When in Doubt, Encrypt the Whole Hard Drive

Carl Weinschenk

To people who follow security issues on a daily basis, the first half of this opinion piece at CNET written by William Watkins, the CEO of Seagate Technologies, contains no surprises. The short version: There are an increasing number of data breaches, and the cost associated with these failures is great and growing.


The second half of the piece is more compelling. Watkins says 29 states have laws aimed at data protection, and statutes in all but one of them include provisions for encryption. The fly in the ointment, however, is that the precise type of encryption is left open. Thus, it is possible for organizations to encrypt on a file-by-file basis, a procedure that Watkins says is "time-consuming, expensive and fraught with failure points."


He says the superior alternative is hard drive encryption which, once implemented, automatically protects every piece of data on the machine. The unstated idea is that full encryption is a no-brainer, though there are always complexities. The government apparently is beginning to understand what is at stake. Last week, vendors were selected for Data At Rest (DAR) contracts by the General Services Administration. Winners were Credant, GuardianEdge, Information Security, Safeboot, Safeboot Mobile, SafeNet, SPYRUS and WinMagic.


Encryption is a powerful tool for good guys -- and apparently for bad as well. This interesting posting at a site called Anti CATCH Team.org seeks to protect readers from "snoopy, abusive and corrupt police agencies" with full-disk encryption. Of course, a piece of software can't distinguish between these and legitimate police agencies. It seems, therefore, that the writer is trying to guard against any police intrusion, justified or not.


Regardless of the writer's attitude, he offers valuable comments by distinguishing between container-file and whole-disk encryption. The former, he says, doesn't protect against copies of data in Windows subfolders. Whole-disk encryption -- such as PGP Whole Disk or DriveCryptPlus Pack -- encrypts everything, including temp files, browser history and other data.
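The container-file gap described above can be audited on a machine that relies on a container. The following is an added example, not code from the original article or the posting it cites: it hashes every file in the mounted container and reports byte-identical plaintext copies found elsewhere. The function names and the constructed sample tree are assumptions.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def walk_files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)

def find_plaintext_copies(container_root, search_roots):
    """Return sorted (copy, protected) pairs: files outside the mounted
    container whose content is identical to a file inside it."""
    container = os.path.realpath(container_root)
    protected = {}
    for path in walk_files(container):
        size = os.path.getsize(path)
        if size:  # skip empty files; they would match every empty file
            protected[(size, sha256_of(path))] = path
    sizes = {size for size, _ in protected}
    hits = []
    for root in search_roots:
        for path in walk_files(os.path.realpath(root)):
            if path.startswith(container + os.sep):
                continue  # still inside the container
            try:
                size = os.path.getsize(path)
                if size in sizes:  # cheap size filter before hashing
                    original = protected.get((size, sha256_of(path)))
                    if original:
                        hits.append((path, original))
            except OSError:
                continue  # locked or unreadable file
    return sorted(hits)

def demo():
    """Constructed sample: a stand-in container folder and a temp folder."""
    with tempfile.TemporaryDirectory() as base:
        vault, temp = os.path.join(base, "vault"), os.path.join(base, "Temp")
        os.mkdir(vault); os.mkdir(temp)
        for p in (os.path.join(vault, "payroll.csv"), os.path.join(temp, "~payroll.tmp")):
            with open(p, "wb") as f:
                f.write(b"name,salary\nconstructed,1\n")
        return [(os.path.basename(c), os.path.basename(o))
                for c, o in find_plaintext_copies(vault, [base])]
```

Only exact duplicates are reported; partial copies, thumbnails and browser history entries need content-aware scanning, which is the case for encrypting the whole disk instead.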


Our guess is that any debate between ad hoc and full-drive encryption should be settled somewhere between the two, but should lean toward encrypting at the hard drive level. The bottom line is that it can't be assumed that end users will make encryption decisions on any basis other than convenience. Therefore, machines likely to carry any sensitive material should get the full and automatic hard disk treatment.
