
Tech Insight: Hacking Your Encryption Options

Choosing the right encryption solution isn't always easy

Even with encryption solutions widely available today, it’s painfully obvious that many organizations just aren’t taking advantage of them. In the first two months of this year, about half of the 52 data exposures tracked by the Privacy Rights Clearinghouse involved stolen or lost laptops, desktop computers, and hard drives.

But choosing the right encryption solution isn’t always easy. It requires careful consideration of several key issues and features, including the impact on end users, performance degradation, encryption key (or password) recovery, and centralized management.

The encryption products designed to protect data at rest -- information stored on a hard drive or removable media -- fall into three different categories: file-, folder-, or disk-based.

Disk-based encryption solutions, aka whole disk or full-disk encryption, have grown in popularity. Some heavy-hitters have made key moves in this space, with Microsoft packaging BitLocker in Windows Vista and Server 2008; McAfee purchasing SafeBoot; and TrueCrypt recently getting updated to include disk encryption for the system drive on Windows machines.

Many IT security pros don’t typically consider the effect an encryption deployment will have on their users. But it can have a major impact, not only on the daily activities of users, but also on the feelings they have about encryption in general. The less invasive the impact on them and their jobs, the less likely users will find a way to circumvent encryption for convenience’s sake. The advantage of disk-based encryption is that it’s transparent, so therefore users don’t have to do anything special, unlike with most file- and folder-based solutions. But this isn’t true for all folder-based solutions -- Credant Mobile Guardian, for example, automatically encrypts files and folders on different places on the hard drive (not the entire drive), and does so transparently.

With disk-based encryption, the entire disk is protected, so every file the user creates or modifies on the disk is encrypted, including all temporary files from Web browsing, document editing, and viewing attachments. With file- and folder-based encryption, however, users must remember to encrypt each file, or save the files into a folder whose contents are automatically encrypted. The temporary files created while editing a sensitive document, for instance, may not be deleted when the program exits, and because they live outside the encrypted file or folder, they can expose that data without the user ever realizing it.

And although ignorance isn’t an excuse, if the user doesn’t understand which information is considered sensitive within his or her organization, he or she isn’t likely to encrypt it with file- and folder-based encryption.

Don’t overlook system performance when deciding on an encryption solution. Disk-based solutions typically have the highest system overhead because every read and write to the hard drive incurs a performance hit. For companies with a lot of older systems, the performance degradation will be quite noticeable, both through system monitoring and user experience.

File- and folder-based solutions have an edge in this area -- you only get a performance hit when a user intentionally encrypts a file. Performance may need to be weighed on a case-by-case basis, depending on hardware specifications. It can also be a deciding factor that helps enterprises realize it’s time to upgrade their systems.

Password recovery and resets are a common headache for any system, and are especially important with encryption because it affects whether or not certain files are accessible, or in the case of disk-based encryption, whether a computer system can boot or not. Users need a relatively pain-free, secure way to reset their passwords in case they’re forgotten, and system administrators must be able to decrypt files and disks where the employee is no longer available to provide his or her password.

Companies using Microsoft Active Directory (AD), for instance, can configure their AD domain to store BitLocker recovery information. Similarly, most well-known enterprise solutions like McAfee’s SafeBoot include easy-to-use (often Web-based) interfaces for users and help desk staff to reset passwords.

Centralized management is an absolute must for any enterprise environment and is usually the foundation for providing password reset functionality. But the features provided by the encryption software manufacturers can vary greatly from product to product. Being able to remotely deploy an encryption solution from a central console is extremely beneficial for IT groups that support hundreds or thousands of machines, but it isn’t a critical feature for smaller organizations.

Integration with AD, LDAP, or a similar directory service allows custom profiles and policies to be enabled for specific users and computer systems. Logging and reporting are also important in a centralized management interface to ensure that the systems that need to be encrypted are, and that you can detect repeated logon failures.
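The two operational checks the article calls for, confirming that the disks that should be encrypted actually are and that recovery information has been escrowed to Active Directory, can be scripted on each Windows host. The following is an added example, not code from the article or from Microsoft; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated prompt, and a domain-joined machine whose Group Policy allows backing up recovery information to AD.

```powershell
# Added example: audit BitLocker protection status on this host and escrow every
# recovery password protector to Active Directory so the help desk can recover it.
# Assumes the BitLocker module, an elevated shell, and AD backup permitted by policy.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Recovery passwords are the protector type the help desk hands out on a reset.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $escrowed = $false

    if ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -gt 0) {
        try {
            foreach ($kp in $recovery) {
                # Idempotent: re-running simply re-writes the same protector to AD.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                             -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
            $escrowed = $true
        }
        catch {
            # Typical causes: machine not domain-joined, or policy forbids AD backup.
            Write-Warning "AD backup failed for $($vol.MountPoint): $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Volume              = $vol.MountPoint
        VolumeType          = $vol.VolumeType          # OperatingSystem or Data
        ProtectionStatus    = $vol.ProtectionStatus    # On or Off
        EncryptionPercent   = $vol.EncryptionPercentage
        HasRecoveryPassword = ($recovery.Count -gt 0)
        EscrowedToAD        = $escrowed
    }
}

$report | Format-Table -AutoSize

# Flag the two conditions the article warns about: volumes that are not encrypted,
# and encrypted volumes with no recovery password for an administrator to fall back on.
$unprotected = @($report | Where-Object { $_.ProtectionStatus -ne 'On' })
$noRecovery  = @($report | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPassword })
if ($unprotected.Count) { Write-Warning "Unencrypted volumes: $($unprotected.Volume -join ', ')" }
if ($noRecovery.Count)  { Write-Warning "No recovery password on: $($noRecovery.Volume -join ', ')" }
```

Feeding the per-host objects into a central store (the same console that pushes policy) gives the encryption-coverage report the article says a centralized management interface should provide.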

No matter how you decide to encrypt data within your enterprise -- via file-, folder-, or disk-based encryption -- you’ll need to evaluate what it means to your users, system performance, and password recovery, and to make sure the centralized management features fit your enterprise environment and don’t hinder management and deployment.
