Should you care about Full Disk Encryption?
If you’re living on this big rock, the answer is yes.
Full-Disk Encryption (FDE) is a crucial security feature designed to protect private data from getting into the wrong hands. Considering the growing number of cybersecurity threats, and the astronomical resolution costs that come with them, safeguarding data is paramount.
Look no further than Kaseya for motivation. The remote monitoring and management (RMM) provider compromised up to 1,500 organizations because of a ransomware attack in 2021. Rumor has it Kaseya forked over $70 million in ransom to resolve the issue.
While there are several security measures that admins can reasonably opt out of taking, full disk encryption isn’t one of them. This article will explain FDE, the regulations that back it, how to implement it for both Apple and Windows devices, and how to cut implementation time in half.
What Is Full-Disk Encryption?
Full-Disk Encryption (FDE) is an information protection technology that allows IT admins to convert data into unreadable code only accessible by authorized personnel.
Essentially, it’s a way to decrypt and lock down data, limiting accessibility by logging into the system or using a unique recovery key. FDE, also referred to as whole disk encryption, secures all hard disk content, including files, operating systems, and other forms of data.
Why Does It Matter?
The purpose of FDE is to protect sensitive data should a device become lost or stolen. It’s worth mentioning there are several types of encryption, but FDE is a good place to start.
FDE is a crucial security feature that every organization should take into consideration when following data security compliance regulations, such as PCI and HIPAA among others.
In addition, full disk encryption helps organizations properly store and access critical data. Once implemented, FDE relies very little on the actions of the end user, hence fewer data privacy issues arise. But, like every other system, FDE comes with its own challenges.
Challenges of Full-Disk Encryption
One of the major drawbacks of full disk encryption is that decrypted data cannot be recovered if users lose both their password and recovery key. Depending on the circumstances, this could bring organizational operations to a complete halt. Permanent data loss is no joke.
Unfortunately, FDE presents the following challenges:
- Doesn’t protect data in transit: FDE doesn’t protect data while it’s in transit. So, sharing data between devices or email still leaves it vulnerable to hacking.
- Slows down devices: FDE encrypts the entire drive; users must key in authentication credentials every time they need to access the data. This slows down desktop operating systems and worker productivity.
- Has cross-platform limitations: Traditionally, organizations deployed a single type of operating system, but most of today’s businesses include a mixture of Windows, macOS, and/or Linux devices. Heterogeneous environments make it difficult to implement and manage FDE across a fleet of systems. Turning on FDE isn’t enough to do the trick anymore!
In addition, FDE implementation and management can be costly.
User experience challenges such as reduced productivity during the initial encryption implementation process, having to deal with additional access passwords, and remote employees having to physically bring their devices for encryption are common concerns.
Which Regulations Require FDE?
According to the IBM 2021 Cost of Data Breach Report, high-level compliance failures cost organizations an average $5.65 million per year in fines, penalties, and lawsuits.
The most highly regulated industries include the public sector, education, energy, healthcare, consumer goods, financial, technology, and pharmaceuticals. They have compliance regulations that may require FDE to pass an audit in these industries.
Common data security regulations include:
- Payment Card Industry Data Security Standard (PCI DSS): The PCI safeguards critical credit card information handled by financial institutions. It revolves around securing the cardholder data environment (CDE). Requirement 3 of the regulation specifically deals with data encryption.
- Gramm-Leach-Bliley Act (GLBA): This regulation also targets the financial industry. It’s also known as the Financial Modernization Act of 1999. The GLBA requires institutions that offer financial products such as loans, insurance, and financial/investment advice to safeguard sensitive data and explain their information-sharing practices to customers.
- Health Insurance Portability and Accounting Act (HIPAA): Developed in 1996, the primary aim of HIPAA is to protect the privacy and security of certain health information. The HIPAA Security Rule covers identity and access management. It requires health institutions to ensure unique user access, authentication controls, and audit logging.
- Fair Credit Reporting Act (FCRA): Besides governing the type of information credit bureaus collect about individual consumers and how they do it, FCRA also limits who is allowed to see a credit report. It was developed to address the fairness, accuracy, and privacy of the personal information in the hands of credit reporting agencies.
- General Data Protection Regulation (GDPR): The GDPR is intended to safeguard the personal data for European Union (EU) citizens globally. While it doesn’t apply to EU citizens and Americans living in the US, US companies are subject to the regulation if they store or process the personal data of EU residents. There are also several federal and state-level privacy regulations in the US that offer some similar protections to the GDPR. Examples include the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA).
In order to comply with these regulations, admins must implement FDE on their systems and prove compliance by reporting enablement.
Understandably, reporting is one of the most tiresome, confusing, and time-consuming aspects of remaining compliant. We recommend unifying point tools wherever possible to promote reporting consolidation.
The JumpCloud Directory Platform allows IT managers to combine advanced reports with invaluable data from the software’s System Insights. Admins enjoy a bird’s-eye view to monitor user access to internal resources, user permissions, patch and operating system versions, system information, and more for enhanced security management.
Full-Disk Encryption for Microsoft
Microsoft offers an in-built FDE feature called BitLocker for organizations using Windows OS. It supports devices running on Windows 10 Pro, Education, or Enterprise editions but not the Home edition.
To activate BitLocker, simply choose a Windows system then turn on BitLocker. This action will send a signal to encrypt the hard drive when at rest during the next system reboot.
The first BitLocker encryption usually takes some hours to complete depending on the drive features. After which, user experience and boot up times speed up. As previously mentioned, the downside of data encryption is the potential for permanent data loss. Yikes!
Choose a recovery option in case you:
- Forget the user account password (if you’re using BitLocker with a Trusted Platform Module (TPM) chip)
- Forget the decryption PIN or lose the USB startup key (if you’re not using a TPM chip)
- Upgrade your OS
- Install a new motherboard
- Update your computer’s BIOS
- Transfer the encrypted device to a new computer
- Change the boot configuration settings
Finally, never turn BitLocker off when planning system upgrades or hardware/configuration changes. Doing so decrypts the drive, necessitating starting over once updates are complete. Instead, just suspend the feature until you’re done.
Full-Disk Encryption for Apple
Apple promotes its flagship software FileVault for full-disk encryption. It performs the same function as BitLocker but for MacOS devices. As expected, the installation/management process is similar to that for BitLocker.
Choose a recovery option during setup in the event of a forgotten password. It’s worth emphasizing that enabling FileVault does not affect the user experience; they can still log in, navigate folders, and save files as normal. All data stored on the drive will be encrypted once admins enable FileVault.
JumpCloud: Compliant Managed FDE
Choosing between BitLocker or FileVault FDE is ineffective for today’s heterogenous and largely remote work environment. You need a device management solution that allows system management from a central platform in heterogenous environments.
Use the JumpCloud Directory Platform to enforce FDE for both Windows and Mac systems in one pane of glass. With JumpCloud, admins can store their recovery keys in a secure escrow so they won’t get locked out in the face of lost credentials. The best part? JumpCloud is a cloud-based solution that supports remote employees working on mobile devices from home.
What’s more, JumpCloud offers free Directory-as-a-Service for the first ten users. This means that if you are a small to medium-size enterprise (SME) with less than 10 employees, you can enjoy JumpCloud for free forever.