What's stopping your company from implementing full disk encryption?


You may have heard about the stolen NASA laptop, which held a large amount of personally identifiable information on at least 10,000 NASA employees and contractors.

The surprising question here, of course, has to do with the glaring absence of encryption. NASA says that the laptop in question is scheduled to get encryption, though it would seem that not all laptops will get the same treatment. I can think of a couple of reasons for this, which I outline below.

Cost of encryption

The first issue that many businesses may have neglected to consider is this: Implementing full disk encryption, or FDE, costs money. The cost could come from swapping out the default hard disk drive in favor of self-encrypting drives, or from implementing full disk encryption software using Microsoft's (NASDAQ: MSFT) BitLocker drive encryption.

The latter is only available in the Ultimate and Enterprise editions of Windows 7, and in the Pro and Enterprise editions of Windows 8. For some businesses, this may entail acquiring the requisite license at an additional cost. Other free FDE tools do exist, though they require more work--and manpower--to implement.

Clunky integration

Aside from FDE, some businesses may opt for data-at-rest tools that encrypt specific folders or data volumes. Unlike FDE, which occurs entirely in the background, such encryption utilities often come with imperfect integration with existing software and processes, necessitating additional steps to encrypt or decrypt specific files. This typically translates into user resistance, which is usually heard the loudest at the management and executive levels--the very people who need encryption the most.

Count the cost ... of not encrypting

At a time when even smartphones support device encryption and password lock, my opinion is that all PCs and laptops can benefit from the use of encryption. Attempting to justify the cost of implementing encryption is a losing battle, however. CIOs and security managers should instead start by considering the cost of not encrypting data should laptops containing highly confidential or valuable data get misplaced or stolen. From there, it should be a simple matter to draw up a budget to prevent the worst-case scenario from happening.

Have you implemented FDE in your company yet? If not, is there any particular reason why? - Paul Mah (Twitter @paulmah)
