Managing the Evolving Landscape of Hard Disk Encryption Technologies
Full disk encryption requirements
Compliance with data security and privacy regulations, and the need to protect intellectual property, are the key business drivers for the adoption of data security solutions by enterprises. Ensuring consistent data security is a challenge. The IT environment is increasingly heterogeneous, with a variety of uses and devices where data is stored. A number of complementary and alternative technologies for data protection are available today or will be in the near future. Full disk encryption is recognized by experts as one of the key data security technologies. Disk encryption is a rapidly evolving area, and it is important for enterprises that are planning to deploy disk encryption, or have already deployed it, to keep pace with new developments. This article focuses on the various full disk encryption options available today and in the near future. Before one can decide which option works best for one’s environment, it is useful to list a few key criteria. Here are a few suggestions, which will be used in this article to evaluate the options:
- Allows consistent security policy enforcement in line with internal and/or external regulations. For example, if AES-256 bit encryption is mandated the chosen technology would need to support it
- Protection of all data stored on the hard disk. Some solutions may not encrypt all files, such as system files or temporary files
- Smooth integration into existing IT environments (incl. support of tokens for secure user authentication). It is important to ensure that existing business processes and technology investments are protected as far as possible as any change requires time, money and/or resources
- Easy roll-out through the network. The technology must be easy to deploy with minimal disruptions to end users
- Appropriate emergency procedures to recover forgotten passwords or lost tokens
- Transparent encryption minimizing additional end-user training
- Easy and central management. This is especially important for enterprises who have 1000s or 100s of 1000s of users. The ability to effectively manage different users, devices and encryption keys quickly and easily is very important
- Logging, reporting and audit capabilities for proof of compliance and forensic investigations
- Protection of data stored on other media. Often hard disk encryption is just one of the encryption technologies deployed. For example, enterprises may also choose to encrypt removable media. Solutions that provide a broader scope of protection may be appealing to some users
- Quick and secure decommissioning of drives, ensuring that the encrypted data can never be read later
Full disk encryption technology choices
The above list is not exclusive or exhaustive but is helpful in evaluating the benefits and limitations of the various options. The disk encryption options include software-based, operating system based, disk based and PC chipset based:
- Software based encryption of hard disks: In general, software based solutions are activated during pre-boot (before the PC’s operating system loads) via an authentication mechanism which results in a key that is used to access the encrypted media and subsequently to load the operating system. Usually these solutions are fully user-transparent; only the administrator has to perform administrative tasks such as configuration, key management and user management. The functionality includes full or partial hard disk encryption independent of the file system, secure key management (the enciphering key is derived dynamically from the password entered and is not stored on disk), secure protection in each power mode including hibernation and stand-by, and enterprise class recovery and reset of forgotten passwords. Pros – sophisticated and mature solutions protecting all types of use scenarios (millions of installations are in operation worldwide) and cross-platform support (operating systems and hardware). Cons – an additional software solution that has to be integrated and maintained, and an additional application that uses CPU resources, although one that is not normally noticed by end users, especially on newer PCs.
- Operating system – Microsoft BitLocker™ Drive Encryption: With the launch of Windows Vista, Microsoft integrated BitLocker full disk encryption into the Windows Vista Enterprise and Ultimate versions. Normally, BitLocker only encrypts the system partition. The system requires an active unencrypted partition, which contains the boot loader and, if needed, a rescue system, to properly start the computer. BitLocker, by design, relies heavily on the security of the Trusted Platform Module (TPM). The software components are checked at boot time with the TPM, and the volume will not be accessible if these components have been tampered with. Pros – BitLocker is included with the operating system. Cons – requires the correct Vista version; requires refreshing the hardware with the correct version of the TPM for optimal security; does not offer protection for other types of devices such as removable media (even though the focus of this article is on full disk encryption, many enterprise customers also demand removable media encryption as a complement to full disk encryption).
- Hardware based encryption of hard disks: With this technology, data is encrypted by the hard disk as it is being written. The encryption and decryption are performed on the hard disk itself. The hard disk can be decommissioned (i.e. the data wiped out) by erasing the keys on the disk. Pros – the encryption is faster than pure software based solutions, and keys are more secure as they are never stored in RAM. Cons – proper key management, covering the entire lifecycle of keys, authorized users, roles and groups, is not done by the drive (an external solution is required); this technology cannot be deployed on existing drives, so the drives have to be replaced, a time-consuming process in a large enterprise with fixed hardware refresh schedules that span months or years; and, as with BitLocker Drive Encryption, removable media encryption requires a separate solution.
- PC chipset based encryption of hard disks: The data is encrypted by the PC motherboard chipset as it is being written to the drive. The encryption/decryption is done at the hardware level. (Note: since this technology is not yet available, the pros/cons are best guesses.) Pros – the encryption is faster than pure software based solutions, keys are more secure as they are never stored in RAM, and different types of hard disks are supported. Cons – management of encryption keys, multiple users, policies and logs may not be available natively and may require support from 3rd-party software. A homogeneous infrastructure is necessary (every PC needs the latest chipset offering disk encryption capabilities); given hardware refresh cycles, this transition will not be immediate.
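The BitLocker item above notes that it normally protects only the system partition and relies on the TPM, and the first section lists the criteria an enterprise would audit against (mandated cipher, all data protected, recovery procedures, reporting). The following script is an added example, not code from the original article or from any product it mentions; it assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 or later, so not the Vista-era tooling the article discusses), an elevated session, and the policy values shown, which are assumptions:

```powershell
# Added example (not from the original article): audit one Windows host's BitLocker
# state against the evaluation criteria from the first section. Assumes the built-in
# BitLocker / TrustedPlatformModule modules and an elevated session. The policy
# values below are assumptions chosen for illustration, not taken from the article.
$Policy = @{
    AllowedMethods  = @('XtsAes256', 'Aes256')   # "AES-256 mandated" criterion
    RequireRecovery = $true                      # emergency recovery criterion
    RequireTpmForOs = $true                      # OS volume bound to TPM measurements
}
function Get-BitLockerCompliance {
    param([hashtable]$Policy)
    $tpm = Get-Tpm
    $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $findings = @()
        # Criterion: every volume protected, not only the system partition
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "protection $($vol.ProtectionStatus), status $($vol.VolumeStatus)"
        }
        # Criterion: cipher in line with the mandated policy
        if ([string]$vol.EncryptionMethod -notin $Policy.AllowedMethods) {
            $findings += "cipher $($vol.EncryptionMethod) not in policy"
        }
        # Criterion: a recovery path exists for a forgotten PIN or lost key
        if ($Policy.RequireRecovery -and ($types -notcontains 'RecoveryPassword')) {
            $findings += 'no RecoveryPassword protector'
        }
        # Criterion: OS volume unlock is bound to the TPM and the TPM is usable
        if ($Policy.RequireTpmForOs -and $vol.VolumeType -eq 'OperatingSystem') {
            $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
            if (-not $tpmBound) { $findings += 'OS volume not TPM-bound' }
            if (-not $tpmReady) { $findings += 'TPM absent or not ready' }
        }
        # One record per volume, suitable for a central audit log
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Volume     = $vol.MountPoint
            Type       = [string]$vol.VolumeType
            Cipher     = [string]$vol.EncryptionMethod
            Protectors = ($types -join ',')
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
            Checked    = (Get-Date).ToString('o')
        }
    }
}
# Write the per-volume records out for collection (output path is a placeholder).
Get-BitLockerCompliance -Policy $Policy | Export-Csv -NoTypeInformation -Path "$env:TEMP\bitlocker-audit.csv"
```

A data volume that BitLocker has left unencrypted shows up as a non-compliant record, which is exactly the "only the system partition" gap the article describes.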
Limitations of the newer full disk encryption technologies
One can draw several conclusions from the above discussion. First, traditional software based encryption will eventually be replaced by the alternative technologies described above. Second, in the immediate future, enterprises will have several technologies to choose from, and this will lead to a mixed environment which will have to be managed consistently for compliance. Third, the newer alternative technologies (i.e., OS-, disk- and chipset-based) do not yet have enterprise grade encryption management capabilities and would need to interface with the functionally mature encryption management consoles of existing software-based encryption, which have evolved over many years and millions of deployments. These security-mature consoles also serve the important function of giving administrators consistent security control in IT environments that have a mix of the technologies described above.
When compared with the management offered by software-based encryption, the shortcomings with the newer security technologies – hardware or operating system based – include:
- Effective central administration of security policies: The ability to use existing definitions (e.g. users, keys, roles) available in directory services such as Active Directory and to apply security policies based on those definitions. Consistent policy enforcement is vital for ensuring compliance. Another important consideration is that the newer solutions do not allow the separation of system management from security management functions – an important consideration within huge enterprises where an organizational separation of these duties is already implemented per security best practices.
- Key management: Fundamentally, encryption requires appropriate key generation and management, covering the entire lifecycle of keys, authorized users, roles and groups. It needs to provide answers to questions such as how to create, distribute, manage, recover, protect and withdraw keys and the associations between machines, users (or groups) and their keys, regardless of whether keys are stored on media, on smartcards or even in the TPM. Central key management and a single point of administration, where all users, keys, security policies and incidents are managed, are mandatory.
- Appropriate recovery and emergency procedures in case of forgotten passwords or lost tokens
- Integration into existing IT environment: tokens for user authentication or biometric methods
- Limited logging, reporting and audit capabilities
- In addition to disk encryption, protection of data stored on other media – encryption of removable media (incl. USB sticks, CD/DVD), files stored on servers, and e-mails
A proposal for managing the newer encryption technologies
The new technologies provide a basic set of functionalities. As discussed above, these need to be extended for enterprise use. Existing software solutions need not compete with the newer solutions but can instead integrate them in a way that completes and manages such solutions, in order to effectively meet the demands of enterprises for security of data at rest – combining the strength of a basic function set with the advantages of the existing software product portfolio. This ideal encryption solution would include:
- Integration, enhancement and management of basic 3rd-party security mechanisms: For example, regardless of whether BitLocker Drive Encryption or FDE drives are used, both basic security approaches are well integrated into the environment of the encryption management solution. Therefore customers can rely on an easy to use solution which complements the basic infrastructure measures where necessary to address enterprise demands. Mixed environments would also be supported. Customers benefit from investment protection if they have these technologies deployed.
- Encryption of all data: By offering solutions which encrypt data at rest, in motion and in process, the basic 3rd-party security mechanisms can be integrated very easily into a holistic concept which covers almost every need for data security, especially protecting data on removable media, network shares or e-mails, which are not covered by the above solutions.
- Other requirements that are summarized in the first section.

Solution Example: Administration of BitLocker in an enterprise environment
SafeGuard Enterprise is the first and only solution that fully manages Windows Vista BitLocker Drive Encryption. It extends the manageability of BitLocker Drive Encryption by providing key management, centralized reports/logs, and password recovery. SafeGuard ensures consistent security in mixed OS environments, including Vista.

Figure 2: “BitLocker preferred” option in SafeGuard Enterprise