Dark Reading is part of the Informa Tech Division of Informa PLC

Tech Insight: Hacking Your Encryption Options

Choosing the right encryption solution isn't always easy

Even with encryption solutions widely available today, it’s painfully obvious that many organizations just aren’t taking advantage of them. In the first two months of this year, about half of the 52 data exposures tracked by the Privacy Rights Clearinghouse involved stolen or lost laptops, desktop computers, and hard drives.

But choosing the right encryption solution isn’t always easy. It requires careful consideration of several key issues and features, including the impact on end users, performance degradation, encryption key (or password) recovery, and centralized management.

The encryption products designed to protect data at rest -- information stored on a hard drive or removable media -- fall into three different categories: file-, folder-, or disk-based.

Disk-based encryption solutions, aka whole disk or full-disk encryption, have grown in popularity. Some heavy-hitters have made key moves in this space, with Microsoft packaging BitLocker in Windows Vista and Server 2008; McAfee purchasing SafeBoot; and TrueCrypt recently getting updated to include disk encryption for the system drive on Windows machines.

Many IT security pros don’t typically consider the effect an encryption deployment will have on their users. But it can have a major impact, not only on the daily activities of users, but also on the feelings they have about encryption in general. The less invasive the impact on them and their jobs, the less likely users will find a way to circumvent encryption for convenience’s sake. The advantage of disk-based encryption is that it’s transparent, so users don’t have to do anything special, unlike with most file- and folder-based solutions. But this isn’t true for all folder-based solutions -- Credant Mobile Guardian, for example, automatically encrypts files and folders at different places on the hard drive (not the entire drive), and does so transparently.

With disk-based encryption, the entire disk is protected, so every file the user creates or modifies on the disk is encrypted. That includes all the temporary files left behind by Web browsing, document editing, and viewing attachments. With file- and folder-based encryption, however, users must remember to encrypt each file, or save files into a folder whose contents are automatically encrypted. The temporary files created while editing a sensitive document, for instance, may not be deleted when the program exits -- potentially exposing that data without anyone noticing.

And although ignorance isn’t an excuse, if the user doesn’t understand which information is considered sensitive within his or her organization, he or she isn’t likely to encrypt it with file- and folder-based encryption.

Don’t overlook system performance when deciding on an encryption solution. Disk-based solutions typically have the highest system overhead because every read and write to the hard drive incurs a performance hit. For companies with a lot of older systems, the performance degradation will be quite noticeable, both through system monitoring and user experience.

File- and folder-based solutions have an edge in this area -- you only get a performance hit when a user intentionally encrypts a file. Performance may need to be weighed on a case-by-case basis, depending on hardware specifications. It can also be a deciding factor that helps enterprises realize it’s time to upgrade their systems.

Password recovery and resets are a common headache for any system, and they are especially important with encryption because a forgotten password determines whether certain files are accessible at all, or, in the case of disk-based encryption, whether a computer can even boot. Users need a relatively pain-free, secure way to reset their passwords in case they’re forgotten, and system administrators must be able to decrypt files and disks where the employee is no longer available to provide his or her password.

Companies using Microsoft Active Directory (AD), for instance, can configure their AD domain to store BitLocker recovery information. Similarly, most well-known enterprise solutions like McAfee’s SafeBoot include easy-to-use (often Web-based) interfaces for users and help desk staff to reset passwords.
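As an added illustration of the AD recovery approach described above (this is example code, not from the article or from Microsoft), the following PowerShell reports BitLocker status for each fixed volume and escrows any recovery password to the computer's Active Directory object. It assumes a domain-joined Windows machine with the BitLocker module, an elevated session, and Group Policy already configured to permit storing recovery information in AD DS; the function name `Get-BitLockerComplianceReport` and its `-Escrow` switch are this example's own.

```powershell
# Added example (not from the article): report BitLocker status for every
# fixed volume and escrow each encrypted volume's recovery password to AD DS.
# Assumes: BitLocker PowerShell module, domain-joined host, elevated session,
# and policy that allows backing up recovery information to AD DS.

#Requires -RunAsAdministrator

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # Escrow recovery passwords to Active Directory when -Escrow is given
        [switch]$Escrow
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Only OS and fixed data volumes are in scope; removable media is skipped here
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        $recoveryProtectors = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $status = [ordered]@{
            MountPoint          = $vol.MountPoint
            ProtectionStatus    = $vol.ProtectionStatus   # On / Off
            VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
            EncryptionMethod    = $vol.EncryptionMethod
            HasRecoveryPassword = ($recoveryProtectors.Count -gt 0)
            EscrowedToAD        = $false
        }

        if ($Escrow -and $vol.ProtectionStatus -eq 'On') {
            foreach ($rp in $recoveryProtectors) {
                try {
                    # Writes this recovery password to the computer object in AD DS
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                        -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
                    $status.EscrowedToAD = $true
                } catch {
                    Write-Warning "Escrow failed for $($vol.MountPoint): $($_.Exception.Message)"
                }
            }
        }

        [pscustomobject]$status
    }
}

# Usage: escrow what can be escrowed, then warn about volumes that are not protected
Get-BitLockerComplianceReport -Escrow |
    Tee-Object -Variable report |
    Format-Table -AutoSize

$report | Where-Object { $_.ProtectionStatus -ne 'On' } |
    ForEach-Object { Write-Warning "Volume $($_.MountPoint) is not protected by BitLocker" }
```

Run it from a central console against each managed machine, or schedule it locally; the `HasRecoveryPassword` and `EscrowedToAD` columns are the two facts a help desk needs before it can recover a locked disk, and a volume reporting `ProtectionStatus` of `Off` is exactly the gap the article warns about.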

Centralized management is an absolute must for any enterprise environment and is usually the foundation for providing password reset functionality. But the features provided by the encryption software manufacturers can vary greatly from product to product. Being able to remotely deploy an encryption solution from a central console is extremely beneficial for IT groups that support hundreds or thousands of machines, but it isn’t a critical feature for smaller organizations.

Integration with AD, LDAP, or a similar directory service allows custom profiles and policies to be enabled for specific users and computer systems. Logging and reporting are also important in a centralized management interface to ensure that the systems that need to be encrypted are, and that you can detect repeated logon failures.
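To show the kind of repeated-logon-failure check the article says a management console should support, here is an added PowerShell example (not from the article or any vendor product). It slides a time window over failure records per account and flags any account whose failures cluster; the records below are constructed for the example, and on a live Windows host the same shape can be built from Security event 4625 via `Get-WinEvent`. The function name `Find-RepeatedLogonFailures` and its `-Threshold` and `-Window` parameters are this example's own.

```powershell
# Added example (not from the article): flag accounts with repeated logon
# failures inside a sliding time window. Input objects need Account,
# Workstation and Time properties; the sample records below are constructed.

function Find-RepeatedLogonFailures {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]$Failures,      # Account, Workstation, Time
        [int]$Threshold = 5,                             # failures that trigger an alert
        [timespan]$Window = [timespan]::FromMinutes(10)  # span in which they must occur
    )

    foreach ($group in ($Failures | Group-Object -Property Account)) {
        $times = @($group.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        # Slide a window over the sorted timestamps and alert on the first
        # window that holds at least $Threshold failures.
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span -le $Window) {
                [pscustomobject]@{
                    Account      = $group.Name
                    Failures     = $group.Count
                    WindowStart  = $times[$i]
                    WindowEnd    = $times[$i + $Threshold - 1]
                    Workstations = ($group.Group.Workstation | Sort-Object -Unique) -join ','
                }
                break
            }
        }
    }
}

# Constructed sample: one account fails six times in five minutes (alert),
# another fails twice hours apart (ordinary typos, no alert).
$base = Get-Date '2020-10-26 08:00:00'
$sample = @(
    0, 1, 2, 3, 4, 5 | ForEach-Object {
        [pscustomobject]@{ Account = 'jdoe'; Workstation = 'LAPTOP-17'; Time = $base.AddMinutes($_) }
    }
    [pscustomobject]@{ Account = 'asmith'; Workstation = 'DESK-02'; Time = $base.AddHours(1) }
    [pscustomobject]@{ Account = 'asmith'; Workstation = 'DESK-02'; Time = $base.AddHours(9) }
)

Find-RepeatedLogonFailures -Failures $sample -Threshold 5 | Format-Table -AutoSize
```

Only `jdoe` is reported for this input. Tune `-Threshold` and `-Window` to the help desk's own reset policy so that the alert fires before an account is locked out for good, and feed the output into the same central console that holds the recovery keys so the person handling the reset can see both.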

No matter how you decide to encrypt data within your enterprise -- via file-, folder-, or disk-based encryption -- you’ll need to evaluate what it means to your users, system performance, and password recovery, and to make sure the centralized management features fit your enterprise environment and don’t hinder management and deployment.
