Full disk encryption (FDE) is quickly becoming an industry security standard across most of today's market spaces. With an increasing focus on data security over the past decade, Apple® and Microsoft® both realized that encrypting the hard drive was an important step toward a more secure data environment. FileVault was introduced several years ago as the macOS® solution for full disk encryption. The challenge has been managing it across an enterprise. In this post, we'll discuss what FileVault management is and how IT teams can implement it across their organization.
What is FileVault?
The concept behind FileVault (and FDE in general) is to encrypt data stored on a hard drive while it is at rest, that is, while the machine is powered off or the volume is locked. Only the correct user can unlock the encrypted volume, typically by entering their unique user credentials (username and passphrase) at boot. The result is that if a laptop and/or its hard drive were stolen, a bad actor would also have to know the user's credentials. Note that FDE protects data only at rest: once the volume is unlocked and the machine is running, it offers no protection against malware or an attacker with access to the logged-in session. As an additional measure, a separate recovery key, generated when FileVault is enabled and held by the organization's IT admin, can also unlock the volume if the user's credentials are unavailable (a forgotten password, a departed employee, or a drive pulled from its machine). For many organizations where a data breach could be catastrophic, such as the healthcare industry, full disk encryption is mandatory.
The challenge for IT organizations has been that implementing FDE across an entire organization isn't a fully automated process. Not only does it need to be enabled for each user/machine, there is a second step that is virtually mandatory: securely storing the recovery keys. If a user forgets their password and no recovery key was kept, the drive can no longer be decrypted and the data is lost. Both FileVault and BitLocker (the Windows-based FDE solution) generate recovery keys that admins can use to unlock the drive. Of course, these keys need to be stored securely, or escrowed, and stored somewhere other than the encrypted machine itself.
The Struggle of FileVault Management
FileVault management boils down to three things: enabling FDE on every machine, reporting on which machines are actually encrypted, and escrowing (and later retrieving) the recovery keys. Without an automated system to handle all three, it is virtually impossible for IT organizations to implement full disk encryption properly at scale. As more and more organizations turn to FDE, IT admins struggle to find a proper method to manage FileVault (and BitLocker).
Some solutions exist on the market today to help with FileVault management. Unfortunately, these solutions do not deliver the full package. Some provide full-fleet FileVault enablement, but have no key escrow capability. Others may have key escrow, but only for institutional recovery keys, which are not nearly as secure as individual (personal) recovery keys: an institutional key is a single keychain shared by every Mac in the fleet, so if it leaks, every encrypted drive in the organization can be unlocked, whereas a personal recovery key unlocks only the one machine it was generated on. And these tools often can't tackle a full fleet of systems, whether macOS or Windows®.
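To make the enable-and-escrow step and the personal-versus-institutional distinction above concrete, here is an added example (not JumpCloud's code, and not part of the original post) of the per-machine logic an escrow agent runs on a Mac. It assumes Apple's `fdesetup` tool: `fdesetup enable -user <name> -outputplist` prints a plist containing the new personal recovery key, and `fdesetup haspersonalrecoverykey` / `fdesetup hasinstitutionalrecoverykey` print `true` or `false`. The plist and the username `alice` are constructed sample data so the parsing and audit logic also runs off a Mac; the escrow record format is an assumption, not any product's API.

```python
"""Enable FileVault with a personal recovery key and capture it for escrow.

Added example, not JumpCloud's code. Assumes macOS `fdesetup`; the plist
below is a constructed stand-in for `fdesetup enable -outputplist` output so
the parsing and audit logic can run anywhere.
"""
import plistlib
import re
import shutil
import subprocess
from datetime import datetime, timezone

# A personal recovery key is 24 characters in six dash-separated groups of four.
# This is a format sanity check only; it does not validate the key against the volume.
RECOVERY_KEY_RE = re.compile(r"^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$")

# Constructed sample of what `fdesetup enable -user alice -outputplist` prints;
# a real run carries the machine's own serial, hardware UUID and freshly generated key.
SAMPLE_ENABLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>EnabledDate</key><string>2019-04-02 14:03:11 +0000</string>
  <key>HardwareUUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>RecoveryKey</key><string>ABCD-EFGH-JKLM-NPQR-STUV-WXYZ</string>
  <key>SerialNumber</key><string>C02XXXXXXXXX</string>
</dict>
</plist>
"""


def parse_enable_output(plist_bytes: bytes) -> dict:
    """Extract the personal recovery key and machine identifiers from fdesetup's plist."""
    data = plistlib.loads(plist_bytes)
    key = data.get("RecoveryKey", "")
    if not RECOVERY_KEY_RE.match(key):
        # Escrowing a malformed key is worse than failing loudly: the drive would
        # look recoverable in the console but not be.
        raise ValueError("fdesetup output has no well-formed personal recovery key")
    return {
        "recovery_key": key,
        "serial": data.get("SerialNumber", ""),
        "hardware_uuid": data.get("HardwareUUID", ""),
        "enabled_date": data.get("EnabledDate", ""),
    }


def build_escrow_record(parsed: dict, username: str) -> dict:
    """Tie the key to the user's identity and the device so it can be found later.
    The record layout is an assumption for this example, not any product's schema."""
    return {
        "user": username,
        "serial": parsed["serial"],
        "hardware_uuid": parsed["hardware_uuid"],
        "recovery_key": parsed["recovery_key"],
        "escrowed_at": datetime.now(timezone.utc).isoformat(),
    }


def run_fdesetup(args: list) -> "str | None":
    """Run fdesetup when it exists (macOS only); return its stdout, or None elsewhere."""
    if shutil.which("fdesetup") is None:
        return None
    result = subprocess.run(["fdesetup", *args], capture_output=True, text=True, check=False)
    return result.stdout


def enable_with_personal_key(username: str) -> dict:
    """Enable FileVault for `username` (fdesetup prompts for the password interactively)
    and return the escrow record. Off macOS, the constructed sample plist is used."""
    out = run_fdesetup(["enable", "-user", username, "-outputplist"])
    plist_bytes = out.encode() if out is not None else SAMPLE_ENABLE_PLIST
    return build_escrow_record(parse_enable_output(plist_bytes), username)


def audit_key_types(has_personal: str, has_institutional: str) -> str:
    """Classify a machine from the `true`/`false` output of
    `fdesetup haspersonalrecoverykey` and `fdesetup hasinstitutionalrecoverykey`.
    Institutional-only machines are flagged: that one shared key unlocks the whole fleet."""
    personal = has_personal.strip().lower() == "true"
    institutional = has_institutional.strip().lower() == "true"
    if personal:
        return "compliant"
    if institutional:
        return "institutional-only"
    return "no-recovery-key"


if __name__ == "__main__":
    record = enable_with_personal_key("alice")
    # Never write the key to logs or stdout; ship the record to the escrow service over TLS.
    print({k: ("****" if k == "recovery_key" else v) for k, v in record.items()})
    print(audit_key_types(run_fdesetup(["haspersonalrecoverykey"]) or "false",
                          run_fdesetup(["hasinstitutionalrecoverykey"]) or "false"))
```

Two practitioner notes: the record above must leave the machine as soon as it is built (a key escrowed only on the drive it unlocks is no escrow at all), and an escrowed key is only as good as its last verification. Periodically piping the stored key into `fdesetup validaterecovery` on the target Mac confirms it still unlocks the volume; a key becomes stale after a user rotates it or the volume is re-encrypted.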
FileVault Management at Scale with Directory-as-a-Service®
Thankfully, there is a next generation cloud directory service which includes full-fledged FileVault management policies. These group policy object (GPO)-like capabilities are able to not only enforce FDE across both macOS and Windows fleets, but can escrow recovery keys with ease, tying them into a user’s identity directly. As a cloud directory service, this solution also authenticates these user identities across their various IT resources (systems, applications, networks, file servers, etc.) regardless of their choice of service or location.
JumpCloud® Directory-as-a-Service is the world’s first comprehensive directory service. Turnkey and serverless, Directory-as-a-Service has reimagined Microsoft Active Directory® for the modern era. To learn more about FileVault management with a cloud directory service, be sure to check out our YouTube channel and contact us with your questions. You can try JumpCloud absolutely free, with ten users included to get you started.