Hard Drive Encryption Solutions For

Hard Drive Encryption Solutions For Mobile Devices

While mobile devices, such as laptops, notebooks and portable drives, offer unique benefits to both employees and employers, there are some security risks to consider. Here's how hard disk encryption solutions for these mobile devices can help.

In the modern workplace it is becoming more common for employees to be allowed to work where they are instead of within a confined or controlled office environment. A 2014 Forrester survey (Forrester’s Business Technographics Global Telecom and Mobility Workforce Survey, 2014) indicated that 52 percent of the current workforce takes their work outside the office at least a few times a month. With this comes a number of benefits to the worker (e.g. additional freedom and flexibility) and the employer (e.g. cost of keeping worker in the office, increased productivity). However, these scenarios also open the door to a number of different security threats.

To combat these security threats, companies must put into place security policies that are able to adequately mitigate the threats without forcing employees back into the office environment. One part of such security policy, which will be covered in this article, is the ability to encrypt the data that exists on the mobile devices workers use at home.

For the purposes of this article we will focus on laptops, notebooks and removable media (such as CDs, DVDs, Blu-Ray disks, and USB drives) and not smartphones and tablets, which are typically protected by enterprise mobility management (EMM) solutions.


The Cost Of Lost Information

There are several major risks that come along with allowing workers the freedom to use their devices outside of the office environment, including:
•The risk of that device connecting to rogue networks,
•The risk of the device being compromised physically,
•The risk of a device being lost or stolen.

Since today we're focusing on mobile device encryption, the major risk to mitigate involves the threat from a lost or stolen device. If a device gets into the wrong hands and the storage systems on that device are not encrypted, then the attacker has access to everything that exists on that device.

The cost of this type of information breach depends on the level of the employee who used that device, but the value of almost any internal information about a company can be quite high. According to the Ponemon Institute (The Cost of a Lost Laptop, Ponemon, 2009), the cost of a lost laptop is over $49,000 and that study was from 2009. In a 2014 study (2014 Cost of Data Breach Study: Global Analysis, Ponemon, 2014) Ponemon stated that the cost of a data breach per record exposed was $201. Just think about this number and imagine a million records being stolen. In the same study the research group estimated that the average organizational cost of a data breach was $5.85 million over 2 years. For most companies, this is a huge loss and underscores the potential for a data breach taking a company out of business.

Hard Drive Encryption Options


There are a couple of different options to choose from when selecting an encryption solution for your mobile devices. Any or all of these options can be used in combination with each other to cover all of the different potential mobile device scenarios that exist in a modern company.
•Whole Disk/Full Disk Encryption (FDE)


The first and most thorough of the available options is Whole Disk Encryption, Volume Encryption or Full Disk Encryption (FDE). When using this method of encryption, a drive is completely encrypted, including all of the operating system (OS) files and even the temp files created by certain applications. This solution requires that the user enter a passphrase before a device is allowed to boot (which can also be referred to as Pre-boot authentication). Without this passphrase, the device's drive information is typically useless (limited to the type of encryption used). Both Microsoft (BitLocker) and Apple (FileVault) have native encryption mechanisms that can be used to provide this functionality in their respective operating systems.
•File/Folder Encryption

Another method is File and/or Folder encryption. When using this method only a targeted file or folder is encrypted and decrypted when an authentication method succeeds. This type of encryption is reliant on a system for authentication, which can be a proprietary solution, Windows Authentication, or another open option (Certificates); it depends on the solution.
•Encryption for Removable Drives

Finally, the third option is encryption for removable drives. While some companies simply don't allow the use of removable devices, for those that do a reliable solution is important as it is much easier to lose a flash drive than it is to lose an entire laptop. These solutions also offer the ability to encrypt information with a specific destination individual or group in mind; the information is then encrypted for that individual or group alone.

Encryption Features And Support

There are a number of different features that are supported by these encryption options. The following are some of the major features to look for in a solution:
•Support for Self-Encryption Drives (SED) -- This includes support in a product of drives that automatically encrypt everything. This encryption is always on and begins at the factory when the drive is manufactured.
•Support for Native Encryption -- Both Microsoft and Apple have built in Whole Disk Encryption options, which can perform better than alternative options, into their operating systems. Many data encryption products offer support for the management/integration with these features.
•Support for Software Encryption -- While having the most recent equipment is nice, many businesses are still running systems that are a bit older and don't support SED or native OS solutions. Here where a software only solution that provides the ability to support these types of devices comes useful.
•Multi-Factor Support -- While a highly secure password is typically suitable for protecting information, the addition of a secondary mechanism of authentication can also be used. These solutions are referred to as multi-factor, or two two-step solutions where a password is used in combination with a token or smartcard.
•FIPS 140-2 Compliant -- The National Institute of Standards and Technology (NIST) issued the Federal Information Processing Standard (FIPS) 140-2 publication to coordinate a series of requirements and standards for both hardware and software. The FIPS 140-2 evaluation of products implementing encryption is required for sale to the Federal government.
•Common Criteria EAL+ Compliant -- Like FIPS 140-2, the Common Criteria (CC) Evaluation Assurance Levels are used to indicate a level of assurance that a product meets a minimum level of CC assurance.
•Cloud Support -- This involves product support for the common commercial cloud providers. Since many workers use cloud services it is an important addition to extend authentication to these services to make sure it does not become an easy target for potential attackers.
•MDM Support -- An important piece of any solution is going to be its integration with a Mobile Device Management (MDM) offering that provides security and policy solutions for mobile phones and tablets.

Now that we've examined the different mobile device encryption options and what to look for in an encryption solution to ensure that security is maintained, page two outlines the top five mobile device encryption solutions on the market today and what they offer to help alleviate this problem.