Full disk encryption: A practitioner’s advice

* If disturbing statistics about data breaches aren’t enough to motivate organizations to encrypt their data, laws are forcing the issue

Last April, McAfee and Datamonitor released a report called “Datagate: The Next Inevitable Corporate Disaster?” The report held some disturbing statistics about data breaches:

* More than 60% of corporate respondents have experienced “data leakage” within the last year, and a third believe it could put their company out of business.

* The average annual cost of data leakage was $1.82 million.

* Intellectual property and financial information are the two most valuable classes of data.

* On average, a data breach that exposes personal information costs over a quarter million dollars - even if the lost data is never used. And it will cost hundreds of thousands of dollars more to service those same customers with follow-up programs and call/support centers.

* A data breach costs companies millions of dollars in lost brand equity and government fines and penalties.

Data loss can happen to any organization, and statistics like these are driving many companies and government agencies to seek out encryption capabilities for data storage devices. For IT managers and compliance officers, full disk encryption for laptops and desktop computers is becoming increasingly popular as a security measure.

If the ominous statistics aren’t enough to motivate organizations to encrypt their data, laws such as the California Information Practice Act known as SB 1386 are forcing the issue. This ground-breaking 2003 law requires an agency, person or business that conducts business in California and owns or licenses computerized “personal information” to disclose any breach – or suspected breach – of security to any resident whose unencrypted data is believed to have been disclosed. Because the law specifies that notification only pertains to the exposure of unencrypted data, many organizations are turning to full disk encryption as a sort of “get out of jail free card.”

I turned to Sean Steele, one of the principal security consultants at infoLock Technologies, to get his practitioner’s advice about deploying full disk encryption within a large organization. Sean says this is a very hot issue with most of his clients. Before he recommends a solution to a client, they go through a litany of questions to determine what would work best for that organization. We’ll discuss some of those questions and considerations in this and next week’s newsletter.

“The market for full disk encryption solutions is fairly young. There’s really no one dominant player,” says Sean. He adds that there are six vendors with products worth consideration: GuardianEdge Technologies, PGP Corporation, Check Point Software (which recently acquired Pointsec), SafeBoot Technology, Utimaco Safeware, and Credant Technologies.

infoLock’s preferred vendor is GuardianEdge. “This company approaches the problem from an enterprise viewpoint,” says Sean. “GuardianEdge has a distinct centrally-managed approach to endpoint data protection, including hard disk encryption, removable storage encryption, and device/port control. Their solution framework integrates with Active Directory and leverages policies at the server level to control device-level encryption. We see that centralized control as a real positive.”

Although the U.S. Veterans Administration selected GuardianEdge to encrypt its computers after its infamous 2006 laptop theft, the Federal government just selected a number of products that meet its stringent security and encryption requirements. Read about the products in Federal Computer Week.

Of course, every customer’s situation is unique, and no one product works for every company. That’s why the market has yet to declare a front runner.

When Sean has the initial consultation with his clients, as well as when he meets with technology vendors, he brings up a series of technical, administrative and user experience questions. First, the technical questions…

* Does the software encrypt the entire hard disk?

“In the early days of disk encryption in the early 1990s, vendors believed that file and folder level encryption was sufficient,” says Sean. “What we discovered from this is that data was handed off to unencrypted areas of the disk, such as swap files or temp files. This allowed something we like to call ‘data seepage’. Today, enterprises want full disk encryption, covering all sectors on a hard disk. This is the first thing we look for in an enterprise product.”
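The “data seepage” problem above is why the first check on an endpoint is whether the swap area and temp directories sit on encrypted storage, not just the user’s documents. The script below is an added example, not code from the article or from any vendor it names; it assumes a Linux host using dm-crypt/LUKS and the `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output format, and the sample output embedded in it is constructed for illustration (root on LVM over LUKS, but swap and /tmp on plain partitions).

```python
"""Check that every mounted filesystem that can hold user data, including swap
and temp areas, sits on an encrypted block device.

Added example, not from the article or any product it describes. Assumes a
Linux host with dm-crypt/LUKS and the key="value" format produced by
`lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (PKNAME = parent kernel device).
"""
import shlex

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`.
# Root lives on LVM over LUKS, but swap and /tmp are on plain partitions,
# which is exactly the "seepage" configuration the article warns about.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="sda3" TYPE="part" MOUNTPOINT="[SWAP]" PKNAME="sda"
NAME="sda4" TYPE="part" MOUNTPOINT="/tmp" PKNAME="sda"
"""

# Mountpoints that must be encrypted. /boot is deliberately absent: it
# normally stays in the clear so the bootloader can load the kernel.
REQUIRED_ENCRYPTED = ("/", "[SWAP]", "/tmp", "/var/tmp", "/home")


def parse_lsblk_pairs(text):
    """Parse lsblk --pairs output into a dict keyed by device NAME."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex handles the quoting; each token is KEY=VALUE.
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """Walk up the parent chain; True if the device or any ancestor is dm-crypt."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def unencrypted_mounts(devices, required=REQUIRED_ENCRYPTED):
    """Map each required mountpoint that is present but unencrypted to its device."""
    findings = {}
    for dev in devices.values():
        mountpoint = dev["MOUNTPOINT"]
        if mountpoint in required and not is_encrypted(devices, dev["NAME"]):
            findings[mountpoint] = dev["NAME"]
    return findings


if __name__ == "__main__":
    devs = parse_lsblk_pairs(SAMPLE_LSBLK)
    for mountpoint, name in sorted(unencrypted_mounts(devs).items()):
        print(f"WARNING: {mountpoint} on {name} is not backed by an encrypted device")
```

On a real host, replace `SAMPLE_LSBLK` with the captured output of the `lsblk` command named in the docstring; any line the script prints is a location where decrypted file contents or memory pages can land on unencrypted sectors.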

* Is the solution FIPS and/or Common Criteria certified?

According to Sean, third party accreditation for full disk encryption technology is critical. “Certification is especially important to the U.S. Department of Defense, and it should be to enterprise organizations, as well,” says Sean. “When an independent, credible third party has validated the security of a solution, you can more readily trust that solution to protect your data.”

There are two types of accreditation to look for. FIPS 140-2 is a cryptographic module validation from the National Institute of Standards and Technology (NIST) and is commonly required in the United States. Internationally, industry is moving to Common Criteria accreditation, which rates products on a scale called evaluation assurance level (EAL). Most products receive a Common Criteria certification of EAL4 or lower.

* What level(s) of encryption are used?

“Encryption strength is generally measured by the algorithm used and the bit length of the key,” says Sean. “Most organizations use a 128- or 256-bit implementation of the current NIST standard AES (Advanced Encryption Standard), or triple DES encryption. These are proven algorithms, and widely accepted for use in the enterprise.” Sean also cautions clients to stay away from a vendor that has created its own encryption algorithm. “The public domain algorithms are trustworthy. I would be leery of any vendor that said it has developed its own.”

Coming next week: more of Sean Steele’s advice on selecting a full disk encryption solution for your enterprise.


Copyright © 2007 IDG Communications, Inc.
