Encrypt data or encrypt disk? You decide

Mobile computing and larger databases pose new risks for unprotected data

As more companies disclose information losses and data theft, information technology companies have entered the market to sell products that encrypt entire hard drives.

Those companies argue that encrypting all data on a disk is the best way to protect it from internal and external threats, including user carelessness. “It means the user can never make a mistake” that jeopardizes data security, such as putting classified material in an unclassified folder or onto a portable storage device, said Matt Pauker, co-founder of Voltage Security.

The arrival of whole-disk products marks a change in how encryption is used, experts say. Encryption traditionally focused on “data in flight” because information was more vulnerable when in transit than when it resided at its endpoints, said Kevin Brown, vice president of marketing at Decru.

In the past 10 years, however, “data at rest” has become a more tantalizing target, he said. Large organizations, particularly the federal government, have consolidated hundreds of petabytes of data and replicated it for backup purposes.

“Not only do you have all your eggs in one basket, you now have eight copies of that basket,” Brown said.

Data at rest represents a major security vulnerability for organizations with mobile workforces, said David Peirce, senior practice manager for enterprise security at GTSI. Data can be left anywhere, he said, so it must be protected everywhere.

Another reason to encrypt data at rest is the ubiquity of small, inexpensive hard drives, said Peter Christy, a principal at Internet Research Group, a market strategy and research firm. “A 60G iPod can hold everything of value for a large company,” he said.

Encryption technology has become more robust, transparent and easier to use, Christy said. Whole-disk encryption providers are also making it easy for administrators to automatically enforce effective security policies, he added.

Industry research groups are endorsing whole-disk encryption as a best practice, Brown said.

Whole-disk encryption is superior to file encryption for data at rest because the latter approach saves data in unencrypted temporary files on other sectors of the disk, said Thi Nguyen-Huu, chief executive officer of WinMagic.

Voltage’s and WinMagic’s 256-bit Advanced Encryption Standard technology works at the driver level to prevent attackers from exploiting vulnerabilities in the operating system, Nguyen-Huu and Pauker said.

Users must identify themselves with multifactor authentication before the operating system boots up. If the machine is lost, whoever finds it cannot gain access beyond the preboot screen.

Whole-disk encryption does not solve every security problem because it only protects data at rest, Nguyen-Huu said. Data is decrypted whenever it leaves the hard drive, so it must be re-encrypted using file-based encryption whenever it travels into RAM, onto removable storage or over a network, he said.

He recommends that organizations employ both kinds of encryption: whole-disk encryption for data at rest and file encryption for data in motion.

Experts weigh in on whole-disk encryption

Government agencies used to be the only organizations using whole-disk encryption because they were the only ones with the regulatory mandates and computing horsepower to do it, said Matt Pauker, co-founder of Voltage Security. But the growth in regulations that apply to businesses has created a larger market for encryption products, he added.

Whole-disk encryption, which protects data at rest, is increasingly important because some organizations have expanded their storage capacity by as much as 80 percent a year in the past decade, said Kevin Brown, vice president of marketing at Decru.

But others see little difference between whole-disk and selective encryption products. “You get all the safety of locking [data in] a lead box with the flexibility of getting the information when you need it,” said David Peirce, senior practice manager for enterprise security at GTSI.

Regardless of the type of encryption, users who store data on portable machines must find ways to protect that information from unauthorized access, said Peter Christy, a principal at Internet Research Group, a market strategy and research firm. If they don’t, they leave themselves vulnerable to attack.

— Michael Arnone
