Tech Insight: Hacking Your Encryption Options

Choosing the right encryption solution isn't always easy

Dark Reading Staff, Dark Reading

February 29, 2008

4 Min Read

Even with encryption solutions widely available today, it’s painfully obvious that many organizations just aren’t taking advantage of them. In the first two months of this year, about half of the 52 data exposures tracked by the Privacy Rights Clearinghouse involved stolen or lost laptops, desktop computers, and hard drives.

But choosing the right encryption solution isn’t always easy. It requires careful consideration of several key issues and features, including the impact on end users, performance degradation, encryption key (or password) recovery, and centralized management.

The encryption products designed to protect data at rest -- information stored on a hard drive or removable media -- fall into three different categories: file-, folder-, or disk-based.

Disk-based encryption solutions, aka whole disk or full-disk encryption, have grown in popularity. Some heavy-hitters have made key moves in this space, with Microsoft packaging BitLocker in Windows Vista and Server 2008; McAfee purchasing SafeBoot; and TrueCrypt recently getting updated to include disk encryption for the system drive on Windows machines.

Many IT security pros don’t typically consider the effect an encryption deployment will have on their users. But it can have a major impact, not only on the daily activities of users, but also on the feelings they have about encryption in general. The less invasive the impact on them and their jobs, the less likely users will find a way to circumvent encryption for convenience’s sake. The advantage of disk-based encryption is that it’s transparent, so therefore users don’t have to do anything special, unlike with most file- and folder-based solutions. But this isn’t true for all folder-based solutions -- Credant Mobile Guardian, for example, automatically encrypts files and folders on different places on the hard drive (not the entire drive), and does so transparently.

With disk-based encryption, the entire disk is protected so that all files the user creates or modifies on the disk are encrypted. Additionally, so are all temporary files from Web browsing, document editing, and viewing attachments. With file- and folder-based encryption, however, users must remember to encrypt each file, or save the files into a folder where all of its content is automatically encrypted. The temporary files created during the editing of a sensitive document, for instance, may not get deleted when the program exits -- thereby potentially inadvertently exposing that data.

And although ignorance isn’t an excuse, if the user doesn’t understand which information is considered sensitive within his or her organization, he or she isn’t likely to encrypt it with file- and folder-based encryption.

Don’t overlook system performance when deciding on an encryption solution. Disk-based solutions typically have the highest system overhead because every read and write to the hard drive incurs a performance hit. For companies with a lot of older systems, the performance degradation will be quite noticeable, both through system monitoring and user experience.

File- and folder-based solutions have an edge in this area -- you only get a performance hit when a user intentionally encrypts a file. Performance may need to be weighed on a case-by-case basis, depending on hardware specifications. It can also be a deciding factor that helps enterprises realize it’s time to upgrade their systems.

Password recovery and resets are a common headache for any system, and are especially important with encryption because it affects whether or not certain files are accessible, or in the case of disk-based encryption, whether a computer system can boot or not. Users need a relatively pain-free, secure way to reset their passwords in case they’re forgotten, and system administrators must be able to decrypt files and disks where the employee is no longer available to provide his or her password.

Companies using Microsoft Active Directory (AD), for instance, can configure their AD domain to store BitLocker recovery information. Similarly, most well-known enterprise solutions like McAfee’s SafeBoot include easy-to-use (often Web-based) interfaces for users and help desk staff to reset passwords.

Centralized management is an absolute must for any enterprise environment and is usually the foundation for providing password reset functionality. But the features provided by the encryption software manufacturers can vary greatly from product to product. Being able to remotely deploy an encryption solution from a central console is extremely beneficial for IT groups that support hundreds or thousands of machines, but it isn’t a critical feature for smaller organizations.

Integration with AD, LDAP, or a similar directory service allows custom profiles and policies to be enabled for specific users and computer systems. Logging and reporting are also important in a centralized management interface to ensure that the systems that need to be encrypted are, and that you can detect repeated logon failures.

No matter how you decide to encrypt data within your enterprise -- via file-, folder-, or disk-based encryption -- you’ll need to evaluate what it means to your users, system performance, and password recovery, and to make sure the centralized management features fit your enterprise environment and don’t hinder management and deployment.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights