Protecting Digital Assets with FDE

by Max on February 5, 2010

Our business environment becomes more mobile by the day: globalization has resulted in more travel, shared work spaces, and virtual home offices. Increasingly, companies are replacing desktops with laptops. The falling price of laptops and the integration of mobile personal digital assistants (PDAs) with the corporate IT infrastructure ensure a high level of acceptance for portable computers among users. By 2009, IDC predicts that over 45% of all PCs in the world will be laptops.

However, mobile devices pose a tremendous security risk: they can easily be stolen or lost, and confidential data can be disclosed. Both the widespread use and the vulnerability of laptops, PDAs, and mobile phones are readily apparent in the numerous high-profile losses that hit the news on an ongoing basis.

With a Full Disk Encryption (FDE) solution, the damage from losing a mobile device is restricted to the value of the hardware. Without the proper access credential (e.g., a smartcard or small hardware token), the data on the hard disk remains secure and confidential, even if the hard drive is physically read bit-by-bit. Product roadmaps, customer data, social security numbers, contracts, prices, and much more are no longer at risk. The company's image remains unscathed and can even benefit if a coherent and comprehensive security concept is utilized and proactively communicated to the market.

For enterprise-wide deployment of FDE technology, two varieties are appropriate: software-only FDE, and a combination of software and hardware FDE. For existing systems, the software-based solution is best. It can be installed easily and quickly on a large number of computers and imposes no additional hardware requirements, as the encryption is performed by the computer's CPU. Hardware-based FDE uses an encryption processor installed on hard disks from specific manufacturers. This FDE solution performs somewhat better than a pure software-based solution; however, the cost of exchanging hard drives makes it truly suitable only for new laptops. Also, hardware FDE still needs to be managed by a software component. Therefore, enterprises should implement a combination of both technologies.

Full Disk Encryption (FDE) prevents unauthorized access to data storage. Booting a system from a different medium (e.g., a CD or a USB stick) typically circumvents data protection mechanisms that are linked to the operating system. There is a range of bootable CDs, both Linux- and Windows-based, intended explicitly to access hard drives in computers. Full Disk Encryption renders this approach useless because the complete content of the hard drive is encrypted. Even if the hard drive is mounted in a different computer or, even more drastically, if somebody tries to read the data directly from the magnetic disk by opening the hard disk enclosure, the result is the same: documents, spreadsheets, presentations, even the operating system and all applications remain secure and protected against access and manipulation.
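A deployment team can spot-check this claim by reading a volume's raw bytes as an offline reader would and confirming that no plaintext filesystem signature or low-entropy sector is visible. The following is an added example, not part of the original article; the function names, the 7.0 threshold and both sample volumes are assumptions, with a SHA-256 counter stream standing in for real ciphertext.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
# Plaintext filesystem markers: (name, byte offset in the volume, magic bytes)
SIGNATURES = [("NTFS", 3, b"NTFS    "), ("exFAT", 3, b"EXFAT   "),
              ("FAT32", 82, b"FAT32   ")]

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, max 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def audit_volume(raw: bytes, threshold: float = 7.0) -> dict:
    """Report what an offline, bit-by-bit read of the volume reveals."""
    sectors = [raw[i:i + SECTOR]
               for i in range(0, len(raw) - SECTOR + 1, SECTOR)]
    # Zero-filled or text-bearing sectors score far below ciphertext.
    low = [i for i, s in enumerate(sectors) if entropy(s) < threshold]
    found = [name for name, off, magic in SIGNATURES
             if raw[off:off + len(magic)] == magic]
    return {"sectors": len(sectors), "low_entropy_sectors": low,
            "fs_signatures": found, "looks_encrypted": not low and not found}

def sample_plain() -> bytes:
    """Constructed unencrypted volume: NTFS-style boot sector plus records."""
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    record = b"customer=ACME;contract=2010-017;price=1999.00\n"
    return bytes(boot) + (record * 100)[:SECTOR * 7]

def sample_cipher() -> bytes:
    """Constructed stand-in for an encrypted volume (not a real cipher)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(128))

if __name__ == "__main__":
    for label, vol in (("plain", sample_plain()), ("cipher", sample_cipher())):
        r = audit_volume(vol)
        print(label, r["fs_signatures"], len(r["low_entropy_sectors"]),
              "low-entropy sectors, looks_encrypted =", r["looks_encrypted"])
```

High entropy is necessary but not sufficient, since compressed data also scores high; use this as a spot check alongside the FDE product's own status reporting.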

Full Disk Encryption is a mature security technology that provides risk management in terms of protection from data loss as well as compliance with government legislation. A well-executed solution is an adaptive technology that can incorporate new technological advances and ensures no productivity impact on the end user or IT administrator.
