Superior technology has brought with it pros as well as cons, and one of the greatest concerns for businesses is information leakage. This can happen through something as simple as stolen computers and it instantly puts a business at risk. A data breach is most effectively prevented by encryption of a business’ hard drives.
Full disk encryption (FDE) solutions are tailored to keep sensitive information safe in the event that there is theft of a business’ computers. The entire hard drive system, which includes all applications, the operating system and stored data, gets encrypted. After this, whenever the system starts there is an encryption key prompt that the user uses to get the system to boot and run in normal mode.
Any information on the disk read is also decrypted on the fly and any information written is encrypted on the fly, and then stored in memory. In case the encryption key is missing, all data stored on the disk cannot be accessed by hackers and thieves.
There is another kind of encryption called file-level encryption (FLE), but this is different. FDE automatically and transparently secures all the stored data in the hard drive, including hidden files with confidential data and swap files, without requiring user intervention. On the other hand, FLE is for protection of specific files that have been encrypted manually and it is basically user dependent – the user must perform an action to get the files encryption to take place before storage of the data.
There are several ways in which FDE products let administrators enable the provision of a system’s encryption key by users at the pre-boot stage:
• By prompting a password or passphrase.
• By insertion of a USB drive with the key.
• By use of a one-time password generating device like an RSA token.
• By use of a biometric device like a fingerprint reader. This is normally connected to a Trusted Platform Module that contains the actual encryption key.
How to Purchase the Best Full Disk Encryption Product
When you go to purchase a full disk encryption product, there are certain key things you’ll have to look out for:
• Support for the version of operating system you’re using.
• Support for Intel AES-NI instructions.
• FIPS-140 compliant encryption modules.
• Authentication methods.
• Key management systems and recovery options.
When modern encryption algorithms are implemented in an FIPS 140 compliant manner (FIPS – Federal Information Processing Standard), it becomes impossible for data to be decrypted on a drive using FDE without the key. This means in case there is loss of the password or the user forgets it, the encrypted data becomes permanently inaccessible; that is unless the FDE product’s encryption component operates with a key management system that enables the retrieval of the key either through a help desk or a self service system.
There is another drawback to using full disk encryption. Files in motion are not protected. The moment a file is copied to a memory stick or sent via email, it becomes decrypted. For a complete encryption, both FDE and FLE should be deployed to provide the user an option for manually encrypting the files they want to share with others.
Gradian are delighted to be featured in Symantec’s partner success story.