Full Disk Encryption vs. File Encryption

It seems that not a day goes past without us hearing the latest reports about theft of the laptops or another high profile example of data leaks.

In today’s cost-conscious times, the financial implications associated with the leakage of sensitive data can be staggering, the fines for non-compliance can be astronomical, and the loss of corporate reputation can be immeasurable. This heightened consciousness was reflected in a recent report by analyst firm Forrester Research, ‘The State of Enterprise IT Security: 2008 to 2009’ that stated 90% of CISOs now view data security as either "important" or "very important".

So what are the options for CISO's responsible for enforcing a sound Data Loss Prevention (DLP) policy and what solutions should they consider?

Two main software approaches currently exist for protecting data on hard drives: sector based and file based. Sector based Full Disk Encryption (FDE) software encrypts the entire drive sector by sector, while file based encryption encrypts all data files while leaving program and operating system (OS) files untouched.

Whether Full Disk or file-based, it is critical that organisations consider the pros and cons around performance, deployment, stability and implementation when selecting a data protection solution to protect them against the loss of sensitive data.

Benefits of File Based Encryption

Unlike FDE, file-based encryption encrypts only user data so that the OS remains decrypted and can be easily recovered if the system crashes, leaving damage to just a single file. For FDE based products, a careful scan of the drives prior to installation is highly recommended, since any problematic sector can be lethal for the entire disk.

The recovery process itself is much easier with file-based encryption, as only one file needs to be recovered – not the entire disk. Furthermore, file encryption products may be included within the OS, and can provide data separation functionality, saving the IT department time and money. Certain file-based products enable the IT technician to install new programs and perform maintenance tasks without exposing the computer user’s sensitive data.

This functionality, which is called technician mode, cannot be achieved by FDE products and represents a potential security breach for organisations who decide to implement an FDE solution. Another advantage achieved by encrypting only sensitive data stored on the endpoint is that the operating system and program files remain unencrypted, improving the overall stability of the product.

If an organisation does decide to incorporate file-based encryption, they will be able to run the day to day management of the help desk over the network prior to when the user logs in. One of the most common help desk requests from users is resetting forgotten passwords. Most encryption products mandate the use of a custom procedure, which requires a long, and error prone, response procedure. However, there are now file based products that allow help desk organisations to continue using existing standard Active Directory reset procedures for resetting passwords.

In contrast, FDE products mandate a custom and dedicated encryption password recovery procedure requiring both end user and help desk personnel training, and long, hard calls for resetting passwords.

Next page: IT Operations and Full Disk Encryption