By Nick Scheidies Posted December 9, 2018
With the rise of data breaches, organizations are interested in adopting a zero trust security approach. In fact, Computer Weekly reports, “71% of security-focused IT decision makers are not just aware of the zero-trust security model, but are actively pursuing that.” Part of that approach includes fortifying their systems with full disk encryption (FDE). Choosing to enforce FDE could be one of the smartest decisions an IT organization makes. Below, we’ll explain how to make full disk encryption part of your security policy and how to do it easily with a cloud-based FDE management solution.
Why FDE Should Be Mandatory
FDE is a mission-critical initiative because your data is the lifeblood of your organization. Your Mac® and Windows® devices likely contain sensitive information on their hard drives. In the event that a device with an unencrypted drive is lost or stolen, there’s no way to stop a thief from accessing the information stored on it. This is true regardless of whether the thief has the password for the system: the OS login protects the session, not the data at rest, so anyone with physical possession of an unencrypted drive can read it without credentials.
Here are the top five reasons to require FDE.
How to Enable Full Disk Encryption
Enabling FDE on an individual system is simple. Windows and macOS both offer native FDE with BitLocker and FileVault 2, respectively. While enabling FDE manually might be simple to do on your personal system, it’s a little more complicated when deployed across an organization. For starters, simply deploying it can be a pain. You can ask users to do it themselves, but there’s no way to tell if they actually did. And what happens when they’ve locked themselves out of their system? Do you have the recovery key? In order to make FDE part of your security policy, you should consider a system management provider that can enable FDE on your entire fleet in just a few clicks, mandate that it be enabled by users, and securely escrow their recovery keys.
How to Make FDE Part of Your Security Policy
If you’re currently using Active Directory® (AD), there are group policy settings available that back up BitLocker recovery keys to AD. If you’re not using AD, this will be a manual process, or you’ll need a third-party tool to manage the process.
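As an added example (not JumpCloud’s code or part of the original article), here is a PowerShell script that does the AD-side part of this on a single Windows machine: it reports the BitLocker state of the system drive and, if the drive is protected, makes sure a recovery-password protector exists and escrows it to AD DS. It assumes an elevated session on a domain-joined Windows client where the BitLocker group policy that allows saving recovery information to AD DS is enabled; the function names are my own.

```powershell
# Added example, not the article's code. Assumes: elevated PowerShell on a
# domain-joined Windows client, and the BitLocker GPO that permits saving
# recovery information to AD DS is enabled (otherwise escrow fails).

function Get-FdeComplianceReport {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus   # Off means the key is exposed even if the volume is encrypted
        PercentEncrypted = $vol.EncryptionPercentage
        HasRecoveryKey   = [bool]$recovery
        # "Compliant" here means: encrypted, protection on, and a recovery password exists to escrow
        Compliant        = ($vol.ProtectionStatus -eq 'On') -and
                           ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                           [bool]$recovery
    }
}

function Invoke-RecoveryKeyEscrow {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        # No 48-digit recovery password yet: add one so there is something to escrow.
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    foreach ($kp in $recovery) {
        # Stores the recovery password under the computer object in AD DS
        # (an msFVE-RecoveryInformation child object), where admins can look it up.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

# Report first; only escrow when the drive is actually protected.
$report = Get-FdeComplianceReport
$report | Format-List
if ($report.ProtectionStatus -eq 'On') { Invoke-RecoveryKeyEscrow }
```

Run across a fleet (for example through a remote-management tool or a scheduled task), the report object answers the "who has FDE enabled" question from the checklist below, and the escrow step closes the gap where a user enabled BitLocker themselves without the recovery key ever reaching AD.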
While there’s no tool native to Macs for managing FDE across a fleet, there are a variety of tools that offer Mac-centric organizations control over critical system security features, including FDE. These solutions vary in how securely and easily they escrow individual recovery keys.
With the growing mix of both Macs and Windows systems in today’s organizations, a complete FDE management solution should be able to enable and manage FDE for fleets of Mac and Windows systems from the cloud, including securely escrowing recovery keys for each operating system and device. With JumpCloud’s Directory-as-a-Service®, you can enforce a point-and-click security policy to require FDE on both Windows and Mac systems. FDE is part of JumpCloud’s policy library, along with security policies that regulate screen lock settings, USB access, and more.
Deciding on an FDE Policy Solution
Whenever making an important IT decision, it’s best to do your due diligence and consider all of your options. Some important factors to include in your evaluation:
- Does this solution allow for remote management of FDE?
- Does this solution provide secure escrow of individual recovery keys (not just institutional keys, which are a far less secure approach)?
- Does this solution work across all relevant operating systems?
- Can I easily determine who has FDE enabled and who does not?
- Does this solution strengthen system security in additional ways (e.g., MFA)?
- Does this solution work with my regulatory requirements (HIPAA, PCI, GDPR)?
If you have any questions about FDE or if you would like to learn more about how JumpCloud can help make cloud managed FDE part of your security policy, you can reach out to us here. We’re happy to help you evaluate. You can also try out the complete JumpCloud Directory-as-a-Service platform by signing up for a free account.