By Zach DeMeyer Posted May 10, 2019
As more organizations struggle to achieve compliance with IT standards such as PCI, SOC 2, HIPAA, GDPR, and many others, a key requirement is ensuring that data is encrypted. Much of this work has centered on ensuring that databases and their data in flight are properly encrypted, but one area of general weakness among organizations has been data at rest stored on laptops and desktops. This blog post explores full disk encryption (FDE) and compliance regulations.
What is Full Disk Encryption (FDE)?
Full disk encryption is the concept of locking down system data while the system is at rest (powered off). For instance, if a system is physically stolen, its hard drive can still be detached and its data harvested, even though the system itself may be locked. With FDE, this data is encrypted and is accessible only by logging into the system to decrypt the drive or by using a recovery key unique to the encrypted drive.
FDE has been a standard feature within Windows® and macOS® systems (BitLocker and FileVault, respectively) for a few years now. However, the common challenge has been implementing and managing FDE across an entire fleet of systems.
Traditionally, IT admins have manually enabled FDE on a handful of critical systems. Some will also use single-OS systems management solutions such as Microsoft® Active Directory® or SCCM to manage FDE. The challenge is that most of today’s organizations are cross-platform, and, at the end of the day, simply turning on FDE isn’t enough.
In order to be compliant with many of today’s regulations, not only do you need to enable FDE on all systems, but you also need to be able to report enablement on those systems to prove compliance.
From an internal IT management perspective, there also needs to be secure storage of recovery keys, otherwise known as key escrow. Enabling FDE without proper storage of keys can be disastrous, as losing recovery keys can cause a loss of data. While compliance is critical, without proper access to the data, the organization can’t operate.
Compliant FDE Enforcement Solution
The good news is that there is a cross-platform system management solution that can enforce FDE across entire system fleets, as well as securely vault recovery keys in escrow. On top of FDE enablement, this cloud directory service has been reviewed by an independent compliance auditor, Coalfire Systems, to help organizations achieve compliance for PCI DSS, HIPAA, and GDPR, with additional certifications for other regulations.
This cloud compliance solution is called JumpCloud® Directory-as-a-Service®. As a fully comprehensive cloud directory service, JumpCloud can also be used to federate identities to cloud apps, networks through RADIUS, servers, infrastructure, and more. Since it is completely vendor neutral, it can manage identity access to resources regardless of who makes them or where they are located. If your organization is in need of cross-OS FDE enforcement and key escrow, look to Directory-as-a-Service.
Try JumpCloud Free
What’s more, JumpCloud Directory-as-a-Service is completely free for your first ten users. That means, by signing up for JumpCloud, you can take advantage of all that Directory-as-a-Service has to offer for no charge, forever. Contact us with your questions and concerns to learn more, or visit our blog.