The CIO-level business angle on the latest tech
Last April, McAfee and Datamonitor released a report called “Datagate: The Next Inevitable Corporate Disaster?” The report held some disturbing statistics about data breaches:
* More than 60% of corporate respondents have experienced “data leakage” within the last year, and a third believe it could put their company out of business.
* The average annual cost of data leakage was $1.82 million.
* Intellectual property and financial information are the two most valuable classes of data.
* On average, a data breach that exposes personal information costs over a quarter million dollars - even if the lost data is never used. And it will cost hundreds of thousands of dollars more to service those same customers with follow-up programs and call/support centers.
* A data breach costs companies millions of dollars in lost brand equity and government fines and penalties.
Data loss can happen to any organization, and statistics like these are driving many companies and government agencies to seek out encryption capabilities for data storage devices. For IT managers and compliance officers, full disk encryption for laptops and desktop computers is becoming increasingly popular as a security measure.
If the ominous statistics aren’t enough to motivate organizations to encrypt their data, laws such as the California Information Practice Act, known as SB 1386, are forcing the issue. This ground-breaking 2003 law requires an agency, person or business that conducts business in California and owns or licenses computerized “personal information” to disclose any breach – or suspected breach – of security to any resident whose unencrypted data is believed to have been disclosed. Because the law specifies that notification pertains only to the exposure of unencrypted data, many organizations are turning to full disk encryption as a sort of “get out of jail free card.”
I turned to Sean Steele, one of the principal security consultants at infoLock Technologies, to get his practitioner’s advice about deploying full disk encryption within a large organization. Sean says this is a very hot issue with most of his clients. Before he recommends a solution to a client, they go through a litany of questions to determine what would work best for that organization. We’ll discuss some of those questions and considerations in this and next week’s newsletter.
“The market for full disk encryption solutions is fairly young. There’s really no one dominant player,” says Sean. He adds that there are six vendors with products worth consideration: GuardianEdge Technologies, PGP Corporation, CheckPoint Software (which recently acquired PointSec), SafeBoot Technology, Utimaco Safeware, and Credant Technologies.
InfoLock’s preferred vendor is GuardianEdge. “This company approaches the problem from an enterprise viewpoint,” says Sean. “GuardianEdge has a distinct centrally-managed approach to endpoint data protection -- including hard disk encryption, removable storage encryption, and device/port control. Their solution framework integrates with Active Directory and leverages policies at the server level to control device-level encryption. We see that centralized control as a real positive.”
Linda Musthaler is a principal analyst with Essential Solutions Corporation.