Full disk encryption (FDE) systems use strong encryption algorithms to automatically protect all data stored on the hard drives of PCs and laptop computers. Users unlock the data with an authentication factor, such as a password, token or smart card, which lets the system retrieve the key that decrypts the disk. On many systems, functions such as key management, access control, lock-outs, reporting and recovery are all managed centrally.
According to John Girard, an analyst at Gartner, the main differences among available products derive from their varying approaches to management, encryption strength, user authentication, policy management and value-added features, such as protection of information on removable media.
Here we'll look at two prime considerations in selecting encryption solutions, as well as dos and don'ts suggested by veterans of encryption implementation.
Full disk encryption versus file or folder encryption system. With FDE, data is encrypted automatically when it's stored on the hard disk. This is different from file or folder encryption systems, where it's up to the user to decide which data needs encrypting. FDE's biggest advantage is that there's no room for error if users don't abide by or don't understand encryption policies.
The shortcoming of FDE, Lambert points out, is that it does not protect data in transit, such as information shared between devices, stored on a portable hard drive or USB, or sent through e-mail. FES, she says, is ideal for this, although it requires a lot of attention to developing a policy for what gets encrypted and what doesn't, as well as training users on the policy. FES is also more compute-intensive than FDE, she says, leading to PC performance hits of 15 percent to 20 percent, versus just 3 percent or 4 percent.
Hardware versus software encryption. According to Girard, hardware-based encryption promises significant performance improvements over software-based technologies, and the new Trusted Computing Group (TCG) open standard offers a common management specification for hard-drive manufacturers.
However, there is a lack of real-world products using the standard, he says. Hardware encryption will continue to evolve, he says, and future choices will appear in other device subsystems, such as CPUs or supporting chip sets.
Today's self-encrypting hard drives—such as those from Seagate Technologies—are mainly geared toward consumers, Lambert says. That's because without TCG, they do not yet perform better than software-based encryption, and most cannot be centrally managed. An exception, she says, is a partnership among Dell, Seagate and McAfee to provide laptops with encrypted hard drives and enterprise-level management tools. Wave Systems also sells key management software for Seagate drives, says Eric Maiwald, an analyst at Burton Group.
Encryption Dos and Don'ts
DO prep the machine. According to Girard, the biggest mistake people make when installing encryption is failing to ensure the machine is clean and running properly beforehand. "If there's a disk problem," he says, "parts of the code specific to the encryption engine will not be readable." He suggests defragmenting the hard drive, running Checkdisk several times, backing up the data, administering all patches and optimizing performance before encrypting. While the performance hit for encryption is only 1 percent to 3 percent, he says, "why not make the machine faster to minimize that or at least break even?"
At Los Angeles County, which uses Pointsec, now from Check Point Software Technologies, CISO Robert Pittman's team conducted a health check on the hard drives of the county's laptops to see how much free space existed, how badly it was fragmented and the maintenance level of the operating system. His team identified about 20 out of the total 12,500 laptops that would need to be replaced prior to encrypting them.
Frank Ward, a consultant for the State of Connecticut, also ran drive-evaluation software on the state's laptops during the pilot phase of implementing encryption software from McAfee. About 15 percent of the hard drives failed, he says. By checking all the disks, the failure rate for installing McAfee on the state's 5,000 machines was just 3 percent.
DON'T jump in too quickly. It's also essential to have a clear road map for deployment. Some organizations use a centralized software delivery system. For instance, Patterson used LANdesk from LANdesk Software to do a mass-deployment of Utimaco. However, he plans to activate the software one machine at a time, taking what he calls a "low and slow" approach. Not only does he need to remove previously installed encryption software, but he also wants a manageable way to deal with any issues that might arise. "I don't want to show up on Monday and [see that] every machine is blue-screened," he says. "Utimaco is good about recovering from errors, but there are situations where the drive is on the edge, and spinning it for three hours will push it over. If we go too fast we'll be overwhelmed by support calls."
Most encryption software allows you to push it out to users' machines via a centralized software delivery system, Maiwald says. For instance, McAfee allows you to use its ePolicy Orchestrator for deployment, he says. However, this is not always possible, as was the case in Connecticut. In the state's distributed environment, Ward found the centralized deployment mechanisms were not ubiquitous enough. He still needed to work fast, due to the State's strategy for accelerated deployment.
To do that, the State created five teams of three people to install McAfee (over a six-week period) on the laptops of 55 agencies and 950 state police trooper cars. The teams consisted of previously trained administrators, McAfee resources and an IT person. "We'd give the agency a week's notice to get their machines logistically together and then try to get as many done in a day as we could," Ward says. His team would set up in a conference room or other central location, connect 20 or so machines to a file server to download the software and then pull them offline to finish encrypting, which could take two hours for a 100GB drive. "It was very much a production line," Ward says. The agency continued working on any that didn't get completed, and they could bring any particularly troublesome machines to a centralized depot.
DON'T underestimate deployment time. As Ward found, installation takes time, especially for large drives. A good rule of thumb is that it takes two to four hours for the software to encrypt the drive, depending on its size.
Because of this, it's important to choose a system that will be easy for administrators to learn and a vendor or reseller that provides customized training. When Pittman chose Check Point, he had about 100 people trained—two or three from each of L.A.'s 38 agencies—to encrypt 12,500 machines. It helped, Pittman says, to create a standardized configuration to be implemented. In all, it took about nine months, although 80 percent of the agencies were finished in six months.
DO consider background installation. To keep deployment as low-impact as possible, consider a system that enables users to keep working during installation, Girard says. Even better, make sure you don't need to restart the process if it gets interrupted.
DON'T expect full user acceptance. Users can be wary of added security, seeing it as an annoying roadblock that hinders technology performance, Lambert warns. One way to head off potential opposition is to fully communicate the what, why, how and when of deployment prior to implementation and stress that performance will be affected minimally, no more than 5 percent, she says.
DO test on a pilot group. Pilot testing is important for several reasons, including ironing out potential problems and gauging user resistance and the scope of the full deployment, Lambert says. "User enrollment should be easy, but with some products, users get confused," Girard says. "When that happens en masse, you've got real problems because if you fail to set up enrollment properly, the machine has to be put into recovery mode. If the user never enrolled with the management console, it can be even trickier."
DO check for interference with other applications. Another reason for a pilot test is there can be device-driver or BIOS interference between the encryption software and other applications, Girard warns. "You should run it against your standard image, as well as potential things you'll install in the next year," he says.
Conflicts can arise between encryption and some desktop management systems that already have entries in the boot sector of the disk, Maiwald adds. "You can't have two things in the boot sector unless they were made to work together," he says, which some vendors are doing, such as GuardianEdge and Symantec. "We find problems in just about every enterprise, so the best advice is to test it."
DO consider your authentication options. Vendors offer different user authentication mechanisms, including PINs, passwords, smart cards and tokens, but the most popular is the password option. While it might seem more secure to challenge users with two separate passwords—one at preboot and one to enter the network domain—many organizations choose the single sign-on option.
DO consider an integrated suite. When Patterson began looking for an encryption system, his search was two-fold, as Raymond James' antivirus software contract was also ending and he wanted to try a different endpoint firewall than what was offered via Windows. This led him to look for products in which these functions could all be managed through a single console. "Otherwise, we'd need a fleet of people to run these systems, and no single picture of what's happening on the network," he says.
With Utimaco, Sophos has created a road map to integrate encryption with a broader security suite, Patterson says. McAfee also offers integrated management of encryption with other endpoint security functions.
Such integration will help ease deployment of these various security functions, Patterson says. "If we tell users we're going to put another agent on their machine, we have to jump through lots of hoops to ensure performance won't go down," he says. "Adding more functionality into one product set is very attractive as far as selling it to both management and end users."
Stanton Gatewood, CISO at the University System of Georgia, on the other hand, wanted a system that specialized in encryption, which is why he selected PGP. "We looked at others, but when it comes to the nuts and bolts of encryption and asking hard, technical questions, their answers weren't readily available. It seemed as though encryption was an add-on—that they were a firewall or antivirus company that now does encryption."
DO prepare a strong business case. Although encryption might seem a no-brainer, many businesses still take a "wait and see" approach, Lambert says. Convincing decision makers to get ahead of a breach by implementing FDE may require making a strong business case. Consider, Girard says, that the cost to mitigate a single compromised data record is comparable to or greater than the seat cost of an encryption tool. Furthermore, he says, the cost to mitigate a large number of breached data records is always larger than the total cost to implement encryption for all mobile platforms in a company.
Not that costs are low. While prices are dropping, Girard says, expect to pay over $100 retail per seat for up to 250 seats for a fully managed and audited encryption product with support for removable media. That drops to less than $100 per seat in the 1,000-seat range and below $70 for 5,000 seats or more, he says.
You can get it for less, Ward says. The State paid about $11.56 per seat instead of the $76 list price when the reseller offered a 30-day deal of 85 percent off.
DO consider support for removable media. With the prevalence of USB media drives, more attention is being paid to removable media encryption and device control, Lambert says. Generally, the same vendors that offer FDE or FES also offer encryption for removable media, she says, and in some cases, such as Check Point, they also integrate port management, content filtering, centralized auditing and management of USB port storage devices.
Removable media encryption was one of Patterson's evaluation criteria. Utimaco's Data Exchange product encrypts one file at a time rather than the entire USB, he says, which is compatible with the types of data users store, ranging from music to spreadsheets. He set company policy to encrypt anything that users copy over from their PCs, with password-based authentication. This does require thorough training, he says, so that users know how to decrypt and share files among coworkers, so he's phasing it in slowly.
Gatewood says PGP enables the encryption administrators to plug in functionality to encrypt e-mail, files being transferred and removable media, down the road. "We selected a system that will grow," he says.
DO look into the vendor's method of key recovery. Vendors offer varying approaches to key recovery, Maiwald says, for users who forget their password. These range from self-service portals for password reset, to help desk support with a challenge-response mechanism or a one-time password or token that a support tech can provide over the phone. "Look for an approach that nicely meshes with your help desk procedures," he says.
DO consider Active Directory integration. Systems that integrate with Active Directory simplify management exponentially, users say. "When a machine is added to the Active Directory domain, we can see it in the console and move encryption keys around," Patterson says. "It's a huge help for key escrow."
Ward says AD integration enabled him to do a one-way pull to populate the McAfee database, saving a great deal of time and providing assurance that the database was structured correctly. "It was important that we not put an additional burden on administrators," he says.
DO look into reporting capability. Ease of reporting is another key selection criterion, Patterson says, to prove laptops are encrypted, especially when one goes missing. Other common reports include whether users had any issues with encryption, whether they called the help desk and whether it was resolved, Gatewood says.
DO check on which platforms are supported. There are far fewer Macintosh-based encryption platforms than Windows, Lambert says. Gatewood's choice of PGP was partly due to its cross-platform support of many versions of Windows, as well as Mac OS X.
DON'T overlook key management. Without strong key management, Gatewood says, you're better off not having encryption at all. This is what enables you to restore, revoke and manage keys in any way. Lack of a strong key management system is one reason he bypassed any of the open-source systems he considered. PGP's Universal Server, on the other hand, allows him to not only manage its own keys, but also keys from other systems, as well. "Some management consoles can be a little kludgey," he says. You should also be able to back up the key escrow database.
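The key-recovery and key-management points above (a credential only unlocks the key that decrypts the disk, the help desk can recover a forgotten password, and keys can be revoked and escrowed centrally) come down to one architectural pattern: a single disk key (DEK) that never changes, wrapped separately under each credential, with an escrowed copy held by the management server. The following is an added illustration of that pattern, not code from any product named in the article. It uses only the Python standard library, so the wrapping primitive (an HMAC-SHA256 keystream plus an HMAC tag) is a labelled stand-in for the AES key wrap a real product would use, PBKDF2 is used in place of whatever KDF a vendor ships, and the escrow server and the disk live in one process so the help-desk flow can be shown end to end; challenge-response and one-time-password variants are not modelled.

```python
"""Model of how an FDE product stores one disk key behind several credentials
and escrows it centrally. Added example, not any vendor's code. The wrapping
primitive (HMAC-SHA256 keystream plus HMAC tag) is a stdlib-only stand-in for
the AES key wrap a real product would use."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed value; real products tune this to the CPU


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from the KEK in counter mode."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the DEK under the KEK; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant time), then recover the DEK."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong credential or corrupted key slot")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def kek_from_password(password: str, salt: bytes) -> bytes:
    """Turn a preboot password into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class EncryptedDisk:
    """The DEK never changes; credentials only change which slots can unwrap it."""

    def __init__(self):
        self._dek = os.urandom(32)  # in a real product this exists in the clear only at preboot
        self.slots = {}  # slot name -> (salt, wrapped DEK)

    def add_password_slot(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.slots[name] = (salt, wrap_key(kek_from_password(password, salt), self._dek))

    def add_raw_key_slot(self, name: str, key: bytes) -> None:
        self.slots[name] = (b"", wrap_key(key, self._dek))

    def revoke_slot(self, name: str) -> None:
        """Remove one credential; every other slot still unwraps the same DEK."""
        del self.slots[name]

    def unlock(self, name: str, password: str = None, key: bytes = None) -> bytes:
        salt, blob = self.slots[name]
        kek = key if key is not None else kek_from_password(password, salt)
        return unwrap_key(kek, blob)

    def dek_matches(self, candidate: bytes) -> bool:
        return hmac.compare_digest(candidate, self._dek)


class EscrowServer:
    """Management console: keeps each DEK wrapped under a server-held escrow key."""

    def __init__(self):
        self._escrow_key = os.urandom(32)
        self.records = {}  # machine id -> wrapped DEK

    def enroll(self, machine_id: str, disk: EncryptedDisk) -> None:
        disk.add_raw_key_slot("escrow", self._escrow_key)
        self.records[machine_id] = disk.slots["escrow"][1]

    def recover(self, machine_id: str, disk: EncryptedDisk, new_password: str) -> bool:
        """Help-desk flow for a forgotten password: rewrap the escrowed DEK under a new password."""
        dek = unwrap_key(self._escrow_key, self.records[machine_id])
        if not disk.dek_matches(dek):
            return False  # escrow record does not belong to this disk
        salt = os.urandom(16)
        disk.slots["user"] = (salt, wrap_key(kek_from_password(new_password, salt), dek))
        return True
```

Two properties of the model are worth noticing because they are what a reviewer should look for in a real product: a revoked or wrong credential never yields the DEK (the tag check fails before any key material is returned), and the escrow record lets the help desk restore access without ever re-encrypting the disk, which is why a backed-up escrow database is the thing that actually makes recovery possible.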
DO consider lock-out. This feature locks the machine if someone hasn't logged on to the network for a certain period of time, typically several weeks. At Connecticut, Ward says network-connected machines ordinarily check in five or six times a day to send logs to the encryption server. If that doesn't happen within the configured lock-out period, the machine won't allow the user to authenticate, and an administrator will need to unlock the machine. "It enforces discipline so that you're getting client logs on a continual basis, and the machines are constantly updated with new software and any changes in policy," Ward says.
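The lock-out mechanism Ward describes has two halves: the server side sees check-ins (several a day for a connected machine) and can report which laptops are drifting toward the deadline, while the client side refuses preboot authentication once the period has elapsed until an administrator unlocks it. The following is an added model of both halves, not code from the Connecticut deployment or from McAfee; the check-in log format, the 21-day period and the admin unlock token (an HMAC over the machine id and date under a secret shared with the console) are all constructed for the example.

```python
"""Lock-out model: server-side check-in reporting plus client-side preboot
enforcement. Added example with a constructed log; no product's real format
or unlock protocol."""
import hashlib
import hmac
from datetime import date, datetime, timedelta

# Constructed server-side check-in log: timestamp, machine, event, result.
CHECKIN_LOG = """\
2009-03-02T08:15:00 laptop-017 checkin ok
2009-03-02T12:40:00 laptop-017 checkin ok
2009-02-01T09:00:00 laptop-042 checkin ok
2009-03-02T17:05:00 laptop-017 checkin ok
2009-03-01T11:30:00 laptop-042 checkin failed
"""


def last_successful_checkins(log: str) -> dict:
    """Most recent successful check-in per machine (failed attempts do not count)."""
    last = {}
    for line in log.splitlines():
        ts, machine, event, result = line.split()
        if event != "checkin" or result != "ok":
            continue
        t = datetime.fromisoformat(ts)
        if machine not in last or t > last[machine]:
            last[machine] = t
    return last


def lockout_report(last: dict, now: datetime, lockout_days: int) -> dict:
    """Admin view: days of silence per machine and whether it is already locked."""
    limit = timedelta(days=lockout_days)
    return {m: {"silent_days": (now - t).days, "locked": now - t > limit}
            for m, t in last.items()}


def issue_unlock_token(admin_secret: bytes, machine_id: str, day: date) -> str:
    """Console-side: short token a support tech can read over the phone (constructed scheme)."""
    msg = f"{machine_id}:{day.isoformat()}".encode()
    return hmac.new(admin_secret, msg, hashlib.sha256).hexdigest()[:8]


class PrebootGate:
    """Client-side state the preboot environment keeps; it must work offline."""

    def __init__(self, machine_id: str, last_checkin: datetime,
                 lockout_days: int, admin_secret: bytes):
        self.machine_id = machine_id
        self.last_checkin = last_checkin
        self.lockout = timedelta(days=lockout_days)
        self._admin_secret = admin_secret  # assumed to be provisioned at enrollment
        self.admin_unlocked = False

    def is_locked(self, now: datetime) -> bool:
        return not self.admin_unlocked and now - self.last_checkin > self.lockout

    def authenticate(self, now: datetime, password_ok: bool) -> bool:
        """A correct password is still refused while the machine is locked out."""
        return password_ok and not self.is_locked(now)

    def record_checkin(self, now: datetime) -> None:
        """A successful check-in re-arms the timer and clears any admin override."""
        self.last_checkin = now
        self.admin_unlocked = False

    def admin_unlock(self, token: str, now: datetime) -> bool:
        expected = issue_unlock_token(self._admin_secret, self.machine_id, now.date())
        if hmac.compare_digest(token, expected):
            self.admin_unlocked = True
        return self.admin_unlocked
```

The point the model makes explicit is that the admin unlock is a one-off override: until the machine actually checks in again and pulls current logs and policy, the next lock-out would fire immediately, which is exactly the discipline Ward is describing.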