Regulatory compliance requirements and concern over data breaches are pressuring midmarket companies to look at full disk encryption for laptop security and to address the security of sensitive data that is mobile and easily shared, lost or stolen.
While most regulations don't specifically require laptop encryption software or hardware, compliance is the hammer that is driving midmarket companies to deploy full disk encryption on employee laptops. State data breach laws are perhaps the most compelling, but you're running at high risk for HIPAA, GLBA and PCI DSS non-compliance if you don't encrypt. Massachusetts' personal information law, 201 CMR 17.00, scheduled to go into effect next March, requires laptop encryption for any company holding Massachusetts residents' personal information.
There are a number of good commercial products on the market, so once you decide to deploy FDE on corporate laptops, there are several key evaluation areas:
Ease of deployment. With hundreds of laptops and a small IT staff, midmarket companies will need a product that automatically pushes out the installation in one action, and just as easily adds new laptops. Most commercial FDE products make this a simple, one-shot process.
Central management. Again, given limited resources for a large number of users, this is essential for the midmarket. In particular, key management is otherwise a very manual process, requiring spreadsheet tracking and securing that information from prying eyes. These products typically take most of the pain out of this chore.
"If you want to use a free solution like TrueCrypt, at 10 users, you're probably good," said Jon Oltsik, senior analyst at Enterprise Strategy Group. "When you get into the hundreds of employees, you want something with management muscle behind it."
The product should automatically do symmetric key encryption and store the keys locally. Neither the user nor the admin need be concerned with them again. A master key is created to give authorized management access to encrypted drives to reclaim data from laptops of terminated employees or for legal purposes.
"With no centralized key recovery scheme, each user is on his own or the admin has to make up his own recovery system," said Tim Matthews, vice president of marketing at PGP Corp. "That's not very economical and rife with security issues."
Note: A strong password policy is critical. Encryption is useless if the password is cracked. People also tend to forget strong passwords, so your product should allow easy recovery. One common feature is a complex one-time password that the admin can deliver to the user out-of-band. Most products also have self-service password reset options, requiring the user to answer challenge questions.
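The key-management model described above (a per-laptop symmetric key stored locally, a user unlock path, and an admin master key for recovery and password reset) is easier to reason about in code. The following is an added example written for this article, not code from any of the products mentioned. It assumes a simple record layout (`salt`, `user_slot`, `admin_slot`) and uses PBKDF2 for the password key and an HMAC-SHA256 keystream plus HMAC tag as a stand-in for a real AES key-wrap, so that it runs with only the Python standard library; the wrapping primitive is illustrative of the structure, not a production cipher.

```python
"""Added example: key escrow for full disk encryption (not vendor code).

A data encryption key (DEK) is generated for each laptop and stored locally
in two wrapped copies: one under a key derived from the user's password and
one under the admin master key. The user never sees the DEK; an administrator
can recover it, or reset a forgotten password, without re-encrypting the disk.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERS = 200_000  # assumption: a reasonable work factor for this demo


def derive_kek(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key (KEK) from the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, 32)


def _subkeys(kek: bytes):
    """Separate encryption and MAC keys from one KEK (domain separation)."""
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (illustrative, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, dek: bytes) -> dict:
    """Encrypt-then-MAC the DEK under the KEK; returns a storable 'slot'."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(kek: bytes, slot: dict) -> Optional[bytes]:
    """Verify the tag first; return None (not garbage) on a wrong key."""
    enc_key, mac_key = _subkeys(kek)
    expected = hmac.new(mac_key, slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    stream = _keystream(enc_key, slot["nonce"], len(slot["ct"]))
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))


def enroll_laptop(password: str, master_key: bytes) -> dict:
    """Generate a fresh DEK and escrow it under both the user and admin keys."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "user_slot": wrap_key(derive_kek(password, salt), dek),
        "admin_slot": wrap_key(master_key, dek),
    }


def unlock_with_password(record: dict, password: str) -> Optional[bytes]:
    """Normal boot path: the user's password releases the DEK."""
    return unwrap_key(derive_kek(password, record["salt"]), record["user_slot"])


def admin_recover(record: dict, master_key: bytes) -> Optional[bytes]:
    """Management path: reclaim data from a terminated employee's laptop."""
    return unwrap_key(master_key, record["admin_slot"])


def reset_user_password(record: dict, master_key: bytes, new_password: str) -> dict:
    """Forgotten-password recovery: recover the DEK with the master key and
    re-wrap it under the new password. The DEK, and thus the encrypted disk,
    is unchanged; only the user slot is rewritten."""
    dek = admin_recover(record, master_key)
    if dek is None:
        raise ValueError("master key does not match this laptop's escrow record")
    salt = secrets.token_bytes(16)
    record["salt"] = salt
    record["user_slot"] = wrap_key(derive_kek(new_password, salt), dek)
    return record
```

The point to take from the structure is that the master key never leaves the management side, a wrong password or wrong master key yields a clean failure rather than a corrupt key, and a password reset is a re-wrap of the existing DEK rather than a re-encryption of the drive.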
If you need stronger authentication for some or all your users, look for products that integrate easily with two-factor authentication products, such as tokens or biometrics.
Reporting. This doesn't have to be elaborate, but you need to be able to prove that all your laptops, particularly those that fall under regulatory control, are encrypted. For example, if you are subject to PCI DSS, you can generate a report that says, "I'm covered." Similarly, if a laptop is lost or stolen, the report verifies the drive was indeed encrypted, relieving your company of that costly disclosure requirement.
User transparency. The end user shouldn't even know his drive and its data have been encrypted. You don't want to deal with help desk calls. Users may notice some slowdown during the initial installation, but they probably won't notice any ongoing performance impact.
Platform support. If you have Mac laptops, make sure the product works with those, with the same management console.
Additional capabilities. FDE products often include device/port control features, such as policy-based management of portable storage devices. Increasingly, vendors are offering suites that include data loss prevention and endpoint security, including their antimalware products. If you are looking at adding these capabilities, now or in the future, focus on those companies that offer them and evaluate how well they integrate all these products.
Price. In the final analysis, most of the well-known commercial products will meet your FDE requirements, and it may come down to who offers the best deal. Figure somewhere in the area of $25 a seat.
Free alternatives such as TrueCrypt won't have the central management, mass deployment or reporting you need. Management, key storage and password recording will be done manually, and you'll need a power user admin to install the software and track and manage updates.
If you were one of those companies that upgraded to Vista, the Ultimate and Enterprise editions include BitLocker encryption. It can be managed with Active Directory and Group Policy, but installation and management are more cumbersome than third-party encryption products. BitLocker will also be available with Windows 7.
You can pay a premium for laptops with encrypted hard drives, which means you don't need to install client software on each machine. However, you still need software for key management and reporting.