Encrypt data or encrypt disk? You decide

Mobile computing and larger databases pose new risks for unprotected data

As more companies disclose information losses and data theft, information technology companies have entered the market to sell products that encrypt entire hard drives.

Those companies argue that encrypting all data on a disk is the best way to protect it from internal and external threats, including user carelessness. “It means the user can never make a mistake” that jeopardizes data security, such as putting classified material in an unclassified folder or onto a portable storage device, said Matt Pauker, co-founder of Voltage Security.

The arrival of whole-disk products marks a change in how encryption is used, experts say. Encryption traditionally focused on “data in flight” because information was more vulnerable when in transit than when it resided at its endpoints, said Kevin Brown, vice president of marketing at Decru.

In the past 10 years, however, “data at rest” has become a more tantalizing target, he said. Large organizations, particularly the federal government, have consolidated hundreds of petabytes of data and replicated it for backup purposes.

“Not only do you have all your eggs in one basket, you now have eight copies of that basket,” Brown said.

Data at rest represents a major security vulnerability for organizations with mobile workforces, said David Peirce, senior practice manager for enterprise security at GTSI. Data can be left anywhere, he said, so it must be protected everywhere.

Another reason to encrypt data at rest is the ubiquity of small, inexpensive hard drives, said Peter Christy, a principal at Internet Research Group, a market strategy and research firm. “A 60G iPod can hold everything of value for a large company,” he said.

Encryption technology has become more robust, transparent and easier to use, Christy said. Whole-disk encryption providers are also making it easy for administrators to automatically enforce effective security policies, he added.

Industry research groups are endorsing whole-disk encryption as a best practice, Brown said.

Whole-disk encryption is superior to file encryption for data at rest because the latter approach saves data in unencrypted temporary files on other sectors of the disk, said Thi Nguyen-Huu, chief executive officer of WinMagic.

Voltage’s and WinMagic’s 256-bit Advanced Encryption Standard technology works at the driver level to prevent attackers from exploiting vulnerabilities in the operating system, Nguyen-Huu and Pauker said.

Users must identify themselves with multifactor authentication before the operating system boots up. If the machine is lost, whoever finds it cannot gain access beyond the preboot screen.

Whole-disk encryption does not solve every security problem because it only protects data at rest, Nguyen-Huu said. Data is decrypted whenever it leaves the hard drive, so it must be re-encrypted using file-based encryption whenever it travels into RAM, onto removable storage or over a network, he said.

He recommends that organizations employ both kinds of encryption: whole-disk encryption for data at rest and file encryption for data in motion.

Experts weigh in on whole-disk encryption

Government agencies used to be the only organizations using whole-disk encryption because they were the only ones with the regulatory mandates and computing horsepower to do it, said Matt Pauker, co-founder of Voltage Security. But the growth in regulations that apply to businesses has created a larger market for encryption products, he added.

Whole-disk encryption, which protects data at rest, is increasingly important because some organizations have expanded their storage capacity by as much as 80 percent a year in the past decade, said Kevin Brown, vice president of marketing at Decru.

But others see little difference between whole-disk and selective encryption products. “You get all the safety of locking [data in] a lead box with the flexibility of getting the information when you need it,” said David Peirce, senior practice manager for enterprise security at GTSI.

Regardless of the type of encryption, users who store data on portable machines must find ways to protect that information from unauthorized access, said Peter Christy, a principal at Internet Research Group, a market strategy and research firm. If they don’t, they leave themselves vulnerable to attack.

— Michael Arnone

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above