How endpoint encryption works in a data security strategy

Companies should use encryption to keep data on endpoints protected should an attacker successfully get hold of a device or breach enterprise security measures.

Imagine an employee loses a work computer, or a USB drive with sensitive company information on it gets stolen. What happens to the data? Is it protected against unauthorized access? If it's not encrypted, these scenarios can be devastating.

Encryption is the key layer in any data security strategy as it ensures data cannot be read by unauthorized users.

Even if multiple layers of protection, such as firewalls, intrusion detection systems, antimalware and data loss prevention, fail or are breached, encrypted data stays protected. Endpoint encryption can ensure data remains safe from unauthorized access when it is stored and transmitted to another endpoint. It is often obligatory to achieve compliance with data protection laws and standards, such as GDPR, HIPAA and PCI DSS.

The 2 types of endpoint encryption

Two main approaches to endpoint encryption that companies can implement to protect data are full-disk encryption and file encryption.

1. Full-disk encryption

Full-disk encryption secures the entire contents of any storage media, protecting the OS, applications and data stored on a drive, including swap, system and hibernation files. This makes the drive virtually useless until the correct PIN or password is entered and its contents are decrypted. Note that software-based products do not encrypt the master boot record (MBR), so the device can boot and locate the encryption driver that unlocks the system.

This pre-boot authentication ensures data remains encrypted until authentication is complete. Even if the encrypted disk is lost, stolen or placed into another computer, its contents remain protected. Another advantage of full-disk encryption is that data stored on the drive is automatically encrypted and decrypted, providing seamless and transparent UX.

Because full-disk encryption makes the entire disk readable once a user successfully authenticates, it is essential that the device is not left unattended while unlocked. To keep data protected, users must log out so the disk and its data are locked again.

Full-disk encryption is either hardware- or software-based. The latter, however, cannot encrypt the MBR or similar bootable disk area because it tells the software how and where the OS is located. Software encryption modifies this record so it can display a modified pre-boot environment that lets the user authenticate to the device by entering a password or PIN, and possibly a second form of authentication, such as a biometric scan or hardware token. macOS, Linux and Windows all include full-disk encryption software. A variety of standalone utilities that include a full-disk encryption tool are also available.

Hardware-based encryption takes place within the drive itself, using an onboard cryptoprocessor that automatically encrypts everything when written to the disk. These are known as self-encrypting drives (SEDs). The encryption key used to encrypt data stored on these drives never leaves the device and is known only by the drive itself. The authorization key, set by the user, is also encrypted and stored on the drive. It is used to decrypt the encryption key and load it into the cryptoprocessor, thereby controlling access to the drive's data.

Encryption keys and user information are stored in the drive hardware. This isolates the drive from the CPU and OS, making it less vulnerable to attack. SEDs also work without affecting system performance as the drive controller performs all the hardware-based disk encryption, not the host OS.

2. File encryption

The alternative option is file encryption, which only encrypts designated files or folders. These items remain encrypted even after a user successfully logs in to the system. They are only decrypted when the user opens them and enters the correct password, token or other authentication measure when prompted.

File-based encryption supports structured and unstructured data, so it can be used to secure a database, as well as documents and images. It also enables data to be protected when shared, such as via an email attachment or a collaboration service. Senders can designate how the recipient decrypts the data, for example, from a separately communicated password to a portal that handles the authentication process.

Enterprise-level endpoint file encryption products can enforce an organization's encryption policy. This policy defines the types and locations of files that require encryption and enables groups to share and work on particular network files and folders. For example, Windows allows encryption via Encrypting File System (EFS) on NTFS volumes to be enforced through Group Policy.

To increase the strength of software-based encryption, many products take advantage of a Trusted Platform Module (TPM), a hardware-based, tamper-resistant cryptoprocessor that is part of the device's motherboard. A TPM provides hardware-based cryptographic and security-related functions, such as system integrity checks, disk encryption and secure key management, all at machine speed.

Encryption algorithms

Endpoint encryption typically uses Advanced Encryption Standard-256 (AES-256) and Rivest-Shamir-Adleman (RSA), both of which are publicly specified algorithms approved for use under Federal Information Processing Standard (FIPS) 140-2, the U.S. government standard for cryptographic modules. AES-256 uses a single key to encrypt and decrypt stored data, while RSA is commonly used to securely transmit data from one endpoint to another. RSA uses asymmetric encryption, which uses two keys: one key to encrypt the data and another key to decrypt it.

Endpoint encryption considerations

An important aspect of data security is availability. All deployments with endpoint encryption should include data recovery options in case of a forgotten password, lost authentication token or corrupted MBR. When selecting an endpoint encryption product, confirm it uses some form of self-recovery, one-time password, recovery token and/or administrator key to access encrypted systems in a lockout state.

Choose a product that provides centralized management capabilities to automatically deploy and enforce encryption policies; create, distribute, destroy and store keys; and remotely lock compromised endpoints. Without these services, managing endpoint encryption at scale quickly becomes difficult.

Attackers like to target endpoints because they can be weak points within an organization's IT infrastructure. Any loss, theft or unauthorized access of endpoints increases the chances of a data breach, which can result in lawsuits, heavy fines, negative publicity and loss of business.

Endpoint encryption should be a part of every organization's data security strategy. However, endpoint encryption -- even when part of the OS, such as Microsoft BitLocker or Apple FileVault 2 -- is not always enabled by default.

IT needs to implement security policies that ensure endpoint encryption is activated when new devices are deployed. Also, note that endpoint encryption does not solve all data security problems. Malicious software downloaded to an endpoint, for example, can still read data once the device is unlocked and the data is in its unencrypted state. Therefore, use endpoint encryption in conjunction with other security tools, such as antimalware and perimeter defenses.

This was last published in March 2022