Overview: Four application scenarios for full disk encryption technology
In this article, expert Karen Scarfone focuses on the advantages of FDE and its application scenarios to help enterprises determine whether this storage encryption technology is really needed.
Full disk encryption (FDE) is a storage encryption technology that, as its name suggests, encrypts the entire hard drive of a desktop, laptop, or server. This means that while the computer is powered off, its operating system (OS), applications, and user data are protected from unauthorized access.
When someone tries to boot the operating system, the user or administrator must first authenticate successfully. This is called pre-boot authentication (PBA). Once PBA succeeds, the operating system boots and all of its functions, applications, and data become accessible.
Traditionally, enterprises have used FDE only on the devices that access or store sensitive data, as a minimum. Although this sounds reasonable, many companies deploy FDE on all of their desktops and laptops because they mistakenly believe that doing so provides more protection in itself.
Whether FDE is suitable for an enterprise's systems depends entirely on the threats the enterprise is trying to block. Loss or theft of devices, theft of server data, operating system tampering, and access to sensitive data by malware are the four scenarios that FDE is well suited to address.
Scenario 1: prevent loss or theft of computing devices
The most common reason for deploying FDE is to stop attackers from gaining unauthorized access to sensitive data on lost or stolen laptops or mobile devices.
Over the years, the media have reported many incidents of lost or stolen laptops containing millions of unprotected customer records. These are treated as actual data breaches because no one can tell whether an attacker has accessed the sensitive data. A single breach can cost an enterprise millions of dollars in recovery costs and reputational damage.
Given the severity of these breaches, it makes sense for enterprises to deploy FDE to protect the sensitive data on their laptops. Data then remains safe when a laptop is lost or stolen, because the device is protected by FDE. This helps enterprises prevent data breaches and avoid the media coverage that follows a lost or stolen laptop.
Many enterprises have extended this basic principle (using FDE to protect sensitive data) by deploying FDE on all of their laptops, and sometimes on desktops as well, because they cannot determine with certainty which devices contain sensitive information. Identifying those devices is a common and difficult problem, and requiring FDE on every laptop sidesteps it.
For example, if FDE is deployed automatically to all laptops, the enterprise does not need to add it to an already deployed laptop before a user first accesses sensitive data, which would otherwise cause unnecessary delays. In addition, when FDE is deployed across the whole environment, a lost or stolen laptop causes no panic: there is no need to determine whether the device was protected by FDE and, if not, whether it had been used to access sensitive data that might still reside on it.
Note that FDE is generally based on the assumption that the device is powered off when not in use. This is a problem for laptops, which are usually left in sleep or standby mode. Depending on the product and configuration used, FDE may or may not protect a laptop in these states.
The IT department should test for itself whether the FDE products it is considering protect sensitive data on devices in sleep or standby mode. If they do not, it may need to consider other methods, or enforce a policy that prohibits the use of standby or sleep mode on laptops.
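As an added illustration (constructed here, not code from the article or from any FDE product) of the PBA process described above and the sleep/standby caveat: the volume key is unwrapped only after pre-boot authentication, stays resident in RAM while the device sleeps, and is discarded on shutdown. The HMAC-based cipher, the KDF parameters, and the `EncryptedDisk` class are simplified assumptions.

```python
import hashlib
import hmac
import os

def keystream_xor(key, nonce, data):
    # HMAC-SHA256 in counter mode; stand-in for the AES-XTS a real FDE product uses
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def derive_kek(passphrase, salt):
    # key-encryption key from the PBA passphrase; slow KDF resists offline guessing
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

class EncryptedDisk:
    def __init__(self, passphrase, plaintext):
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        vk = os.urandom(32)                          # volume key, never stored in clear
        self.wrapped_vk = keystream_xor(derive_kek(passphrase, self.salt), self.salt, vk)
        self.vk_check = hashlib.sha256(vk).digest()  # lets PBA reject a wrong passphrase
        self.ciphertext = keystream_xor(vk, self.nonce, plaintext)
        self._vk = None                              # RAM copy of the key; None when off

    def pre_boot_auth(self, passphrase):
        vk = keystream_xor(derive_kek(passphrase, self.salt), self.salt, self.wrapped_vk)
        if not hmac.compare_digest(hashlib.sha256(vk).digest(), self.vk_check):
            return False                             # wrong passphrase: OS does not boot
        self._vk = vk                                # OS boots; key now resident in RAM
        return True

    def read(self):
        # what the running OS, and any malware on it, can read from the disk
        return None if self._vk is None else keystream_xor(self._vk, self.nonce, self.ciphertext)

    def sleep(self):
        pass                                         # suspend-to-RAM: key stays resident
    def shutdown(self):
        self._vk = None                              # power off: key gone until next PBA

def lifecycle_demo():
    disk = EncryptedDisk("correct horse", b"customer records (constructed sample)")
    r = {"powered_off": disk.read(), "bad_pba": disk.pre_boot_auth("guess")}
    r["good_pba"] = disk.pre_boot_auth("correct horse")
    r["booted"] = disk.read()
    disk.sleep(); r["asleep"] = disk.read()          # still readable: sleep is not off
    disk.shutdown(); r["off"] = disk.read()
    return r
```

The `asleep` result is the point of the caveat above: a sleeping device reads exactly like a booted one, so FDE adds nothing until the key is actually discarded.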
Non-FDE methods for addressing loss or theft of computing devices
The non-FDE approach to device loss or theft is to architect the IT infrastructure, including applications and databases, so that all sensitive data is stored centrally and none of it, whether directly or indirectly (for example, as residual data), is stored locally on laptops, desktops, and other devices.
Data loss prevention (DLP) and other technologies can help ensure that sensitive data is not transferred to removable media, printed, copied and pasted into other documents, or otherwise leaked from the centralized store.
Enterprises that choose this approach instead of FDE must carefully inspect and test it to confirm its effectiveness. If data can still leak onto devices, the loss or theft of a device may still cause a major breach.
Scenario 2: prevent server data theft
Sometimes enterprises choose to use FDE on their server hard drives. This protects the contents of the drives while the server is powered off, for example when it is shipped from one location to another.
This is not a common situation for some enterprises, but it is common for enterprises with branch offices that run their own servers: technicians may need to transport hard drives between locations, and servers may be moved from one physical site to another during disaster recovery.
For these reasons, enterprises can use FDE on server hard drives to provide assurance during such shipments.
Scenario 3: prevent unauthorized OS tampering
Although most people know that FDE can prevent the exposure of sensitive data when a device is lost or stolen, it can also prevent operating system tampering.
For example, an attacker may gain brief physical access to a laptop or desktop that is not protected by FDE. Using a variety of methods, including exploiting operating system vulnerabilities and using forensic tools, the attacker can modify the executable files, configuration, permissions, and other attributes of the operating system. The attacker can then return the device to where it was and maintain remote access to it through malware embedded in operating system executables.
This is not a common threat, but in enterprises with particularly high security requirements it alone is reason enough to use FDE on desktops and laptops.
Again, note that FDE only protects a device while it is powered off; once the device is booted, FDE cannot prevent malware infection or manipulation of the operating system. To prevent and respond to such situations, enterprises need anti-malware technologies such as antivirus software and malware analysis tools; vulnerability management, including patch management, to eliminate known vulnerabilities in operating systems and applications; and strong authentication and access control configuration to ensure that only authorized administrators can change operating system files and settings.
Scenario 4: complementary technologies are needed for comprehensive protection against malware
Perhaps the most common threat to enterprise systems is malware that attempts to access sensitive data stored on local desktops or laptops. Once the device is booted, however, FDE cannot block such malware at all. Other forms of storage encryption can help here.
These technologies include virtual disk encryption, volume encryption, and file encryption, which can protect the confidentiality and integrity of data even when the device is fully booted. Many enterprises that store sensitive data on their laptops and desktops choose these technologies alongside FDE to provide an additional layer of protection, especially against malware.
Summary
FDE effectively counters certain types of threats. Specifically, it helps prevent unauthorized access to sensitive data on lost or stolen desktops, laptops, and servers.
Besides FDE, there are alternative technologies that prevent sensitive data from being stored locally in the first place. However, these alternatives do not cover everything FDE does: FDE provides an additional layer of protection because it prevents attackers from altering operating system or application executables on a device that is powered off.
FDE cannot, however, protect data or executable files on a device that is in use. Enterprises considering FDE should therefore carefully weigh the threats they are trying to address and combine FDE with other complementary security technologies.