Encryption protects data by rendering it unreadable without the associated key. Thus, encrypted hard drives secure the entirety of data stored on a given device. While not a substitute for other cybersecurity measures that restrict access, disk encryption software provides a sort of “last line of defense” effort. When employed, it often means the difference between succeeding and failing to prevent data loss and its repercussions should a hacker breach your IT environment.
The Business Benefits of Encrypted Hard Drives
Every enterprise that stores sensitive or important operational data benefits from encrypted hard drives. Hard disk encryption ensures that all data stored on a given device is rendered unreadable and remains so without supplying the password necessary to access the encryption key.
Your organization’s data instantly becomes more secure by employing hard disk encryption, but understanding the benefits requires familiarity with:
- How disk encryption works
- Examples of situations where disk encryption is a difference-maker
- Disk encryption best practices
- Additional cybersecurity measures to combine with disk encryption
Enterprises not only benefit from disk encryption software, but the regulatory compliance frameworks they must adhere to may require it and other cybersecurity tools leveraging cryptography.
How Does Disk Encryption Work?
Disk encryption provides “always-on” passive security for devices. The data stored on an encrypted hard drive cannot be read directly or by a different operating system—it can only be read if the device also stores the password-protected encryption key.
Hard drives secured with this measure rely on symmetric encryption, which uses an algorithm-based key to encrypt and decrypt data. The encryption key may be stored on a single device or multiple devices, facilitating data transfer and readability across an organization’s network.
Disk Encryption Software Processes
When first installed and activated, disk encryption software will generate a key and begin making the device’s data unreadable without it. The initial encryption process may take a few hours to complete but should not noticeably impact computer processing or work activity speeds beyond that.
An individual must provide the set password that allows the encryption software to access the key, resultantly decrypting the data for use. For device-level encryption, the user must only enter the key password at or immediately following authentication.
Disk encryption software functions as an intermediary during daily operations to ensure protection without interrupting or delaying activity. When a program produces data, it is encrypted before being saved to the disk. When a user later accesses that data, it is decrypted before it’s presented to a given program.
Why Your Business Needs Disk Encryption—Scenarios
Cybersecurity requires a holistic approach for success, incorporating numerous and varied layers in case of an intruder managing to bypass a given protection. For example, if an intruder breaches your firewall perimeter by hijacking a user account, then the account’s configured permissions can still restrict access to specific network locations.
Similarly, suppose an intruder manages to access network storage locations successfully, or a lost or stolen device ends up in malicious hands. In that case, encryption prevents them from being able to use the data. Thus, disk encryption is necessary for businesses as it provides “failsafe-type” protection for individual devices and IT environments.
Disk Encryption Compliance Requirements
Aside from disk encryption’s inherent cybersecurity benefits, many organizations may require its implementation to adhere to applicable compliance frameworks. Most notably, organizations can meet the Payment Card Industry (PCI) Data Security Standards’ (DSS) cardholder data security requirements with disk encryption software.
PCI DSS Requirement 3 and its encryption-relevant sub-requirements state:
- Requirement 3 – Protect stored cardholder data.
- 3.2 – Don’t store sensitive authentication data following user authorization (even if it’s encrypted).
- 3.4 – Render credit card primary account numbers as unreadable wherever they are stored (e.g., portable digital media, backup media, logging, wirelessly received data).
- 3.5 – Document and implement procedures to prevent encryption key disclosure or misuse.
- 3.6 – Document and implement secure key management processes and procedures regarding cryptographic keys that encrypt cardholder data.
Nearly all organizations that store, process, or transmit credit card data are subject to the PCI DSS, which makes disk encryption a widespread compliance requirement across nearly all industries. Although the National Institute for Standards and Technology (NIST) issues guidance rather than explicit compliance requirements, numerous Special Publications cover disk and device encryption, including:
- NIST SP 800-53
- NIST SP 800-57
- NIST SP 800-111
Additional Forms of Device Encryption
Disk encryption software counts among various methods that leverage cryptography to secure data. Cybersecurity measures that provide similar device-level protections include disk encryption hardware and mobile device encryption.
