Why SMBs Should Adopt Full-Disk Encryption


Small and mid-sized businesses are paying a lot more attention to security now than in the past, according to Symantec's 2010 Global SMB Information Protection Survey. On this front, I recently took a look at the LOK-IT secure flash drives and IronKey. Both products enhance security by using hardware encryption technology to prevent unauthorized parties from accessing their contents.


Stolen or misplaced USB flash drives are but one possible chink in the armor against information loss. On the other hand, the sheer portability and increased use of laptops mean that they are even more prone to theft. In fact, the greater amount of information contained in a typical laptop means that a stolen one could be even more problematic than a lost flash drive.


SMBs serious about protecting themselves should consider adopting full-disk encryption (FDE), which entails encrypting the entire hard disk of the computing device.


Debunking the objections


The truth about FDE is that many of the initial barriers against adopting it are no longer valid, says a recent article on Search Midmarket Security. In "Laptop full disk encryption: Debunking myths", tests by an independent third party on behalf of Check Point Software were cited. Of the three major software FDE products on the market, the performance degradation that was measured averaged less than 10 percent. Referring to this figure, contributor Mike Chapple argued that "In the grand scheme of things, this is not a major performance impact, especially in light of the security benefits to the organization."


Another myth is that the use of FDE interferes with the ability to perform disk defragmentation, resulting in poor hard disk drive performance over prolonged periods of time. The major FDE products available today do provide applications with direct access to the disk, however, which means that administrators can continue to schedule disk defragmentation as necessary.


My opinion is that the use of solid-state drives will continue to increase, eventually eclipsing that of traditional HDDs. Their superior performance and the fact that SSDs do not require defragmentation in the first place will be the final straw in the debate against these outdated reasons to not implement FDE.


The real challenge of FDE


The most complex piece of the puzzle when it comes to implementing FDE is really the management of the encryption key, along with properly educating staffers on the technology. Key management entails ensuring that organizations retain the ability to access encrypted data should users forget their passwords, in the event of an unfortunate demise, or even when employees are fired.


In addition, staffers need to be aware that FDE is not a magic bullet for all security-related woes. For one thing, the use of FDE doesn't protect against spyware siphoning off confidential information, or against users inadvertently negating such defenses by disabling their login passwords for the sake of convenience.


Various FDE options


The easiest way to achieve software-based FDE would be to make use of Microsoft BitLocker, which can be found in the Enterprise and Ultimate versions of Windows 7 and Windows Vista. The licensing cost might unfortunately be outside the budget of some SMBs, though, and I shall be taking a look at another solution by Check Point shortly.


Beyond the use of data encryption, I would love to hear practical ways that SMBs can protect themselves against information loss. Feel free to add your comments below.