The fundamentals of FDE: The business case for full disk encryption
Expert Karen Scarfone outlines the benefits of FDE to help businesses decide if the storage encryption technology is right for their organization.
Full disk encryption (FDE) technologies are a form of storage encryption that, as the name implies, encrypts all the information on a hard drive for a desktop, laptop or server. That way, when the computer is in a non-booted state, its operating system (OS), applications and user data are all safeguarded from unauthorized access.
When someone attempts to boot the OS, the user or administrator must successfully authenticate before booting can occur. This is known as pre-boot authentication (PBA). Once PBA succeeds, the OS is loaded and the user can access all their OS functions, applications and data.
Conventional wisdom holds that -- at a minimum -- every organization should be using FDE on all computers that access or hold sensitive data. While this may sound reasonable, many businesses that use FDE on all their desktops and laptops do so because of the mistaken belief that the technology provides much more protection than it really does.
Whether FDE is appropriate for an organization's systems depends almost entirely on the threats it is trying to thwart; loss or theft of a device, server-side data theft, alterations to the OS, or malware accessing sensitive data are four examples of threats that can be mitigated with FDE.
FDE scenario #1: Protect against computer loss or theft
The most common reason for implementing FDE is the threat of a laptop or mobile device being lost or stolen by an attacker who wants to gain unauthorized access to sensitive data on the system.
For a few years, there seemed to be numerous media reports of stolen or lost laptops, each of which contained millions of unprotected customer records. These were treated as full-fledged data breaches because no one could know if the sensitive data had been accessed by the attackers or not. A single data breach can cost an organization millions of dollars in recovery costs and damage its reputation.
As a result of these breaches, it became a no-brainer to install FDE to protect sensitive data on laptops. That way, if a laptop is lost or stolen, the data can be considered safe because the device is protected by FDE. This helps organizations prevent data breaches and avoids the announcement of stolen and lost laptops by the media.
Many organizations have extended this fundamental principle -- protecting sensitive data using FDE -- so they use FDE on all laptops (and in some cases, desktops) because they are not 100% sure which devices contain sensitive data and which don't. This is a surprisingly common and complex problem that requiring FDE use on all laptops addresses relatively easily and cheaply.
For example, with FDE deployed to all laptops automatically, there would be no need to add the technology to an already-deployed laptop before a user is able to access sensitive data for the first time. That would cause significant and unwanted delays. And with FDE comprehensively deployed across the enterprise, should a laptop be lost or stolen, there is no need to panic while attempting to definitively determine if the device is protected by FDE and, if not, whether it had ever been used to access sensitive data -- the remnants of which might still be on the device.
It is important to note that the use of FDE technologies is often based on the assumption that devices will be shut down when not in use. This is particularly problematic for laptops, which are frequently placed in sleep or hibernation modes. Depending on the product being used and how it is configured, FDE technologies may or may not take effect for laptops in such modes.
IT departments are cautioned to perform their own testing to ensure the FDE products they're considering actually protect sensitive data in suspended and hibernated devices. If they don't, then a different approach may be needed, or it may be prudent to enforce policies prohibiting the use of suspend or hibernation mode for laptops.
Non-FDE approaches to securing against computer loss or theft
One non-FDE approach to protecting against the loss or theft of a device involves constructing an IT infrastructure architecture, including applications and databases, so all sensitive data is stored centrally and no sensitive data -- directly or indirectly (e.g., data remnants) -- is stored locally on laptops, desktops and other devices.
Technologies such as data loss prevention (DLP) can help ensure this sensitive data is not transferred to removable media, printed or copied and pasted into other documents, or otherwise exfiltrated from the centralized storage.
Organizations that choose such a data security method instead of FDE must carefully examine and test them to ensure it's foolproof. If data leakage is possible, then loss or theft of a device can still lead to a major data breach.
FDE scenario #2: Prevent server-side data theft
Sometimes enterprises choose to use FDE technologies on their server hard drives. This provides protection of the contents of the server hard drives when the server is not booted, such as when the server is being transported from one location to another.
Although this is not a common scenario for some organizations, it may be more common for businesses that have many branch offices with their own servers -- where technicians may be transferring hard drives between locations -- and also during disaster recovery operations, when servers are being migrated from one physical location to another.
Because of these reasons, it may make sense to use FDE on server hard drives to provide protection during these transports.
FDE scenario #3: Guard against unwanted OS modifications
Although most people associate FDE technology with protecting against the exposure of sensitive data through loss or theft of a device, it can also protect against attempted alterations to the OS.
For example, an attacker could temporarily gain access to a laptop or desktop that is not protected with FDE. The hacker could then, through the use of several methods -- including exploiting OS vulnerabilities and using forensic tools -- modify the OS's executables, configuration, permissions and other attributes. This would allow the attacker to return the device to its original home while maintaining remote access to the device by planting malware in OS executables.
This is not a common threat, but in organizations with particularly high security needs, this alone may be enough of a justification to merit the use of FDE for desktops and laptops.
Note again that FDE only protects a device when it is not booted; FDE cannot prevent malware infections and OS manipulation performed when the device is in a booted state. Preventing and handling such conditions requires the use of antimalware technologies, such as antivirus software or malware analysis tools; vulnerability management tools, including patch management capabilities to eliminate known vulnerabilities in OSes and applications; and a strong authentication and access control system configuration, to ensure that only authorized administrators can make alterations to the OS files, configuration, etc.
FDE scenario #4: Requires partners to offer global malware protection
Perhaps the most common threat against most organizations' systems is that of malware accessing sensitive data stored locally on a desktop or laptop. Unfortunately, there is nothing that can be done by FDE technologies to prevent this once that device is booted. However, there are other forms of storage encryption technologies that may be helpful.
These technologies -- with names such as virtual disk encryption, volume encryption and file encryption -- can provide protection for the confidentiality and integrity of sensitive data even when a device is fully booted. Many organizations with sensitive data on their laptops and desktops choose to use one of these technologies in addition to FDE to provide an additional layer of protection, specifically against malware.
FDE technologies are very helpful at thwarting certain types of threats. Specifically, they can help prevent unauthorized access to sensitive data made possible by loss or theft of a desktop, laptop or server.
There are alternative technologies besides FDE that can prevent sensitive data from being stored locally, but these aren't foolproof either, and FDE offers an additional layer of protection. That's because FDE technologies are also useful for preventing an attacker from altering OS or application executables for devices at rest.
However, FDE technologies do nothing to safeguard data or executables for devices that are actively being used. Organizations considering the use of FDE technologies should carefully consider what threats they are trying to counter, and pair FDE with additional complementary security technologies.
The merits of encryption vs. hashing after the Adobe password breach
Should FDE be used to thwart data loss?