by Mohamad Ashokaibi
Risks around every Corner
Encryption has been the ultimate choice for ensuring data privacy since its early stages hundreds or even thousands of years back. We in the IT industry know very well the importance of data encryption, but we also know very well the potential complications, so we generally tend to avoid data encryption solutions. Such complications may include changes in the end-user experience, risk of data corruption, additional authentication steps, users denying corporate access to data, and more. But still we need it to protect our most valuable asset and to check that box on the compliance checklist.
Clutches of compliance
"Information systems housing PHI must be protected from intrusion.
When information flows over open networks, some form of encryption must be utilized.
If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional."
GDPR is also now an essential regulation that a huge portion of businesses has to comply with. According to the GDPR, companies have to take security measures to protect their sensitive data, in particular measures that prevent unauthorized persons from gaining access to this data.
Furthermore, PCI DSS mentions FDE (full-disk encryption) as a valid measure to protect stored cardholder data. Take the following from Requirement 3.4.1:
“If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials).
Decryption keys must not be associated with user accounts.”
Protecting data becomes much more relevant when it resides on mobile endpoints (e.g., laptops). Despite the increasing use of smartphones and tablet PCs, both traditional and 2-in-1 laptops are still the preferred choice for most of the mobile workforce in businesses today. With ongoing improvements in technology, those laptops get more and more room to store data. Gone are the days of a few gigabytes of disk space; nowadays new laptops come with at least 500 GB, if not a terabyte, two or even more. The risk of data loss is therefore greater than ever.
Besides, to make our discussion more relevant to corporate environments and business needs, you might have to consider FDE for non-portable endpoints too: desktops, workstations and perhaps even servers. And yes, virtual machines are no different and have to be FDE-encrypted in several cases! So you want to make sure all grounds are covered, as the essence of data protection is the same regardless of endpoint type.
The Windows operating system in general offers an adequate level of information privacy in many cases. But natively there is little or no protection in cases of lost or stolen computers. This is another serious setback that, when thrown into the mix, calls even louder for finding a solid solution.
DriveLock to the rescue