Protecting the Whole Hard Drive
Introduction
Disk encryption is used to protect an entire hard drive or a portable
storage device such as a USB thumb drive or portable hard drive. It is
used mainly on portable computers, but can also be used on any computer
that contains highly sensitive data, especially if it is located in a
high-risk area.
Because many operating systems, especially Windows, store application
data, configuration information, and temporary files in numerous
locations, even a diligent user can have sensitive information stored on
the computer in the clear. Full disk encryption protects the whole hard
drive no matter the sophistication of the user, application or
operating system – everything is protected all the time.
How it works in a nutshell.
With full disk encryption, the computer asks for a password and/or a
USB token at boot before it will load the operating system. It is very
important that the boot password is complex: if the password is simple,
the protection of the full disk encryption is nullified. Remember, weak
passwords trump strong security - always.
So what will encryption provide:
1. Protects Data When Laptop Lost
No matter who finds the laptop, the data on the hard drive is protected.
2. Protects Data When Laptop Stolen
If your laptop is unfortunately stolen, the data on the laptop is protected.
3. Better than Mountable Encrypted Volumes for Normal Users
Mountable encrypted volumes turn an encrypted file into a drive letter,
like an “F” drive. The issue is that the user has to remember to run the
encryption software and mount the volume before they can save their
data. Some would say, “Why don’t you have the drive automount?” Well, it
would not give you much protection if someone can boot your operating
system. For users that are diligent, TrueCrypt is an open source volume
encryption software that I have been using for a little less than a year,
and it works great.
4. Better than Encrypted File System (EFS)
Encrypted File System (EFS) is included with Windows 2000 and Windows XP
Professional. It allows you to encrypt selected files, like files in
your My Documents folder. EFS does not let you encrypt operating
system files. It is good for securing data, but because the operating
system stores configuration and temporary files in many places, EFS is
not as effective as full disk encryption, though it is better than nothing.
5. Helps Meet Regulatory Concerns
If the laptop is lost or stolen, or if the laptop has private customer
data on it, then the loss of the data must be reported and customers
notified. This can be a huge embarrassment for any company and bring
about the PR fiasco that no one looks forward to.
6. Transparent to User
Unlike EFS and Volume Mounted encryption, the only evidence that full
disk encryption is active is the password request when the computer
boots.
During heavy disk operations there is only a 5% performance hit while
reading and writing to the encrypted drive. I have been running
SecurStar for over a year and I don’t even notice the performance
difference.
7. Beyond Username and Password of the Operating System
Many people think the username and password protect the data on the
laptop. This is not the case. Without full disk encryption, if someone
has physical access to your laptop, it is not your data anymore.
8. Protects Against Rip and Attack
Not only laptops need full disk encryption. There may be desktops in
your organization that contain sensitive information whose theft would
be harmful. I am not talking about servers that are locked in server
rooms guarded by men with guns, but maybe a CAD workstation and/or a
research workstation that may have local files (even cached) that could
be a target for attackers. Attackers could take out the hard drive, make
a copy and put it back before anyone knows.
Conclusion
For portable data and confidential data in high-risk locations, consider full disk encryption to protect your corporate data.