Data Encryption, Stop Hiding from it!

Security. Depending on your upbringing, and the capability of the security professionals you have encountered, this word may cause you to raise your head a little higher and hear superhero music playing in the background. Yep, that’s how I am. Or security may just be another 4-letter word (times 2). Security commonly references the CIA triad: Confidentiality (only those who should have access do), Integrity (only those who should be able to change data can), and Availability (data is accessible when it is needed). A big part of your security posture is how you encrypt your data.

There are 3 types of data: data at rest, data in use, and data in transit. I will only address data at rest in this article. Years ago, only high value mobile devices were encrypted, and only then if they absolutely had to be. They ran very slowly, caused problems with applications, and keeping track of the keys was a pain. Until around 10 years ago, encryption was pretty much only for individual files and folders. We have come a long way since then.

Today, there are 2 main ways to encrypt data at rest: file/folder encryption and Full Disk Encryption (FDE). Both have their strengths and weaknesses, and they are not mutually exclusive. For customers with mobile devices, custom applications, or applications that use data from more than one device, FDE is the way to go. Microsoft debuted BitLocker, their FDE product, as a free feature in Windows Vista if you purchased the Enterprise or Ultimate edition. It has remained in their OS lineup since. Because it is free, widely available, and the product I am most familiar with, BitLocker is the FDE I will reference throughout this article.

What does encryption provide your organization? Many organizations have mobile employees. People can take their laptops home, to a remote site, to a client’s location, or even on vacation. Sometimes, that employee steps away for lunch or stops to grab a coffee on the way home after a long day of meetings. When they return, their laptop bag with all of their equipment is gone. If the computer was powered on, the drive was already unlocked, but the thief will still have to know your password to get in (you do use strong passwords, right?). Without that, the thief would need to use a boot disk or connect the hard drive to their own computer to steal all your information, but FDE is active. The “bad actor” is unable to read the drive because it is encrypted. You may have lost the laptop, but you haven’t lost any of the information contained on it. In many industries, this is a very, very big deal. This is the difference between whistling a merry tune and declaring a breach.

Let’s address the usual reasons why organizations are afraid to encrypt: application compatibility, speed, and management. FDE is compatible with all applications. The encryption is applied to the entire volume, which is not the layer that applications run in. Applications work with folders and files, not the volume, so they do not even know that the drive is encrypted. Using the TPM chip on the motherboard, the entire volume is unlocked when the machine boots and it simply runs as normal.

The reduction in speed on a computer used to be very noticeable. 10%-30% reductions were common. Processors did not have built-in capabilities for encrypting efficiently, and hard disks were slow. The AES instruction set was added to processor architectures in 2010 for Intel and 2011 for AMD. This allowed for a ~30% performance boost. Around 2013, hard drive manufacturers began offering Self-Encrypting Drive (SED) technology, which means that there is no performance loss whatsoever when using this type of drive.

Key management has long been a concern in the encryption world. Nearly all major products on the market come with some form of key management. Microsoft offers Microsoft BitLocker Administration and Monitoring (MBAM). This is free to customers with the Microsoft Desktop Optimization Pack (MDOP). It allows management of keys as well as customer support capabilities for your helpdesk to provide unlock keys for admins, forensic teams, or users. Just make sure to vet who you are talking to!
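As an added example (not part of the original article, and not MBAM itself), the following PowerShell audits the BitLocker posture described above on a single Windows machine: whether each volume is fully encrypted and protected, whether it unlocks via the TPM, and whether a recovery password exists for the helpdesk to hand out. It assumes the built-in BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated session, and, for the escrow step, a domain already configured to store BitLocker recovery information in Active Directory.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker volumes and escrow recovery passwords to AD.
# Assumes the built-in BitLocker module and an AD configured to accept escrow.
Import-Module BitLocker

function Get-BitLockerPosture {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus      # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            ProtectionStatus = $_.ProtectionStatus  # On = volume is locked when at rest
            Method           = $_.EncryptionMethod
            # TPM-based protectors are what let the volume unlock transparently at boot.
            TpmProtector     = [bool]($types | Where-Object { $_ -like 'Tpm*' })
            RecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

function Backup-RecoveryPasswords {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        # Store the recovery password on the computer object in Active Directory,
        # so the helpdesk can retrieve it after vetting the caller.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

$report = Get-BitLockerPosture
$report | Format-Table -AutoSize

# Flag any volume a thief could read: not fully encrypted, protection suspended,
# or with no recovery password available for admins or forensic teams.
$report |
    Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' -or -not $_.RecoveryPassword } |
    ForEach-Object { Write-Warning "Volume $($_.MountPoint) is not fully protected." }

# Escrow recovery passwords for every volume that has one.
$report | Where-Object RecoveryPassword | ForEach-Object { Backup-RecoveryPasswords -MountPoint $_.MountPoint }
```

Backup-BitLockerKeyProtector fails if the domain has not been prepared for BitLocker recovery information, so treat an error there as a configuration finding rather than a scripting bug.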

In closing, there is no reason today to avoid implementing encryption to strengthen your security posture. You get all of the bonuses of more secure data, but no performance reduction and no compatibility constraints. So, what are you waiting for?! Get encrypting today!