As the details of our digital lives and vocations are increasingly exposed online, the need for privacy has become unavoidable. That desperate need for privacy has even breached the boundaries of the digital world to have a direct impact on our daily physical lives. We may achieve security though multi-factor and other practices online, but what protects the actual devices which hold all of our most precious information? Loss of a device through misplacement or theft starkly illustrates how crippling data loss can be completely unintentional. Full Disk Encryption (FDE) is a common answer to this particular issue, in that it can protect intellectual property and private data on physical devices, helping achieve compliance and mitigate the risk of our digital lives being prey to our physical mistakes. However, security and usability often have an inverse relationship – ratcheting up security can reduce ease of use and negatively impact user satisfaction. The use of Full Disk Encryption is no different.
Full Disk Encryption in Practice
As a basic primer, Full Disk Encryption encrypts the entire hard disk. This includes the operating system and all partitions. It is the proverbial circus mallet in that it leaves no pre-existing data unprotected. The encryption key used to perform the encryption is actually derived from a user password or PIN which effectively acts as the seed. Because the operating system is encrypted, the FDE software is now responsible for presenting the user interface for gathering the password during Pre-Boot Authentication (PBA). This used to be accomplished using a simple command prompt but has evolved over the years to full GUIs that are more user-friendly.
The operating system and its username and password are still very much present, but the drive must first be decrypted before the OS can even begin to load. When Full Disk Encryption is present, this OS login prompt is often bypassed using a form of Single Sign-On in the name of usability. However, if an organization has deployed a Self-Service Password Reset solution to the endpoint workstations that integrates into the native OS logon screen, bypassing this login prompt will create more issues for usability because the user simply cannot initiate a password reset. Some Full Disk Encryption software has built-in self-service support, but since this is not a core competency for the vendor, the user experience can be severely lacking and increase - rather than decrease - the number of calls to the Help Desk.
Getting Around Any Unintentional Barricades
Resolutions and Alternatives
If drive encryption is already in place, then it’s most likely mandated or required somewhere in the organization. Fine, let’s use that as the starting point.
Going back to the circus mallet allusion, it is possible that utilizing such an all-encompassing tool can be overkill. Why encrypt the entire drive when it’s only the user and organization data that needs protection? There is little benefit in encrypting operating system files as they cannot typically be modified by a normally privileged end-user and are usually monitored using file hashes at the system level. As such, using BitLocker and the built-in Encrypting File System on Windows, and/or FileVault 2 on a Mac can present a compelling compromise. These solutions can achieve encryption without incurring the cost of a separate product and having to deal with an additional third party vendor.
Storing sensitive data on a separate physical hard disk or USB drive is another option that directly addresses the requirement of encryption without hampering usability and convenience. However, this route requires some additional planning. Policies must be implemented to ensure that users cannot save data on unencrypted partitions or folders. Even a rogue attachment that’s written to an unprotected TEMP folder can represent a potential data leak.
Some Full Disk Encryption vendors also support APIs that can be used by authentication vendors to extend their more seasoned, robust Self-Service offerings to the realm of encrypted disks. These allow a password reset performed through the SSPR vendor’s mobile app or browser to programmatically restore the user’s access to the encrypted workstation. Though perhaps not a perfect solution, this style of integration drastically improves usability in situations where FDE is an absolute MUST.
Ignoring the facts does not make the reality any different: the need for encryption is unavoidable today. It may be required to protect an organization’s Intellectual Property or simply as a method of ensuring the privacy of employee, customer, and/or vendor data. Full Disk Encryption could even be required due to a compliance mandate. The fact of the matter is, with so many likely scenarios requiring FDE,it has become a need that must be addressed - and addressed correctly. After all, absolute data protection is not always achieved simple when pitted against an extremely determined attacker or foreign/domestic government agency (e.g. the FBI successfully cracking the iPhone’s previously rock solid encryption). Realizing the need for balance can help temper the impulse to encrypt everything, everywhere without regard to the impact on usability - keeping data secure, and end-users happy!
What are your thoughts on the benefits and hindrances of Full Disk Encryption? Let me know in the comments!