A Survey of Current Workstation Encryption Technologies for the Enterprise 1
A Survey of Current Workstation Encryption Technologies for the Enterprise
Zanita D. Robinson
East Carolina University
Author Note:
Zanita D. Robinson, Department of Technology Systems, East Carolina University
Correspondence concerning this document should be addressed to Zanita D. Robinson,
Department of Technology Systems, East Carolina University, Greenville, NC 27858
ABSTRACT
Data protection and security is fast becoming one of the greatest concerns for the enterprise
information technology infrastructure. With every technological advance that enables greater
system security and dependence, new vulnerabilities are created, waiting to be exploited
by individuals of malicious intent. Financial data, medical records, intellectual property, and
national defense information all face the possibility of theft or modification. With identity theft
on the rise, new federal and state level mandates necessitate strict compliance for protecting
personal identifiable information and stiff penalties are incurred when data breaches are
encountered. A single stolen laptop could potentially cost an organization millions in fines and
legal action alone, as well as irreparable damage to organizational brand. As a result, many
companies are looking to data encryption solutions to mitigate the threat of exposure, with an
overwhelming emphasis on protecting the most exposed endpoints – desktops and laptops.
However, with so many different options for encryption solutions, the task of identifying what is
best for any one organization must be given careful consideration.
The focus of this survey is to identify the current desktop encryption technologies that are
available for the enterprise. It will focus on file and folder level encryption, virtual disk and
volume encryption, and full disk encryption solutions. It will also provide a comparison of
product offerings from various vendors in the industry. This study will present the factors that
should be considered when determining which solution is best for a single organization. Finally,
it will discuss best practices to ensure maximum security.
Keywords: encryption, full disk, virtual disk, file and folder encryption, volume encryption,
personal identifiable information, encryption vendors
INTRODUCTION
Within the past decade, there has been a significant increase in the amount and types of digital
data stored and transmitted within both the private and public sectors. As the shift to
computerization is accelerated, there is a growing push to make more information available via
electronic means. The purpose is to allow for greater accessibility, an increase in productivity,
greater competitiveness, and the reduction of costs. A major example of this effort was seen when
the Obama administration pushed for the computerization of all health care records by 2014 in
the 2008 Stimulus Bill (McCullagh, 2008). Another example is seen in every financial
organization in this country that maintains its customers’ data and transactions in electronic
form. Educational systems maintain computerized records to track student progress and
demographic information. More and more businesses are moving to computerized databases
with customer information, including financial data, spending habits, and lifestyle preferences.
The US government is even pushing toward a National Identification System (NID) to provide
“clear and efficient administration to government and convenient public services to citizen and
company (National IT Industry Promotion Agency, 2009).” However, by making so much data
readily available via computerized means, that data becomes more vulnerable to theft,
corruption, and manipulation. Thus there is a greater need for tighter security controls to ensure
data confidentiality, integrity and availability.
The need for tighter security can be seen in cases such as the stolen laptop from Ameriprise
Financial that contained lists of personal information on over 230,000 customers and advisers.
The information lost in this case included names and Social Security numbers for financial
advisers and account information for over 158,000 customers (Dash, 2006). The need for
security control is also seen in the case of the stolen Veterans Administration laptop that held
sensitive personal data for 26.5 million veterans and 2.2 million service members. In this case,
the breach eventually cost the VA $48 million in notification and class action lawsuit (Hoover,
2010). The case of the stolen computer hard drive from a Georgetown University desktop in
2008 demonstrates that even “stationary” equipment must be protected (Kinzie, 2008). Table 1
details some of the major data breaches in the latter part of 2010 involving computers as reported
by Privacy Rights Clearinghouse.
Date of Disclosure | Organization | No. of Records | Description
--- | --- | --- | ---
November 16, 2010 | Messiah College, Grantham, PA | 43,000 | External hard drive was lost or stolen; included social security numbers,
dates of birth and transcripts for current, former and prospective students
November 12, 2010 | Visiting Nurse Association of Southeastern Connecticut, Waterford, CT | 12,000 | Laptop was stolen from a nurse’s car parked at her home on September 30, 2010; contained patient names, addresses, and medical information
October 14, 2010 | Accomack County Virginia residents, Accomack, VA | 35,000 | Laptop stolen containing names, social security numbers, and address information of Accomack County residents
September 23, 2010 | Alaskan AIDS Assistance Association (Four A’s), Anchorage, AK | 2,000 | A data storage device was stolen from Four A’s executive director’s car containing patient names, contact information and social security numbers
September 16, 2010 | SanDiegoFit.com, San Diego, CA | Unknown | Computer with customer information was stolen from the building August 30, 2010
September 7, 2010 | City University of New York, New York, NY | 7,000 | Computer with student information which included names and social security numbers was stolen.

Table 1: Various Major Data Breaches between September and November 2010 Involving Computers
Greater awareness has begun to surface for the value of data, from financial transactions and
corporate secrets to personal identifiable information (National Institute of Standards and
Technology SP800-122, 2010). With identity theft on the rise, lawmakers have become attuned
to the need to protect the privacy of their citizens from unauthorized data disclosure. As a result,
federal legislation has been enacted with the purpose to “protect personally identifiable
information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized
access or other situations where unauthorized persons have access or potential access to such
information for unauthorized purposes (Stevens, 2010).” These laws include the Privacy Act,
Federal Information Security Management Act, Health Insurance Portability and Accountability
Act (HIPAA), the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. In addition,
forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have all passed
legislation that requires notification of security breaches pertaining to personal information
(National Conference of State Legislatures, 2010). Many of these laws include civil penalties
and damages that must be paid in the event of a breach. In addition, notification of any breach
damages consumer trust and causes companies to lose business. For these reasons, many
companies are looking to encryption solutions to provide data protection.
But what is encryption? According to a definition presented by BusinessDictionary.com,
encryption is “scrambling sensitive information so that it becomes unreadable to everyone except
the intended recipient.” Encryption can be performed via hardware or software implementations.
The process of encryption involves a series of mathematical operations which incorporate
algorithms to generate the encrypted data using a secret key (see Figure 1). In order to decrypt
the information, a recipient must be in possession of the corresponding key to convert the cipher
text back to its original format. Thus, encrypting information provides a means of securing that
data (US Department of Commerce FIPS PUB 41, 1975).
Figure 1: The Encryption Process
From an organizational standpoint, encryption is a layer of assurance that confidential
information is not disclosed to unauthorized individuals. Even if the equipment is stolen, a
system that has been encrypted with a strong cipher prevents intruders from accessing the data.
Thus, the loss is limited to the cost of the equipment itself. In fact, most legislation excuses
organizations from any disclosure in the event of theft if audit records show that the drive
was encrypted (Schaaf, 2007). The question is no longer whether or not to encrypt; the question
is which implementation is right for each individual enterprise.
There are many vendors that offer various types of encryption implementations on the market.
Some products perform encryption on a file or folder basis, while others encrypt all the contents
on the hard drive. There are some products that create a virtual disk or volume for “on-the-fly”
encryption. Before any decision is made to move forward with an encryption strategy, one must
have a clear understanding of the benefits and drawbacks that each solution presents.
FILE AND FOLDER ENCRYPTION
According to the National Institute of Standards and Technology, file encryption is “the process
of encrypting individual files on a storage medium and permitting access to the encrypted data
only after proper authentication is provided.” Folder encryption operates similarly to file
encryption, but it relates to individual folders instead of files (National Institute of Standards and
Technology SP 800-111, 2007). This type of encryption may be built into the Operating System,
or it can be installed with third party applications. The nature of this encryption method allows
for an especially granular amount of control for specifying information to be encrypted (“File or
Folder level Encryption Pros and Cons,” 2008). Data that poses no security risk can be left
unencrypted. This is a major advantage, as it makes the encryption process fast and efficient.
Because the CPU is not constantly encrypting and decrypting information for files that don’t
require encryption, there is a reduced impact on its load. However, the names of files or folders
encrypted using this method are visible to anyone with access to the filesystem. Metadata is
also visible unless some sort of access control mechanism prevents it within the operating
system.
Another major advantage of file and folder encryption is that files maintain their encrypted state
when moved off the storage location. This feature is referred to as “persistent encryption” and is
a major benefit for those who wish to share sensitive information while maintaining a high level
of security (Bosen, 2008). Protected files stay protected until an authorized program or plug-in
decrypts the data. Non-authorized programs are unable to read the data. Even spyware is unable
to obtain a protected file from the disk. This allows files to be sent via email, instant message, or
to be transferred via USB device and still maintain the encrypted attribute.
A third advantage to file and folder encryption lies in the ease of deployment (“File and Disk
Encryption,” n.d.). As encryption is applied to only selected files, there is less risk for losing
data due to an error in technology or implementation. This is a sharp contrast to the fears that
users might endure with full disk encryption, in which the entire disk is encrypted and corruption
could lead to total data loss.
Despite the many advantages to using file and folder level encryption, there are several
disadvantages that should be considered. One major disadvantage is that the entire system is
prone to human weaknesses. This is because the decision to encrypt or not to encrypt lies
squarely with the user. Should a person forget or refuse to encrypt, confidential information
could be at risk. As stated in an article by Randy Nash in the InformIT publication, “relying on
people doesn’t provide good security (2008).” No matter what policies you have in place to state
that sensitive information must remain encrypted, users will still have a choice in adhering to
those policies. From an enterprise standpoint, this risk must be considered carefully.
Another disadvantage to file and folder encryption lies in key management. With file and folder
encryption, each file or folder is usually encrypted with a different key. Even if the same
password is used for all files, it is hard to change all of the documents simultaneously (Tyurin,
2004). Even though this feature makes it difficult for someone to obtain access to all files by
cracking one password, it may be difficult for an individual to maintain. Therefore the risk of
data loss is greater. Furthermore, the lack of centralized key management makes recovery more
difficult.
Freeware
Product: GnuPG
Website: http://www.gnupg.org/
GnuPG is a free implementation of the OpenPGP standard that enables you to encrypt and sign
data communications. It features a command-line utility that easily integrates with various
applications and operating systems, including Linux, Mac OS X, and Windows
95/98/NT/2000/ME/XP. It supports various encryption algorithms, including RSA, ElGamal,
AES, 3DES, and Blowfish just to name a few. Figure 2 is a view of the GnuPG main window.
Figure 2: GnuPG Main Window
Product: Mcrypt
Website: http://mcrypt.sourceforge.net/
Another open-source application for encryption is Mcrypt. Mcrypt was created as a
replacement for the old Unix crypt utility, which was a popular file encryption program on UNIX
systems. Because it was based on the Enigma rotor cipher, crypt was considered trivial to break. Thus Mcrypt
was created to use more modern block encryption algorithms, including Blowfish, Twofish,
DES, 3DES, RC2, and Rijndael (and several other algorithms).
Encrypting Filesystems
There are many file and folder encryption products available on the market. However, many
Operating Systems have file encryption technologies built in. For example, Microsoft Windows 2000 and
XP have the Encrypting File System (EFS) built into the NTFS filesystem. Figure 3 shows how
EFS allows encryption to be set by modifying the advanced attributes of each file (Bragg,
2010). EncFS is another encryption technology, available on Linux systems through FUSE.
It runs without any special permissions and uses the FUSE kernel module and library to provide
the filesystem interface (“EncFS Encrypted Filesystem,” n.d.). Solaris
systems with ZFS filesystem also have built in encryption that allows blocks to be encrypted
using AES (Moffat, 2010). Some other notable general-purpose filesystems with encryption
include Novell Storage Services, AdvFS, and EVFS.
Figure 3: Enabling Encryption with EFS
Commercial File/Folder Encryption Products
Product: Lock-iT
Website: http://www.iconlockit.com/
There are also a multitude of commercial applications to provide file and folder encryption.
Lock-iT is one easy to use package that allows you the flexibility to define user and group rights.
Files are encrypted when a file is dragged and dropped into the Lock-iT user interface. It gives
you the flexibility to lock an individual file, multiple files, or a folder itself. Figure 4 shows the
user-friendly interface that allows for quick and easy encryption. Lock-iT is supported on
Windows NT, 2000, and XP.
Figure 4: Lock-iT interface
Product: Advanced Encryption Package (AEP)
Website: http://www.secureaction.com/encryption_pro/
Advanced Encryption Package (AEP) is file encryption software that uses both symmetric and
asymmetric algorithms, allows for the storage of encryption/decryption keys on USB flash
devices, and enables secure file deletion. Figure 5 shows the AEP interface, which tests the
strength of a password as it is keyed. AEP uses 20 encryption algorithms (including AES-256),
and allows for the creation of self-decrypting versions of your encrypted files. Supported
configurations include Windows XP, Vista and 7.
Figure 5: AEP User interface
VIRTUAL DISK AND VOLUME ENCRYPTION
When virtual disk encryption is used, data is held inaccessible in containers until the user is
authenticated to the appropriate container. A container is a single file located within a logical
volume. A container may hold many files and folders and is typically mounted as a virtual disk.
It can be used on all types of end user device storage, including desktops, SANs, and external
media. Virtual disk encryption is often referred to as “on-the-fly” encryption. Volume
encryption is similar to virtual disk encryption, except that it is the encryption of an entire logical
volume. Access is permitted on the volume after proper authentication is established on the
particular volume. Implementations of volume encryption are most often seen on hard drive data
volumes and volume-based removable media (National Institute of Standards and Technology
SP 800-111, 2007).
A key difference between virtual disk and volume encryption is that containers are portable and
volumes are not. With this quality, virtual disk protection allows containers to be burned to
media that is not volume based, such as CDs and DVDs. It also allows selective encryption
within the volume.
With virtual disk and volume encryption, a single sign-on solution can be configured to allow
access to the protected volumes upon sign-on to the workstation. While this method may add
convenience to the user experience, it also creates a vulnerability: once authentication has
been provided to the system, all encrypted containers/volumes are accessible (McDermott, Will
& Emery, 2009).
In selecting a virtual disk or volume encryption solution, it is important to note that user
responsibility may vary between vendors. Some solutions may enforce that a user can only write
files to the encrypted container or volume. However, some solutions hold the user accountable
to place sensitive data directly into the container or volume. In these cases, if a user fails to
follow the required procedures, then data will be unprotected.
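As an added illustration (constructed for this survey, not code from TrueCrypt, BitLocker or any other product named here), the following Ruby program models how such a container is put together: a header holds a random master key wrapped by a password-derived key, and each 512-byte sector is encrypted with AES-CBC under an IV derived from the sector number, so any sector can be read or rewritten on the fly. Because the sectors are keyed by the master key rather than the password, changing the password only re-wraps the header, which is exactly the key-management difficulty noted above for per-file encryption. It assumes Ruby's standard OpenSSL binding, and it carries no integrity tag and no diffuser, so it should be read as a model of the layout rather than a product design.

```ruby
require 'openssl'

# In-memory model of an encrypted virtual-disk container: a header (salt, nonce,
# master key wrapped with AES-256-GCM under a password-derived key) followed by
# fixed-size ciphertext sectors. Nothing in the sectors depends on the password.
class Container
  SECTOR = 512 # 32 AES blocks, so CBC needs no padding
  attr_reader :sectors

  def initialize(password, sector_count)
    @sectors = Array.new(sector_count) # nil until first written
    wrap_master_key(password, OpenSSL::Random.random_bytes(64))
  end

  # Stretches the password into the 32-byte key-encryption key.
  def kek(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest.new('SHA256'))
  end

  # Seals the master key under a fresh salt and nonce. GCM's tag is what later
  # lets #mount reject a wrong password without touching a single data sector.
  def wrap_master_key(password, mk)
    @salt = OpenSSL::Random.random_bytes(16)
    @nonce = OpenSSL::Random.random_bytes(12)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = kek(password, @salt)
    c.iv = @nonce
    c.auth_data = ''
    @wrapped_mk = c.update(mk) + c.final + c.auth_tag # ciphertext || 16-byte tag
  end

  # Unwraps the master key and returns a mounted Volume, or nil when the
  # password is wrong or the header has been tampered with.
  def mount(password)
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = kek(password, @salt)
    d.iv = @nonce
    d.auth_tag = @wrapped_mk[-16, 16]
    d.auth_data = ''
    Volume.new(self, d.update(@wrapped_mk[0, @wrapped_mk.bytesize - 16]) + d.final)
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end

# A mounted container; the unwrapped master key lives only here, in memory.
class Volume
  def initialize(container, mk)
    @c = container
    @mk = mk
    @data_key = mk[0, 32]   # AES-256-CBC for sector contents
    @tweak_key = mk[32, 32] # AES-256 that derives each sector's IV
  end

  # Re-wraps the same master key under a new password: only the header changes,
  # no ciphertext sector is rewritten.
  def change_password(new_password)
    @c.wrap_master_key(new_password, @mk)
  end

  # ESSIV-style IV: the sector number encrypted under the tweak key, so equal
  # plaintext in two sectors differs on disk and any sector can be rewritten alone.
  def sector_iv(n)
    e = OpenSSL::Cipher.new('aes-256-ecb').encrypt
    e.key = @tweak_key
    e.padding = 0
    e.update([n].pack('Q<') + "\0" * 8) + e.final
  end

  def cbc(n, encrypting)
    c = OpenSSL::Cipher.new('aes-256-cbc')
    encrypting ? c.encrypt : c.decrypt
    c.key = @data_key
    c.iv = sector_iv(n)
    c.padding = 0
    c
  end

  def check_index(n)
    raise ArgumentError, 'bad sector number' unless n.between?(0, @c.sectors.size - 1)
  end

  # Encrypts exactly one sector. There is no integrity tag, which is why disk
  # encryption by itself does not detect tampering with the stored sectors.
  def write_sector(n, plain)
    check_index(n)
    raise ArgumentError, 'a sector is exactly 512 bytes' unless plain.bytesize == Container::SECTOR
    c = cbc(n, true)
    @c.sectors[n] = c.update(plain) + c.final
  end

  # Decrypts one sector on the fly; a never-written sector reads as zeros.
  def read_sector(n)
    check_index(n)
    return "\0".b * Container::SECTOR if @c.sectors[n].nil?
    c = cbc(n, false)
    c.update(@c.sectors[n]) + c.final
  end
end
```

The same header-plus-sectors split is what lets a real product change or recover a passphrase without re-encrypting the whole disk.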
Freeware
Product: TrueCrypt
Website: http://www.truecrypt.org/
There are a number of open source options for virtual disk and volume encryption. One example is
TrueCrypt, which promotes free open-source on-the-fly encryption. With TrueCrypt, encryption
is automatic, real time and transparent. It creates a virtual encrypted disk within a file and
mounts it as if it were a real disk. TrueCrypt provides plausible deniability with the use of hidden
volumes and hidden operating systems to protect against situations in which an adversary forces
you to reveal the password. Encryption algorithms used with TrueCrypt include AES, Serpent,
and Twofish, just to name a few. Furthermore, the program supports a variety of operating
environments, including Windows XP/Vista/7, Mac OS X and Linux. Figure 6 displays how the
easy to use interface makes it simple to mount and dismount an encrypted volume or container.
Figure 6: TrueCrypt Main Window Interface
Product: FreeOTFE
Website: http://www.freeotfe.org/
FreeOTFE is another open source application that enables virtual disk encryption for PCs
running Windows, and on personal digital assistants (PDAs) running Windows Mobile
(“FreeOTFE,” 2010). FreeOTFE also includes support for encrypted Linux volumes. It is
highly portable in that a system can access FreeOTFE volumes without installing any
software. It supports numerous hash algorithms, including SHA-512, RIPEMD-320 and Tiger.
It also supports encryption algorithms such as AES, Twofish and Serpent in various modes.
Figure 7 shows the Volume Properties Dialog, which allows you to specify the main cipher
and device path.
Figure 7: FreeOTFE Volume Properties Dialog Box
Product: Cryptainer LE
Website: http://www.cypherix.co.uk/cryptainerle/
Cryptainer LE is yet another free encryption program that uses virtual disk encryption. This
software creates an encrypted container that can store any type of data with simple drag and drop
operation. It runs a 128-bit implementation of the Blowfish algorithm in CBC mode with a
block size of 64 bytes. Cryptainer is compatible with Windows (95/98/ME/2000/2003
Server/XP/Vista/7) operating systems only. Figure 8 is an example of the Cryptainer Volume
Details window.
Figure 8: Cryptainer Volume Details Window
Volume Encryption in the Operating System
Product: BitLocker
Website: http://www.microsoft.com/india/windows/windows-vista/features/bitlocker.aspx
With the release of Windows Vista, Microsoft included BitLocker to enable volume data
encryption. It has since then been incorporated into the Windows 7 and Windows Server 2008.
BitLocker is Microsoft’s response to frequent customer requests for data protection that is tightly
integrated into the Windows Operating System. By default, BitLocker uses the AES encryption
algorithm in CBC mode with a 128-bit key. This is combined with the Elephant diffuser, which adds
disk-encryption-specific protection that AES alone does not provide (“BitLocker Drive
Encryption,” 2010). Figure 9 displays how BitLocker can be enabled directly from the
Windows Control Panel.
Figure 9: BitLocker Control Panel Option
Product: FileVault
Website: http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1877.html
Mac OS X is another operating system that includes a volume encryption component. FileVault
allows a user to encrypt information in the home folder. It creates a separate volume for the
folder and encrypts the contents of it. FileVault uses AES 128-bit encryption. With FileVault,
other users that log on to the workstation will not be able to see the contents of the home folder.
To enable FileVault protection, you must be an administrator on the computer, or enlist the
assistance of an administrator. Figure 10 displays the master password screen that enables
FileVault protection.
Figure 10: FileVault Master Password Creation Screen
Other Third Party Volume and Virtual Disk Encryption Products
Product: GiliSoft Private Disk
Website: http://www.gilisoft.com/product-private-disk.htm
GiliSoft Private Disk is encryption software that promotes transparent encryption through the use
of virtual hard drives. Files are stored in encrypted form on the virtual drive with password
authentication, but are decrypted on-the-fly when requested by any application. Private Disk is
compatible with Windows 2000/2003/XP/Vista and 7, and it even works with DOS applications.
As displayed in Figure 11, GiliSoft offers an easy to use wizard to mount or dismount a
protected drive.
Figure 11: Private Disk Wizard
Product: SafeBit Disk Encryption
Website: http://www.safebit.net/
SafeBit Disk Encryption is another product featuring on-the-fly encryption. SafeBit creates
encrypted virtual disk drives in which a user can hide files and folders. It employs strong AES
256-bit encryption. “Safes” can be created on a local or external hard disk, USB device,
CD/DVD, and over the network. It includes a “Virtual Keyboard,” which allows you to enter
passwords in a way that is invulnerable to key logger software attacks. It also includes an
automatic closure feature that closes the safe when the user is away from the
computer. SafeBit is compatible with the Windows (98/ME/2000, or XP) operating system.
SafeBit also has an intuitive user interface, as shown in Figure 12, which makes it friendly for
beginners and powerful for experienced experts.
Figure 12: SafeBit Main Page
FULL DISK ENCRYPTION
Full disk encryption (FDE), also known as whole disk encryption, is the process of encrypting all
content on the hard drive used to boot a computer, including the computer’s operating system.
Access is only granted to the data after successful pre-boot authentication to the FDE product.
Once successful authentication is obtained, the boot sector and operating system are decrypted,
allowing a user to access the encrypted drive. However, all encryption and decryption activities
remain transparent to the user (Lubert, 2007).
When implementing full disk encryption, the dependence on user responsibility is eliminated.
Encryption is automatic and protection is persistent as long as the data remains on the storage
device. This includes any shadow copies, temporary files and metadata. It is important to note,
however, that once data is copied off the storage device, it is no longer encrypted (“How Full
Disk Encryption Works,” 2009). Furthermore, full disk encryption offers no protection against
malware, Trojans, or Rootkits that are designed to disable protection (Bosen, 2008).
Full disk encryption can be implemented via either a software- or hardware-based solution. One
major difference between hardware and software full disk encryption is that a software based
solution can be centrally managed, whereas a hardware based solution can only be managed
locally. Another major difference between software and hardware implementations is speed.
Because the encryption/decryption is being performed at the disk level for hardware
implementations, there is little performance impact within the operating system (“Full Disk
Encryption,” 2010).
Software Vendors
Product: PGP Whole Disk Encryption
Website: http://www.pgp.com/products/wholediskencryption/index.html
PGP Whole Disk Encryption provides high-performance full disk encryption for desktops,
laptops and USB devices. With an array of options which target different size and type
organizations, PGP Whole Disk Encryption provides a comprehensive, platform-independent
solution for encryption in the enterprise. Key features include rapid deployment, centralized
management, easy passphrase and machine recovery, as well as a user-friendly environment.
PGP Whole Disk Encryption is supported on Windows, Mac OS X, and Linux environments. It
utilizes AES 256-bit keys and enables two-factor authentication for Windows clients. Once the
software has been installed, users must be authenticated to access the device (see Figure 13).
Figure 13: PGP Whole Disk Encryption Pre-Boot Authentication
Product: WinMagic SecureDoc Full Disk Encryption
Website: http://www.winmagic.com/
WinMagic’s SecureDoc Full Disk Encryption is a solution providing whole disk encryption for
laptops, desktops and removable media. While taking advantage of Opal compliant Self-
Encrypting Drives and Intel Anti Theft Technology, SecureDoc places everything encryption
related for data at rest under one centralized enterprise server. Using AES 256-bit encryption,
SecureDoc is a highly certified solution for the enterprise. It is robust, allowing for integration
of strong authentication, including tokens, smartcards, biometrics, and PKI. SecureDoc is
supported on the Windows, Mac OS and Linux platforms, making cross-platform management
easier. When it is centrally deployed, the SecureDoc Enterprise Server (SES) simplifies
deployment, reporting and administration. Even the addition of new user accounts can be done
remotely, as seen in Figure 14.
Figure 14: SecureDoc Enterprise Server New User interface
Product: Check Point Full Disk Encryption
Website: http://www.checkpoint.com/products/datasecurity/pc/
Check Point’s Full Disk Encryption suite (formerly called Pointsec) is a popular full disk
encryption program with comprehensive platform support for Windows, Mac OS, and Linux. It
is a highly scalable product, allowing for deployment to more than 200,000 seats. Check Point’s
Full Disk Encryption uses AES 256-bit encryption, earning it the highest security certifications,
including FIPS 140-2, Common Criteria EAL4 and BITS. Implementations can be centrally
managed from a single console, enabling central policy enforcement and configuration. It also
has the Remote Password Change and One-Time Logon remote help feature to simplify technical
support. This software also supports multi-factor authentication, such as certificate-based smart
cards and dynamic tokens. From a single user interface, users are able to view security status and
log files and make basic configuration changes as allowed, as seen in Figure 15.
Figure 15: Check Point Full Disk Encryption Status Page
Hardware Solutions
Product: [hiddn] Full Disk Encryption
Website: http://www.hiddn.no/solutions/
As technology enables for greater security, many companies are also moving toward hardware
implementations. [hiddn] Full Disk Encryption is a hardware solution, developed by High
Density Devices, that incorporates full disk encryption at the lowest level. It is highly secure, as
no encryption keys are stored on the hard drive or in the unit. It incorporates the [hiddn] Crypto
Module (as seen in Figure 16), which has an ATA interface that can be operated with an internal
or external card reader. Physically separate encryption keys and secure tokens are required to
unlock the protected drive and enable decryption of the data. The hardware uses AES 256-bit
encryption algorithms with split-key implementations. With [hiddn] Full Disk Encryption, there
are no annual licensing fees, no lost passwords and zero end-of-life disposal cost. Furthermore,
performance is real time with no delay, and no drivers or software are required.
Figure 16: [hiddn] Crypto Module
Product: Seagate Momentus Laptop Hard Drive
Website: http://www.seagate.com/www/en-us/products/laptops/laptop-hard-drives/#tTabContentOverview
Seagate is another vendor that has broken into the hardware FDE arena with the Momentus
Laptop Hard Drive. With capacities up to 750 GB and FIPS 140-2 validation, the Momentus
provides high performance encryption that doesn’t slow down your system. It also incorporates
G-Force Protection technology that enables data recovery after a fall, even if the laptop is
destroyed. Figure 17 is a picture of the Momentus drive.
A Survey of Current Workstation Encryption Technologies for the Enterprise 27
Figure 17: Seagate Momentus Drive
Product: Hitachi Ultrastar and Travelstar Hard Drives
Website: http://www.hitachigst.com/internal-drives/self-encrypting-drives/
Hitachi has a wide range of full disk encryption (also called self-encrypting) drives for the
enterprise. The Ultrastar and Travelstar lines combine performance and high capacity while
ensuring data security through hardware-based encryption. Portability is improved, because the
encryption engine is inside the drive and there is no system-level dependence. Also, the
enhanced secure erase capability eliminates the need for time-consuming data overwrites.
The Ultrastar 15K600 (see Figure 18) is just one of Hitachi's full disk encryption drives.
Figure 18: Hitachi's Ultrastar 15K600 self-encrypting drive
CHOOSING A SOLUTION
The encryption solutions mentioned in the previous sections represent a small portion of options
available for the enterprise. With so many options available, each claiming to be the answer, it
becomes difficult for administrators to determine the method that will work best for their
organization. When choosing a solution to fit the needs of a particular organization, the options
that are selected are highly dependent on the way that data is used and shared within the network.
Thus, different organizations may require different levels of protection.
To begin, organizations should determine the level of protection needed for their
environments. For example, a bank with an abundance of data containing customer
financial information and personal identifiable information would require a much higher
level of security than a major grocery chain. Where a hospital would be concerned about
data exposure for most systems because of the nature of information that it holds, a major
construction firm would mainly be concerned about human resources data and customer
contact information. What external requirements have motivated the company to
implement an encryption solution?
Another aspect that companies should consider when looking for an encryption solution
is platform support. Will the company encryption program run on the latest version of
Windows? Is it compatible with Mac OS and Linux? Will it provide protection for smart
phones and USB devices? If not, is the vendor developing solutions for the future? If
information is shared between platforms, a company needs a multiplatform solution to
eliminate the possibility that data can end up on a non-supported and unprotected
platform, vulnerable to compromise.
Data recovery should be considered carefully when choosing an encryption product.
Without a reliable recovery method, encryption is a data loss waiting to happen.
Hardware fails; passwords are forgotten; and smart cards and dongles are misplaced.
How can that data be recovered? Is the data recovery method manageable for the size of
the organization? How secure is the recovery method?
Key management questions should be answered before going with any vendor. The
organization must have a thorough understanding of how keys are created, where they are
stored, how they are changed, and how they are archived. There should be a clear
understanding of any vulnerability that stems from key management. If passwords are
used, is it possible to enforce a strong password policy? Can keys be changed if
compromise is suspected?
Location of the data should also be considered. If it resides inside a high level security
building with physical access restrictions and limited networking capabilities, that data
may not need to be encrypted. On the other hand, a life insurance salesman who carries a
laptop to input individual policies for customers may require an encryption product with
hibernation support and secure file deletion.
Auditing and reporting requirements are another crucial factor to consider. In the event
that a data breach has occurred, an organization needs a way to show that sensitive data
was encrypted to prevent disclosure.
RECOMMENDATIONS AND BEST PRACTICES
Protecting critical data using encryption requires a combination of strategic actions. According
to a study by the Aberdeen Group, "Full Disk Encryption on the Rise," 91% of all best-in-class
companies use full disk encryption to secure their endpoints (2009). In addition, 77% of those
companies also utilize file and folder encryption. Removable media and USB drive encryption
show 23% and 50% participation respectively. In other words, these companies are using
multiple layers of protection to secure their data. Based on their threat analysis, encryption is added
where it is needed.
Many vendors are realizing this need for different types of encryption in the enterprise. As a
result, many companies now offer suites of encryption products to provide file and folder
encryption, virtual disk and volume encryption, as well as full disk encryption that can be
integrated into one unified threat solution. Examples include Check Point's Endpoint Security
suite, which includes full disk encryption, media encryption, antivirus and antispyware, remote
access VPN, and network access control (Check Point Technologies, 2010). McAfee's Total
Protection for Data includes full disk encryption, persistent file and folder encryption, access
control, advanced auditing and reporting, and seamless integration with the existing structure
(McAfee, Inc., 2003).
In addition to having a multi-level approach to encryption, companies with the lowest number of
security breaches realize the importance of user education (Brink, 2009). With clear and
consistent policies, sustained compliance with requirements, and end users who are educated
about data protection policies and procedures, companies are more likely to benefit from a
more secure environment.
CONCLUSION
There are many different types of encryption implementations available. Companies must
carefully consider all of the benefits and disadvantages that each solution presents. For best
results, a multi-layered approach with centralized management and reporting combined with a
full communication and education strategy should be implemented. Whether the choice is to
pursue file and folder encryption, virtual disk and volume encryption, or full disk encryption,
companies must make a concerted effort to protect the data.
REFERENCES
McCullagh, D. (2009, February 10). US Stimulus bill pushes e-health records for all. cnet News. Retrieved from: http://news.cnet.com/8301-13578_3-10161233-38.html
National IT Industry Promotion Agency. (2009). National Identification System. (Version 2). Retrieved from: http://www.egov.iist.unu.edu/cegov/content/download/1911/48114/version/2/file/NID_System_4_UNU.pdf
Dash, E. (2006, January 26). Ameriprise Says Stolen Laptop Had Data on 230,000 People. New York Times. Retrieved from: http://www.nytimes.com/2006/01/26/business/26data.html?_r=1
Hoover, J. (2010, May 14). Stolen VA Laptop Contains Personal Data. InformationWeek. Retrieved from: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=224800060
Kinzie, S. (2008, January 30). Stolen Hard Drive Had Personal Data. The Washington Post. Retrieved from: http://www.washingtonpost.com/wp-dyn/content/article/2008/01/29/AR2008012902333.html
National Institute of Standards and Technology. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). (SP 800-122). Gaithersburg, MD: McCallister, E., Grance, T., Scarfone, K.
Congressional Research Service. (2010). Federal Information Security and Data Breach Notification Laws. (7-5700). Washington, DC: Stevens, G.
National Conference of State Legislatures. (2010). State Security Breach Notification Laws. [Go 13489]. Retrieved from: http://www.ncsl.org/default.aspx?tabid=13489
Encryption. (n.d.). Business Dictionary online. Retrieved from: http://www.businessdictionary.com/definition/encryption.html
US Department of Commerce / National Bureau of Standards. (1975). Computer Security Guidelines for Implementing the Privacy Act of 1974. (FIPS PUB 41). DC: US Government Printing Office.
Schaaf, A. (2007). Full Disk Encryption – An Executive's Introduction to How it Works and Other Issues. Ezine Articles. Retrieved from: http://ezinearticles.com/?Full-Disk-Encryption---An-Executives-Introduction-To-How-It-Works-And-Other-Issues&id=650714
National Institute of Standards and Technology. (2007). Guide to Storage Encryption Technologies for End User Devices. (SP 800-111). Gaithersburg, MD: Scarfone, K., Souppaya, M., Sexton, M.
Security Procedure Information System Auditing Resources. (2008). File or Folder level Encryption Pros and Cons. Retrieved from: http://www.securityprocedure.com/file-or-folder-level-encryption-pros-and-cons
Bosen, B. (2008). File Level vs. Full Disk Encryption. ITSecurity Journal.com. Retrieved from: http://www.itsecurityjournal.com/index.php/Latest/File-Level-vs.-Full-Drive-Encryption.html
EFF Surveillance Self Defense Project. (n.d.). File and Disk Encryption. Retrieved from: https://ssd.eff.org/tech/disk-encryption
Nash, R. (2008). Data Loss and Full Disk Encryption. InformIT. Retrieved from: http://www.informit.com/articles/article.aspx?p=1217041&seqNum=2
Tyurin, I. (2004). Top Reasons to Use File Encryption. Retrieved from: http://disk.privateshell.com/
Bragg, R. (2010). The Encrypting File System. Microsoft TechNet. Retrieved from: http://technet.microsoft.com/en-us/library/cc700811.aspx
Author Unknown. (n.d.). EncFS Encrypted Filesystem. Retrieved from: http://www.arg0.net/encfs
Moffat, D. (2010, November 19). ZFS Encryption what is on the disk? Retrieved from: http://blogs.sun.com/darren/entry/zfs_encryption_what_is_on
McDermott Will & Emery. (2009). Regulatory Update: HITECH's Security Breach Notification Requirements. Boston, MA: Bernstein, S., Broccolo, B., Echols, H., Timko, A., Ward, M., White, S.
Wikipedia. (2010). Free OTFE. Retrieved from: http://en.wikipedia.org/wiki/FreeOTFE
Wikipedia. (2010). BitLocker Drive Encryption. Retrieved from: http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
Lubert, H. (2007). Full Disk Encryption (FDE) vs. File Encryption Technologies. INT2View.com. Retrieved from: http://www.int2view.com/content/view/29/46/
Spam Laws. (2009). How Full Disk Encryption Works. Retrieved from: http://www.spamlaws.com/how-full-disk-encryption-works.html
Bosen, B. (2008). Hard Drive Passwords Easily Defeated; the Truth about Data Protection. ITSecurity Journal.com. Retrieved from: http://www.itsecurityjournal.com/index.php/Latest/Hard-Drive-Passwords-Easily-Defeated-the-Truth-about-Data-Protection.html
Wikipedia. (2010). Full Disk Encryption. Retrieved from: http://en.wikipedia.org/wiki/Full_disk_encryption
Aberdeen Group. (2009). Full Disk Encryption on the Rise. Boston, MA: Brink, D.
Check Point Technologies. (2010). Retrieved from: http://www.checkpoint.com/products/endpoint_security/index.html
McAfee, Inc. (2003). Retrieved from: http://www.mcafee.com/us/enterprise/products/data_protection/integrated_suites/total_protection_for_data.html