AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Desktop Encryption Software: Encrypting Hard Drives For Better Data Security

  • Form factor is not security.  At least not anymore
  • Two ways of protecting desktop computer data: disk and file encryption

Form Factor is Not Security

Why are laws passed that advocate the use of drive encryption software on laptop computers and other portable data devices, but not for desktop computers?  Massachusetts, for example, passed a law -- 201 CMR 17.00 -- that requires the use of laptop encryption on any portable computers that store sensitive data.

The reason?  To prevent data breach incidents that lead to ID theft and other forms of fraud, which have been increasing each year in geometric fashion.  The law even covers sensitive data stored on backup tapes and small portable devices.  However, no such requirement exists for desktop computers.

This omission (or exclusion) of desktop computers seems to imply that desktop computer encryption is not necessary because such computers won't be stolen.  What other conclusion is one supposed to arrive at, when other computing devices are singled out by name?

While I cannot fathom that this is what legislators intended, if such erroneous reasoning was behind the exclusion, I've got to point out two things.  First, today's desktops are nothing like desktop computers from 10 years ago. I mean, take a look at these specs:

          Mini Tower             Slim Tower
Height    14.57" (370mm)         14.69" (373mm)
Width     6.69" (170mm)          4.17" (106mm)
Depth     16.8" (427mm)          17.20" (437mm)
Weight    ~13.45lbs (6.1 kg)     ~12.79lbs (5.8 kg)

These are sizes and weights of a couple of desktop machines on sale at the Dell website.  The fact is that today's desktop computers are far smaller and lighter than they've ever been.  Desktop machines are not hard to steal for the average person, especially with similar specs to the above.

Plus, their storage capacity is often much larger than what is generally found on laptop computers.  The larger the capacity, the more information you can store on it, including sensitive data, meaning the odds of having a severe data breach are higher.

And yet, it's only laptops that are required to be encrypted?

I guess it makes sense when you consider that most laptops are moved about because they come with a screen and a trackpad/mouse attached, but desktops -- even when they are as light as the two models featured above -- generally aren't moved around because you'd also need to carry a monitor and accessories.  This implies that a laptop could go missing or be stolen from just about anywhere, whereas the theft of a desktop computer needs to occur at the office or wherever that desktop machine is normally stationed.

This brings me to my second observation. Desktop computers get stolen, and not just once in a blue moon: when offices are being moved, during break-ins, because employees steal them, etc.  It's happened in the past, and it's bound to happen in the future (especially since they're so much smaller than they used to be and, hence, "portable").  The fact that desktop computers don't get moved about often does not imply that they're immune from data breaches.

For example, here are 5 blog posts on situations where desktop computers were stolen, brimming with sensitive information:

I would've listed more, but there are just too many of them.  And, if you'd like proof from some other source, take a look at the HHS.gov site.  As of today, a search for "desktop" shows 38 breaches, whereas "laptop" shows 60 breaches (there is some overlap).  I should note that "paper records" runs a close 52 breaches.

Disk and File Encryption

OK, so you get it: desktop encryption software is as necessary as laptop encryption software.  So what is available?

There are roughly two ways of encrypting data on a computer.

One is the use of full disk encryption, where the hard drive of a computer is encrypted wholly, as the name implies.  The other is the use of file encryption, where individual files are encrypted.  There are pros and cons to each.

Disk encryption software allows one to set up encryption and forget about it, except during the short process when a computer has to be booted up: encryption programs like AlertBoot require the correct username and password to be typed when a computer is turned on.  This is known as power-on authentication or pre-boot authentication, and means that without the correct credentials, the computer will not even start up!

Once you get past the authentication portion, the computer behaves like any ordinary computer.  When you shut down your computer, the encryption kicks back in, meaning the contents of your computer are protected.  You should note what this implies: full disk encryption does not provide you with encryption protection while the computer is up and running.  I often compared this aspect to a safe with the door open: as long as you're accessing the safe's contents, it cannot protect what's within its walls.

What if you need to protect sensitive files while the computer is up and running?  Then you'll have to turn your sights to file encryption.  As the name implies, this is when files are individually protected, as opposed to wholesale protection like disk encryption.  File encryption also falls prey to the "open safe" syndrome, in that a file you're accessing is not protected anymore: in order to read it, you have to decrypt it, however temporarily.

But, unlike disk encryption, it means a limited number of files are left unprotected at any given time (the minimum being one file).  Knowing this, why would anyone choose disk encryption over file encryption?  Well, to begin with, perhaps you don't feel like typing in the same password each time you have to open up a file.  What if you have to work with 25 separate files today?

Or, perhaps you have hundreds of files you have to deal with.  Not only does that mean hundreds of passwords typed, you also have to go through the process of encrypting each one of those files.  Now, there are programs out there that will make your life easier by automatically encrypting any and all files of a certain type, such as all Excel spreadsheets.  But, do this for a number of files, and you begin to wonder: well, isn't this what disk encryption is all about?

In my opinion, the two are meant to be complementary: disk encryption as general-purpose encryption, and file encryption to further protect those files that definitely need protection when something goes awry.  That is why AlertBoot gives you both, to better enhance your computer security.

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.