
Don’t avoid FDE adoption anymore!

Sep 24, 2018 9:12:00 AM


Picture by anyaberkut | iStock

by Mohamad Ashokaibi

Risks around every Corner

Accidental and unauthorized disclosure of sensitive, business-critical data causes millions of dollars in damage to businesses every year. A 2018 study conducted by the Ponemon Institute puts numbers to it: "in this year’s study, the average cost of a data breach per compromised record was $148, and it took organizations 196 days, on average, to detect a breach." Without adequate precautions and employee awareness, it is very common for businesses to lose precious data stored on their endpoints, especially portable ones. To make matters worse, not all cases of lost or stolen computers are reported, or they are reported only after it is too late to contain the issue. To remain assured that the data will not be exposed and accessed illicitly in such incidents, full-disk encryption (FDE) is the answer.

Encryption has been the ultimate choice for ensuring data privacy since its early stages hundreds or even thousands of years ago. We in the IT industry know very well the importance of data encryption, but we also know very well the potential complications, and so we generally tend to avoid data encryption solutions. Such complications may include changes in the end-user experience, risk of data corruption, additional authentication steps, users denying the company access to data, and more. But we still need it, to protect our most valuable asset and to check that box in the compliance checklist.


Clutches of compliance

Many companies and organizations have one or more IT regulations with which they have to comply (and remain compliant). The majority of such regulations mandate that sensitive data be properly protected. Take HIPAA, for example, which lists the following among its Technical Safeguards:

"Information systems housing PHI must be protected from intrusion.

When information flows over open networks, some form of encryption must be utilized.

If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional." 


GDPR, too, is now an essential regulation with which a huge portion of businesses has to comply. According to GDPR, companies have to take security measures to protect their sensitive data, in particular measures that prevent unauthorized persons from gaining access to this data.

Furthermore, PCI DSS mentions FDE as a valid measure to protect stored cardholder data. Take the following from Requirement #3.4.1:

“If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials).

Decryption keys must not be associated with user accounts.”

Technical pressures

Protecting data becomes especially relevant when it resides on mobile endpoints (e.g., laptops). Despite the increasing use of smartphones and tablet PCs, both traditional and 2-in-1 laptops are still the preferred choice for most of the mobile workforce in businesses today. With ongoing improvements in technology, those laptops are getting more and more room to store data. Gone are the days of a few gigabytes of disk space; nowadays new laptops come with at least 500 GB, if not a terabyte, two or even more. The potential for data loss is therefore greater than ever.

Besides, to make our discussion more relevant to corporate environments and business needs, you might have to consider FDE for non-portable endpoints too: desktops, workstations and perhaps even servers. And yes, virtual machines are no different and have to be FDE-encrypted in several cases! So you want to make sure all bases are covered, as the essence of data protection is the same regardless of endpoint type.

The Windows operating system generally offers an adequate level of information privacy in many cases, but natively there is little or no protection when a computer is lost or stolen. This is another serious setback that, when thrown into the mix, calls even louder for a solid solution.

DriveLock to the rescue

FDE technology is one where the entire internal hard disk is encrypted bit-by-bit and sector-by-sector, including kernel files, system drivers, page and swap files, and everything else. Because the process is non-intrusive, the user can go on working normally, unaffected. It is also completely transparent to the end-user, operating system and applications, so normal system operations remain unchanged.

There are a few enterprise-class FDE solutions on the market today, and the Germany-based DriveLock SE is a global leader in this field.
Adopted by a huge number of customers, DriveLock's FDE solution today protects hundreds of thousands of endpoints worldwide. Customers enjoy the features below.

Employs a standards-based rapid encryption engine. Trusted by customers around the globe.

Supports the latest advancements in software and hardware, including UEFI BIOS, Windows Secure Boot, the AES-NI engine, FIPS 140-2 encryption mode, and more.

Supports various modern encryption and hashing algorithms, and strong disk wiping options. Supports tokens and smartcards for two-factor authentication.

Performs diverse safety checks before and during initial encryption to eliminate the chance of failure. Has a recovery option without forced decryption.

Centrally defines encryption policies, deploys agents, performs various recovery tasks and pulls useful reports for visibility and demonstration of compliance.

Supports domain and local users, as well as emergency users. Gives control over the number of failed login attempts and lockout periods.

Protection works whether the endpoint is online or offline. Authentication and recovery procedures work the same regardless of endpoint location.

Users can still use their Windows credentials to log in. The Single Sign-On (SSO) feature eliminates extra login screens. Virtually no change to the end-user experience.

Change the background of the preboot login screen to match the corporate profile. Display custom messages to end-users for explanation or assistance.

Has a dedicated console for operators to monitor endpoint encryption status, assist with password and disk recovery, and generate reports.

Provides several recovery options for password retrieval and for disk emergencies. Businesses keep their right to access protected data when needed.

Lets endpoints boot securely over the network without user interaction when the centralized server is reachable. Great for ATMs, kiosks and other self-service machines.

Configured in 4 simple steps and in less than 5 minutes!
Being a top endpoint security vendor, DriveLock SE delivers to you a robust FDE solution that is easy to configure and deploy, and smooth to administer, operate and support.
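Two of the features above, password recovery without forced decryption and keeping decryption keys separate from user accounts (the PCI DSS point quoted earlier), rest on the same design pattern: one random data-encryption key (DEK) encrypts the sectors, and each credential merely wraps that DEK. The model below is an added illustration of that pattern, not DriveLock's code; the HMAC-based wrap is a labelled stand-in for a real AES key wrap, and the protector names and secrets are constructed sample values.

```python
"""Key-hierarchy model behind FDE recovery (added illustration, not
DriveLock's code). One DEK encrypts every sector; each credential only
wraps that DEK, so a password can be changed or recovered without
re-encrypting the disk, and the DEK is never tied to a user account."""
import hashlib
import hmac
import secrets

DEK_BYTES = 32
KDF_ITERATIONS = 100_000  # slow KDF: a stolen laptop's blob resists guessing

def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Turn a user or recovery secret into a key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, dklen=32)

def wrap(kek: bytes, dek: bytes) -> bytes:
    """Illustrative encrypt-then-MAC wrap (stand-in for AES key wrap)."""
    stream = hmac.new(kek, b"dek-wrap", hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(dek, stream))
    return body + hmac.new(kek, body, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes):
    """Return the DEK, or None if the KEK is wrong or the blob was altered."""
    body, tag = blob[:DEK_BYTES], blob[DEK_BYTES:]
    if not hmac.compare_digest(hmac.new(kek, body, hashlib.sha256).digest(), tag):
        return None
    stream = hmac.new(kek, b"dek-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))

class EncryptedVolume:
    def __init__(self):
        self.dek = secrets.token_bytes(DEK_BYTES)  # plaintext only while unlocked
        self.protectors = {}  # protector name -> (salt, wrapped DEK)

    def add_protector(self, name: str, secret: bytes):
        salt = secrets.token_bytes(16)  # per-protector salt, stored in clear
        self.protectors[name] = (salt, wrap(derive_kek(secret, salt), self.dek))

    def unlock(self, name: str, secret: bytes):
        salt, blob = self.protectors[name]
        return unwrap(derive_kek(secret, salt), blob)

    def change_secret(self, name: str, old: bytes, new: bytes) -> bool:
        """Re-wrap the DEK under the new secret; no disk sector is touched."""
        dek = self.unlock(name, old)
        if dek is None:
            return False
        self.add_protector(name, new)
        return True
```

A helpdesk-held "recovery" protector added alongside the user's protector yields the same DEK, which is what lets an operator restore access to a locked disk without decrypting it.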

But do not go away just yet as our story does not end here!
To further help you build a versatile defense-in-depth solution, DriveLock SE also offers, on top of the same platform, file and folder encryption, removable storage encryption, application whitelisting, device control, and security awareness and education solutions. Since all of these are based on the same management core, adding more components to the platform helps businesses better protect their data and defend against cyberattacks while maximizing their return on investment (ROI).