Researchers: Partially Encrypting Disks Leaves Data at Risk


When news of a technical problem that could have significant impact on businesses breaks, all executives can do is wait until the experts tell them whether it truly is a big deal, if a fix is imminent, or if the industry is in the soup.


The news in this case, as reported in InfoWorld, is that partially encrypting hard drives is problematic. The worst kind of security is the security that an organization inaccurately thinks it has, and this could be one such case. The issue is that bits and pieces of files are stored on various parts of the disk. The problem, found by researchers at the University of Washington and British Telecommunications, is that segments of files meant to be encrypted end up stored in unencrypted areas of the disk, leaving them exposed.


The story provides a good deal more detail on how the researchers found the problem. There doesn't seem to yet be a consensus on what this means for partial encryption. The takeaway, though, is clear: Given a choice, full disk encryption (FDE) is more prudent than ever.


FDE seems to be getting more accessible. This week, for instance, Hitachi GST introduced the Deskstar 7K1000.B SATA II interface hard drive. Hitachi GST says it is the most power-efficient 1-terabyte drive available. The drive employs Advanced Encryption Standard (AES) encryption, but the story doesn't say at what level.


The takeaway from this Jon Oltsik column at CNET is that FDE has made tremendous headway and, indeed, has become a commodity item. Smart vendors are providing additional functionality in efforts to deal with this environment. Two examples, Oltsik says, are that FDE is being teamed with data leakage prevention in products from McAfee/SafeBoot and with port blocking in packages from Pointsec. Oltsik says that the market is developing in two directions: Big security vendors are making FDE a feature of general suites, and others are making it an element of more specialized packages.


The overall topic of this Securosis piece is when to use different types of encryption. Rich Mogull suggests that there are times when FDE is not enough, since multiple people may have access to a machine and its encryption keys. It also doesn't protect data in motion. File-level encryption is useful, but it too leaves data unprotected in certain circumstances. Thus, Mogull says, there are instances in which using file and full-drive encryption together is appropriate.