Encrypt data or encrypt disk? You decide

As more companies disclose information losses and data theft, information technology companies have entered the market to sell products that encrypt entire hard drives.

Those companies argue that encrypting all data on a disk is the best way to protect it from internal and external threats, including user carelessness. “It means the user can never make a mistake” that jeopardizes data security, such as putting classified material in an unclassified folder or onto a portable storage device, said Matt Pauker, co-founder of Voltage Security.

The arrival of whole-disk products marks a change in how encryption is used, experts say. Encryption traditionally focused on “data in flight” because information was more vulnerable when in transit than when it resided at its endpoints, said Kevin Brown, vice president of marketing at Decru.

In the past 10 years, however, “data at rest” has become a more tantalizing target, he said. Large organizations, particularly the federal government, have consolidated hundreds of petabytes of data and replicated it for backup purposes.

“Not only do you have all your eggs in one basket, you now have eight copies of that basket,” Brown said.

Data at rest represents a major security vulnerability for organizations with mobile workforces, said David Peirce, senior practice manager for enterprise security at GTSI. Data can be left anywhere, he said, so it must be protected everywhere.

Another reason to encrypt data at rest is the ubiquity of small, inexpensive hard drives, said Peter Christy, a principal at Internet Research Group, a market strategy and research firm. “A 60G iPod can hold everything of value for a large company,” he said.

Encryption technology has become more robust, transparent and easier to use, Christy said. Whole-disk encryption providers are also making it easy for administrators to automatically enforce effective security policies, he added.

Industry research groups are endorsing whole-disk encryption as a best practice, Brown said.

Whole-disk encryption is superior to file encryption for data at rest because the latter approach saves data in unencrypted temporary files on other sectors of the disk, said Thi Nguyen-Huu, chief executive officer of WinMagic.

Voltage’s and WinMagic’s 256-bit Advanced Encryption Standard technology works at the driver level to prevent attackers from exploiting vulnerabilities in the operating system, Nguyen-Huu and Pauker said.

Users must identify themselves with multifactor authentication before the operating system boots up. If the machine is lost, whoever finds it cannot gain access beyond the preboot screen.

Whole-disk encryption does not solve every security problem because it only protects data at rest, Nguyen-Huu said. Data is decrypted whenever it leaves the hard drive, so it must be re-encrypted using file-based encryption whenever it travels into RAM, onto removable storage or over a network, he said.

He recommends that organizations employ both kinds of encryption: whole-disk encryption for data at rest and file encryption for data in motion.