Home » Blog


The latest announcements, insights and commentary from Linoma Software

Is Disk Encryption Really the Silver Bullet?

Disk encryption was introduced as a solution for simplifying the encryption requirements that most companies face for protecting sensitive data. Now that the IT industry has gained a few years of experience, however, many have discovered that disk encryption is not an all-encompassing security solution.

disk encryption for laptop computersLaptops are one of the most popular targets for disk encryption.

[Download our white paper Defending Against Data Breach for details about the risks laptops and tablets present for IT staffs.]

However, companies have discovered that it requires a lot of planning and time to implement laptop encryption properly.

First of all, disk drives must be in good condition with no disk errors, and experts recommend that they be de-fragmented before installing the encryption software.

Once the time-consuming de-fragmentation task is completed, encrypting the drive will take an additional 2- 4 hours depending on the size of the drive. Employing disk encryption for a large number of laptops in the organization will therefore result in some significant downtime for their users.

Some companies are touting disk encryption as their "end all" for meeting compliance requirements. But it is not a silver bullet. For instance, once a laptop is placed on the network, the data on the encrypted disks could potentially be accessed by savvy online hackers. Once access is gained, all information on the compromised laptop could then be easily downloaded from the laptop by the hacker.

For those companies that deal with credit cards, PCI DSS compliance standards involve a complex series of requirements that disk encryption cannot solve on its own. Here are just two items from the PCI checklist:

  • A user's access to protected data must be managed separately from his or her access to the operating system that the data resides on. Therefore, if the secure data is stored on an MS Windows server, access control to the sensitive data must be managed by an application other than in Active Directory.
  • Cryptographic keys and cardholder data must be encrypted wherever it may be stored, including removable media such as USB drives, CDs, DVDs, or tape backups. However, disk encryption does not encrypt data if it's moved to other devices.

IT professionals are discovering that the best way to meet PCI DSS and other similar regulations is to keep sensitive data off of laptops whenever possible. Sensitive data can be more easily secured and controlled by IT professionals within centralized corporate database systems. The data can then be encrypted at the field level within these database systems. Along with effective key management and audit trails, an effective database encryption solution will provide a much higher level of protection for this sensitive data.

To maximize their time and resources, many companies are turning to third party vendors, such as Linoma Software's Crypto Complete, which provide an effective solution for field encryption without the need to make programming or database changes.

Keeping data secure is a constant battle, and given the high cost of data breach, it could be one of the most critical tasks a company tackles. As hackers get more creative, relying on encryption best practices may be the best defense IT has.

Comments (1)

  1. Alex:
    Jun 12, 2012 at 03:50 PM

    I've seen multiple cases where full disk encryption failed to protect the data and the FULL disk leaked due to user error. No matter how hard you strive to protect a drive with all kinds of security you can think of - the disk will get mounted and the user can leave it widely available to physically logged in people or to someone who exploited their machine remotely. So in reality, FDE only works if the laptop is stolen, only if the attacker has not obtained the key in advance or doen't use the "rubber hose cryptanalysis"

Add a Comment

Allowed tags: <b><i><br>