software on the system that requires read/write operations to the hard drive, such as patching agents and antivirus products. Partial disk encryption deliberately avoids encrypting specific areas of drives that require frequent access from these products, seeking to alleviate the issues FDE may cause.
File/Folder Encryption: File and folder encryption is most often used when organizations need to encrypt specific resources on systems, leveraging user, group, and role information to create policies for data protection. In many cases, this is most applicable to internal systems or servers with shared drives, but may be used on laptops when they are accessed by multiple parties, or simply for more granular policies that are more content-driven, including policies based on file types such as Microsoft Excel spreadsheets and specific keywords that are recognized by encryption agents or data loss prevention (DLP) products.
File and folder encryption is particularly useful for protecting sensitive data from systems administrators and other privileged users. For example, a CFO may want to encrypt financial spreadsheets to prevent all other users from accessing them, and only she would possess the requisite key(s) needed to access the data without implementing data or key recovery procedures. However, depending on the product, file and folder encryption software agents may cause some noticeable impact on laptop performance. File/folder encryption can also inadvertently lead to data exposure. If encryption policies are not defined or applied properly, lost or stolen laptops may have sensitive data that can be extracted by an attacker after cracking user credentials or simply duplicating the hard drive and extracting data. In most cases, policies are defined on a central management server by security and IT administrators. These are then pushed down to each system’s encryption agent and applied. For systems that don’t connect to the network often, these policies may be out of date or missing.
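The stale-policy exposure described above can be checked from the management side. The following is an added example, not code from the article or from any encryption product: it audits one laptop's agent policy against the central server's version and lists sensitive files left unprotected. The policy schema, field names, file inventory and 7-day sync threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Hypothetical policy schema; real encryption agents define their own.
@dataclass
class Rule:
    pattern: str            # lower-case file-name glob, e.g. "*.xlsx"
    allowed_groups: tuple   # groups entitled to the decryption key

@dataclass
class AgentPolicy:
    version: int
    last_sync: datetime
    rules: list

MAX_POLICY_AGE = timedelta(days=7)  # assumed staleness threshold

def audit(policy, server_version, files, now):
    """Return (policy findings, sensitive files left unprotected)."""
    if policy is None:
        return ["no policy on agent"], [f["path"] for f in files if f["sensitive"]]
    findings = []
    if policy.version < server_version:
        findings.append(f"policy v{policy.version} behind server v{server_version}")
    if now - policy.last_sync > MAX_POLICY_AGE:
        findings.append(f"last sync {(now - policy.last_sync).days} days ago")
    exposed = []
    for f in files:
        covered = any(fnmatchcase(f["path"].lower(), r.pattern) for r in policy.rules)
        # Sensitive data is exposed if no rule covers it or the agent never encrypted it.
        if f["sensitive"] and not (covered and f["encrypted"]):
            exposed.append(f["path"])
    return findings, exposed

# Constructed sample: a laptop that has been off the network for a month.
NOW = datetime(2024, 2, 1)
LAPTOP_POLICY = AgentPolicy(3, datetime(2024, 1, 2), [Rule("*.xlsx", ("finance",))])
INVENTORY = [
    {"path": "C:/Users/cfo/Q3_forecast.xlsx", "sensitive": True, "encrypted": True},
    {"path": "C:/Users/cfo/payroll_export.csv", "sensitive": True, "encrypted": False},
    {"path": "C:/Users/cfo/notes.txt", "sensitive": False, "encrypted": False},
]

if __name__ == "__main__":
    findings, exposed = audit(LAPTOP_POLICY, 5, INVENTORY, NOW)
    print(findings)
    print(exposed)
```

In the constructed sample, the spreadsheet is protected by the old rule, but the CSV export is not matched by any rule in the outdated policy and remains in plaintext on the disk.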
Volume Encryption: Volume encryption, also commonly referred to as “home directory encryption,” is essentially a hybrid of FDE and file/folder encryption, where large data stores in specific directories or volumes on a specific system are encrypted for one or more users and/or groups. In general, this equates to a much more simplistic policy-based approach, where less focus is placed on file types, content, or other policy rule matching capabilities; the entire focus, instead, relates to which user or group is accessing a protected resource or volume/directory. This type of solution can be a good tradeoff in terms of system performance impact and management overhead when compared with file/folder encryption, while still offering more granularity than full disk solutions.
Pre-Encrypted Drives: Many laptop manufacturers are shipping systems with pre-encrypted drives. A number of hard drive manufacturers also are creating standalone encrypted laptop drives that can be purchased and added to preexisting systems. The major drawback to this approach is cost, because pre-encrypted drives can cost two times as much as traditional mobile system drives, although prices are quickly coming down. One other potential issue is enterprise-wide management, as these drives typically need some additional management and monitoring software employed in order to configure them and ensure encryption is in place remotely.
However, in addition to the benefits of full-disk encryption, this disk encryption technique provides several additional benefits. First, the drive architecture is built specifically to support encryption, and many vendors are following a standards-based approach espoused by the Trusted Computing Group (TCG) in its Storage Architecture Core Specification. This results in enhanced performance in most cases, with reduced likelihood of hardware compatibility issues or drive errors related to encryption. A recent study by consulting and market intelligence firm Trusted Strategies suggests that read/write operations may actually be twice as fast on pre-encrypted drives versus encryption software. Another advantage concerns the protection of encryption keys. Most software-based encryption products store encryption keys in system memory (dynamic RAM), and this potentially exposes the key to attackers using techniques like the Cold Boot attack discovered by Princeton University researchers in 2008. Pre-encrypted hard drives typically store the key on a Trusted Platform Module (TPM) chip, so it’s never stored in memory.
According to the nonprofit Identity Theft Resource Center, staggering numbers of sensitive data records were breached in 2009, continuing a trend occurring since 2005. Approximately 498 distinct breaches took place with at least 222 million sensitive records lost or stolen. Roughly two-thirds of the breaches were explained, and of these, 27.5 percent were due to lost laptops and other incidents where data was “on the move,” or accidental exposure. Regardless of how the breach occurred, only six of the 498 had encryption or other security controls in place.
With vast numbers of records being lost or stolen, particularly from mobile systems, more organizations should be using endpoint security controls such as laptop encryption. In addition to the potential loss of customer confidence, litigation concerns, and general “bad press” that come with a public data breach, many organizations need to adhere to multiple compliance and privacy mandates at state, federal, and industry levels. Although few compliance requirements actually mandate the use of laptop encryption, it is definitely needed if laptops routinely carry sensitive payment card, healthcare, or financial data that fall under PCI DSS, HIPAA, GLBA and Federal Financial Institutions Examination Council security guidelines. In addition, new state privacy laws such as Massachusetts’ new data law, 201 CMR 17.00, specifically require the use of laptop encryption.
Resource: Information Security Magazine by Dave Shackleford