You may already know that enabling full disk encryption (FDE) for your fleet of user systems can prevent a future disaster. But for those who need some convincing, here are five reasons to require FDE.
When every hard drive on every system at your office has data at rest encryption enabled, your security posture is stronger. A stolen laptop is no longer an existential security threat. The data simply won’t be accessible to the thief without another vector of attack (e.g. stolen credentials).
This is IT at its best: containing a broad, physical threat with a systematic, IT-based solution.
Any user who has ever used FileVault or BitLocker knows that it’s simple to enable FDE on their machine. In fact, it takes mere seconds to enable FDE on most systems. The challenge for most IT organizations is making enabling FDE automated and an auditable process. It must also be foolproof, which means having a securely escrowed recovery key. In order to check all of these boxes and to effectively require FDE at the scale of an enterprise or even an SMB, a solution must automate FDE enablement for both Mac and Windows systems, regardless of the number. These tools make full disk encryption simple: again, it can take just seconds to enable FDE on a system, or to enable it on every system.
While there are a couple of different solutions for FDE management out there, some make it more simple than others. If you have a heterogeneous environment and would like one tool that can manage both Windows® and Mac® systems, then we recommend you include our solution (JumpCloud® Directory-as-a-Service®) in your evaluation process. Learn more about requiring FDE with JumpCloud in this demo video.
#3 Minimal Downside
Every action has a possible negative consequence. This is notoriously true with IT security measures. Take MFA, for example: great for security, inconvenient for users. FDE has a couple of downsides, but they’re minor ones.
The biggest inconvenience with FDE is that it makes booting up the machine slightly slower. Obviously, nobody enjoys waiting longer to gain access, but we’re talking a matter of seconds added to the bootup process.
The biggest risk would be that if a user forgets their password and doesn’t have their recovery key, they could be permanently blocked from accessing their hard drive. But, good FDE management eschews this risk. For instance, with FDE from JumpCloud, recovery keys are always securely available from the admin console, allowing admins to decrypt FDE enabled machines as necessary.
All this to say, there is literally no good reason not to require FDE organization-wide. The user experience is largely unchanged. The security benefits are immediate and lasting.
#4 Peace of Mind
The truth is that your CTO’s Macbook probably isn’t going to be stolen – and if it is stolen, then the perpetrator probably doesn’t know what to do with any of the critical data or intellectual property contained within. A laptop thief is most likely to be looking to pawn it for cash – not take down your company from the outside.
Even more likely than petty theft is an employee simply losing their laptop. Employees have been known to leave their priceless portable workstations in bars, train cars, coffee shops, and airports.
Whether the laptop ends up in the hands of an international cyber-attacker or merely the ‘lost and found’ at the local library, FDE grants peace of mind that the data is protected. We’re not just talking about the peace of mind of the IT admin, but also that of the president of the company and the employee who’s missing their machine.
When you’re 100% certain that FDE is enabled on 100% of machines, then situations that would otherwise be cause for panic can be met by all with confidence and calm.
#5 Auditing/Compliance Requirements
If you’re looking to achieve PCI or HIPAA compliance, then FDE is going to be one of the all-important boxes to check. Regulatory bodies love requiring organizations to enforce FDE because of everything that we pointed out in reason #1.
Of course, part of the challenge with an audit isn’t just checking the boxes, but being able to demonstrate categorically that you’ve checked the boxes. Again, FDE management tools come into play here since through them you can run reports that prove your compliance with FDE requirements.
Ready to Require FDE?
We just spent a lot of time extolling the virtues of FDE for three reasons:
- Because we care about your security.
- Because we just rolled out BitLocker and FileVault 2 enablement policies that allow JumpCloud administrators to enforce full disk encryption for their managed Mac and Windows users.
- Our FDE management functionality is included with paid plans for no extra charge, and, of course, all free accounts can enforce FDE on up to 10 users (or 40 machines) free of charge.
JumpCloud’s mission with Directory-as-a-Service has long been to provide a unified cloud directory for securely managing user systems – whether Mac®, Windows, or Linux®. That’s why we rolled out our group-based security policies for systems (e.g. disable USB storage, enforce lock screen settings) and that’s why we’re adding full disk encryption enablement policies to our policy library.
You can learn more about the complete Directory-as-a-Service platform here or see specifically how to use our policies for FileVault 2 and BitLocker on our Knowledge Base. To try us for free, simply signup or visit our pricing page for more information.