By Zach DeMeyer Posted December 4, 2018
If your company values data security, then you’ve probably considered the best way to require Full Disk Encryption (FDE) on all those Macs® and Windows® systems that you hand out to new employees. But here’s the hard truth: if you’re not currently mandating that all Windows and Mac users have full disk encryption enabled, then you’re making a potentially disastrous error.
The risk to your company’s data (and possibly your career) is simply unnecessary – especially with two perfectly good FDE tools for Mac and Windows in the form of FileVault and BitLocker, and with powerful cloud IAM tools that can simplify FDE enablement and management.
The Risk of The Unencrypted Drive
Forbes says that “One laptop is stolen every 53 seconds.” Additionally, nearly 41% of all data breach events from 2005 through 2015 were caused by lost devices such as laptops, tablets and smartphones.
The Wombat User Risk Report discovered that 65% of participants will leave their laptop or tablet in the car when they meet someone for dinner. A car is a safe place to store a laptop, right?
Think again. A study from computer accessory company Kensington found that laptops are most likely to be stolen from a car (CIO). “When Kensington asked respondents where company employees had experienced IT theft, the No. 1 response was ‘cars and transportation’ at 25 percent.”
Another CIO article demonstrates that everyone is at risk, not just the average Joe. “Even NASA laptops are vulnerable to theft and poor security practices: 48 NASA laptops or mobile devices were stolen from America’s space agency between April 2009 and April 2011, including one – unencrypted – laptop containing control codes for the International Space Station (ISS).”
If full disk encryption had been required in any of these cases, the sensitive data would have stayed protected and the owning companies would have had peace of mind. Clearly, today, full disk encryption is no longer optional. FDE is a prerequisite for real, enterprise-grade security.
FDE for Security & Compliance
For several compliance regulations, FDE may be required to pass an audit. For example, encryption factors heavily into PCI and HIPAA compliance. But any security-conscious organization should require full disk encryption as part of their general security protocol.
Let’s say that your CEO’s car is broken into while they’re at the gym. Their MacBook Pro is stolen – and with it, a hard drive that contains critical financials and intellectual property. At that point, the billion-dollar question is, “Was FileVault enabled on the MacBook?”
You’d better hope the answer is yes. A disk that is encrypted at rest cannot be easily compromised (unlike an unencrypted disk, where the operating system’s login prompt can be bypassed by even unskilled attackers, or the drive simply removed and mounted on another system).
So if you work in IT and you want to sleep well at night, the trick is not to hope that FDE is enabled on a stolen MacBook. The trick is to require FDE for all critical work systems—whether Mac or Windows—and manage it so you can verify that this is actually the case.
How to Require Full Disk Encryption on Mac and Windows
FileVault and BitLocker are both so simple to enable that literally any of your users could do it. But getting them to do it is another matter—and guaranteeing that they do it is really only possible through the use of enterprise-grade identity management tools. After that, managing the recovery keys in case people forget their passwords is an additional critical step.
FileVault, for the uninitiated, is the full disk encryption tool that has been included with Macs since 2003. BitLocker is the Microsoft® answer for FDE, which first shipped with Windows Vista in 2006. But neither FileVault nor BitLocker is designed for IT to manage at scale.
For that, there’s a whole menagerie of tools out there that you can use to require FDE. They all use the same brutally simple tactic: revoke access to the system until the user enables FileVault/BitLocker.
Here’s what truly requiring FDE at scale looks like:
- Admin enforces a security policy for FDE on a system or a group of systems
- User is prompted at login/logout to enable FDE
- User must enable FileVault/BitLocker or cannot login
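The enforcement loop above only works if the admin can tell whether FileVault or BitLocker is actually on. The check below is an added example, not JumpCloud’s code or anything from the original post: it parses the output of the native status commands (`fdesetup status` on macOS, `manage-bde -status <drive>` on Windows) and treats a suspended BitLocker volume or an in-progress FileVault conversion as non-compliant. The sample outputs are constructed, and the field names assumed are the ones those tools commonly print.

```python
import platform
import re
import subprocess

def parse_filevault_status(output):
    """Evaluate `fdesetup status` output. Returns (compliant, reason)."""
    if "FileVault is On." not in output:
        return False, "FileVault is off"
    # While conversion is still running, part of the disk is in cleartext.
    if "Encryption in progress" in output:
        return False, "FileVault encryption still in progress"
    return True, "FileVault on"

def parse_bitlocker_status(output):
    """Evaluate `manage-bde -status <drive>` output. Returns (compliant, reason)."""
    fields = dict(re.findall(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$", output, re.MULTILINE))
    conversion = fields.get("Conversion Status", "unknown")
    protection = fields.get("Protection Status", "unknown")
    if conversion != "Fully Encrypted":
        return False, f"BitLocker conversion status: {conversion}"
    # A suspended volume still reports 'Fully Encrypted' but keeps its key in
    # the clear, so 'Protection Off' must fail the check as well.
    if protection != "Protection On":
        return False, f"BitLocker protection status: {protection}"
    return True, "BitLocker fully encrypted, protection on"

def check_local_system(drive="C:"):
    """Run the native tool for this OS (manage-bde needs an elevated shell)."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return parse_filevault_status(out)
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status", drive], capture_output=True, text=True).stdout
        return parse_bitlocker_status(out)
    return False, f"no FDE check implemented for {system}"

# Constructed sample outputs (not captured from real machines) for offline runs.
SAMPLE_FILEVAULT_CONVERTING = "FileVault is On.\nEncryption in progress: Percent completed = 42\n"
SAMPLE_BITLOCKER_SUSPENDED = (
    "Volume C: [Windows]\n[OS Volume]\n\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Percentage Encrypted: 100.0%\n"
    "    Protection Status:    Protection Off\n"
    "    Lock Status:          Unlocked\n"
)

if __name__ == "__main__":
    print(parse_bitlocker_status(SAMPLE_BITLOCKER_SUSPENDED), check_local_system())
```

A management agent would run `check_local_system()` at login and feed the result back to the policy engine, which is what turns the three steps above from a prompt into an actual requirement.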
While the basic tactic is the same, these FDE automation tools are not all created equal. Some are legacy, requiring on-prem infrastructure (e.g. Microsoft® Active Directory®). Others are cloud-based and suited only to FileVault (no Windows compatibility).
This last point gets to the heart of the core problem with almost all FDE management solutions: they work for either FileVault or BitLocker, not both. That’s fine if you’re an all-Windows or all-Mac shop. But homogeneous OS environments are becoming increasingly rare these days.
While you can buy and maintain two FDE tools, it’s not ideal. Two tools cost more than one. There are twice as many portals to manage and twice as many points of failure. A cross-OS FDE tool is just better.
FDE in Action: JumpCloud Demo
At JumpCloud, we’re building the world’s best cloud directory that includes robust management policies that can be applied to Mac, Windows, and Linux® systems.
By assigning FDE to a group of systems, you can intelligently automate which systems are required to enable FileVault and BitLocker, and you can do it in bulk. Admins can also enforce policies dictating USB lock, screensaver settings, and multi-factor authentication (MFA).
You can read more in-depth material about JumpCloud’s capabilities with FDE here, or view the complete JumpCloud Policy library. JumpCloud is free for the first ten users (forever), so you can sign up for a free account and get your hands dirty with the JumpCloud platform right now.