Full-disk encryption can save IT grief from lost laptops

Full-disk encryption can help enterprises comply with data security regulations, but it can hurt performance. See if the pros outweigh the cons for this laptop protection measure.

Losing your laptop can be an unpleasant experience, but you need to be prepared for such an event. Full-disk encryption can help protect your endpoint device even if it falls into the wrong hands.

Full-disk encryption, sometimes referred to as whole-disk encryption, is a process in which all of the data stored on a laptop's disk is encrypted, including user, system, swap, hidden and temporary files. A full-disk encryption solution prevents unauthorized users from accessing any data on a laptop (or similar endpoint device) if it is lost or stolen.

In the spring of 2011, a laptop was stolen from the car of a Massachusetts eHealth Collaborative employee while he was eating lunch. The laptop stored 13,687 patient records that contained names, Social Security numbers, birthdates and insurance information. Although the machine had been configured with security software, full-disk encryption was not one of those applications.

Such events are not surprising if you consider that 329 U.S. organizations lost over 86,000 laptops in 2009, according to a study by the Ponemon Institute. These losses cost each organization an average of $6.4 million in forensics, detection, legal fees, consulting, regulatory expenses, lost intellectual property and, of course, replacement costs. When added together, these figures come to a staggering $2.1 billion for one year's worth of lost or stolen laptops. And of those missing devices, only one-third had been configured with a full-disk encryption solution.

The wonderful world of full-disk encryption

In addition to encrypting the data, most full-disk encryption products install a proprietary operating system that intercepts and controls the boot sequence of the standard OS before it starts up. Once users have booted into the system via that proprietary OS, no other steps need to be taken to secure their data. Every file is automatically encrypted and decrypted without user interaction. In fact, except for the actual login process, all other processes associated with the full-disk encryption solution are invisible to the user.

The benefits to a full-disk encryption solution are many. The encryption and decryption process is transparent, so users never have to pick which data to encrypt, nor do they need to remember to encrypt sensitive documents. Unlike file and folder encryption, which relies on user interaction, users don't need to do anything to protect their critical data, other than install the full-disk encryption software. And because full-disk encryption also protects temporary and swap files, it is much more secure than simple file/folder encryption.

Full-disk encryption can also help ensure regulatory compliance. Laws or industry rules might require an organization to protect sensitive data, which can include intellectual property or personal information such as credit card numbers. Failing to protect such data properly can lead to hefty fines, legal battles and severely compromised reputations. If a laptop protected by full-disk encryption is lost or stolen, however, the organization is often absolved of any wrongdoing and not required to announce the mishap.

Many full-disk encryption systems also support pre-boot authentication, which prevents unauthorized users from getting into a protected computer. Even the startup OS files are inaccessible, thus adding another layer of protection. In addition, unauthorized users can't use alternative boot media to start up the system or access its files. With full-disk encryption, all data is protected.

Why isn't everyone using full-disk encryption?

One of the drawbacks of a full-disk encryption solution is that it can affect a laptop's performance. By some measures, such programs can double hard-disk access time, particularly if virtual memory is involved. Full-disk encryption technology has made significant strides, however, and users often won't even notice it's there. Still, full-disk encryption usually results in longer boot times because of the proprietary OS that intercepts the normal startup routine. That extra time shouldn't pose a problem if you know it's coming.

Perhaps the bigger issues have to do with implementation and management. Deploying a full-disk encryption solution means that administrators have one more app to roll out and support. In addition, deploying full-disk encryption can be a complex process and therefore costly. Licensing fees and training must be taken into account.

IT must also have processes to set up the user accounts needed to access the proprietary OS boot-up system. In addition, admins must enforce authentication policies -- such as for password complexity and expiration -- and manage the authentication data on an ongoing basis.

Of course, the full-disk encryption solution must itself be managed from day to day, which involves not only making sure that the application keeps running, but also ensuring that support procedures and documentation are in place should it stop.

This brings us to a full-disk encryption user's biggest nightmare: The software gets corrupted or fails, leaving the system in an unrecoverable state. In such cases, the full-disk encryption solution becomes the user's -- and subsequently, IT's -- greatest enemy. A full-disk encryption solution is effective because of its ability to protect all data, but that same feature can make it impossible to recover data if the software fails. And if no reliable and recent backup exists, everything may be lost.
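The pre-boot authentication, authentication-policy and recovery points above can be checked on a Windows laptop before it ever goes missing. The PowerShell audit below is an added example, not code from the article; it assumes the built-in BitLocker module (Windows 8 / Server 2012 and later) and an elevated session, and the function name Test-FdePosture is the author's own.

```powershell
# Added audit script (not from the article): check a Windows laptop's BitLocker
# posture for the points the article raises - every volume encrypted and
# protected, pre-boot authentication present, and a recovery password protector
# in place before the software ever fails. Assumes the built-in BitLocker
# PowerShell module (Windows 8 / Server 2012 and later), run elevated.
function Test-FdePosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TPM alone unlocks silently at boot; TpmPin / TpmPinStartupKey make the
        # user prove something before the OS volume is decrypted (pre-boot auth).
        $preBoot = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        # Without a RecoveryPassword protector there is no way back if the TPM,
        # PIN or boot chain breaks. The 48-digit key must also be escrowed (AD,
        # Entra ID or your key-management system); this script cannot see that.
        $recovery = $types -contains 'RecoveryPassword'

        # Data volumes may auto-unlock from the OS volume, so pre-boot auth is
        # only required on the OperatingSystem volume.
        $ok = ($vol.ProtectionStatus -eq 'On') -and
              ($vol.VolumeStatus -eq 'FullyEncrypted') -and
              ($vol.VolumeType -ne 'OperatingSystem' -or $preBoot) -and
              $recovery

        [pscustomobject]@{
            Volume       = $vol.MountPoint
            Type         = $vol.VolumeType
            VolumeStatus = $vol.VolumeStatus
            Protection   = $vol.ProtectionStatus
            PreBootAuth  = $preBoot
            RecoveryKey  = $recovery
            Compliant    = $ok
        }
    }
}

# Print the per-volume report; a non-zero exit code lets an endpoint-management
# agent flag the laptop for remediation.
$report = Test-FdePosture
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it from the management agent on a schedule so that a laptop whose protection was suspended, or whose recovery protector was never created, shows up before it is lost rather than after.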

A full-disk encryption solution is still better than nothing

Despite the disadvantages of full-disk encryption solutions, they're still among the most useful mechanisms available for protecting a laptop, short of handcuffing the device to the CTO's wrist. However, an effective full-disk encryption solution should have a minimal impact on worker productivity and be relatively easy for IT to deploy and manage.

Of course, each organization has to weigh the risks associated with losing sensitive data against the resources necessary to implement and maintain a full-disk encryption solution. In this world of ever-increasing mobility, however, few organizations can afford to have one of their laptops unprotected should it go missing.

Robert Sheldon is a technical consultant and freelance technology writer. He has authored numerous books, articles and training material related to Microsoft Windows, relational database management systems, and business intelligence design and implementation.