Disk Encryption Hardware
Disks can also be encrypted via their hardware. This method separates encryption key storage from the device’s CPU, which eliminates a vulnerability in software-based encryption where unencrypted data may be stored in computer memory.
Hardware encryption also does not need to act as an intermediary between data and programs as software-based solutions do—providing additional processing speed. Initial disk encryption software previously caused significant operational lag due to the extra steps involved. However, processing delays have continually decreased as the technology develops further and is no longer an issue.
The most significant drawback of hardware encryption is that it’s expensive. An organization would typically need to replace its device inventory to implement hardware encryption. In contrast, software-based disk encryption provides a scalable solution that any organization can implement on all of its devices.
Mobile Device Encryption
Mobile devices do not rely on hard drives for their storage but, rather, solid state memory. However, regardless of the differences, smartphones may be encrypted at the device level to render their data unreadable.
Much like disk encryption, the encryption key cannot be accessed until the user authenticates themselves with the smartphone’s passcode. Until the device is unlocked, the data will remain encrypted.
Both iOS and Android devices natively support encryption, but users must activate the functionality. Organizations that provide their employees with work phones should require that device encryption be enabled as a part of their security policies and ensure that the setting has been enabled before distributing them.
Best Practices for and Complementary Measures to Disk Encryption
Disk encryption instantly improves any organization’s cybersecurity, but organizations should regard it as one component of a holistic strategy. Additionally, complementary measures should integrate with disk encryption software, and security policies should inform employees regarding their adherence to best practices that will help ensure optimal protection.
Complementary measures to and best practices for disk encryption include:
- Develop secure key management processes
- Change encryption keys often
- Combine disk and file-level encryption
- Back up data continually
- Adopt complex passwords and passphrases for securing keys.
- Implement a key recovery plan, should a password be forgotten or lost
- Protect all workstations and devices with robust endpoint management and security
Encryption Key Management
Keys must be managed appropriately for disk encryption software to provide security. Encryption key management spans their generation, exchange, use, storage, and disposal. Keys should only be exchanged through secure channels and never transmitted as plain text. Generally, secure key storage is based on keeping the key and the encrypted data in separate locations.
The most significant challenge for key management is maintaining secure processes at scale. As organizations expand, so does the sensitive data they must secure, often via encryption; increasing amounts of encrypted data require additional encryption keys. Security teams generally rely on dedicated management software for encryption key management and storage.
Change Cryptographic Keys Often
Organizations should frequently change their cryptographic keys to make data breach attempts even more difficult. This practice mirrors configuring your organization’s password expiry settings to require users to reset credentials over a fixed period (e.g., every 90 days).
However, security teams should not delete encryption keys immediately following a change on the chance they need to reactivate them to recover data. Once a key has been deleted or altered, the data cannot be decrypted for use.
If organizations need to dispose of sensitive data—as is the case for some compliance frameworks, like PCI DSS—they can use this permanent encryption method to destroy it securely. Deleting or altering cryptographic keys to render data forever unreadable is known as “crypto-shedding.” Alternatively, some encryption management systems allow for key recovery via backup decryption capabilities.
Adding File-Level Encryption
Data may be encrypted at the disk or file level, or both for even more robust security. One key is used to protect the entire hard drive with whole disk encryption, whereas file-level encryption relies upon individually specific keys. A primary advantage of whole disk encryption is that it’s comprehensive, protecting the operating system, software programs, directories, and all other data on the hard drive.
Encrypting a hard drive could be considered analogous to locking your car. Without the key (and fob) to unlock it, your vehicle and personal items kept inside remain secure. However, locking your car doors merely provides an external barrier of protection. Should the intruder swipe your car keys, they can unlock the vehicle and ransack it. Likewise, if a cyber attacker gains access to your encryption key, whole disk encryption‘s security is similarly negated.
For this reason, many organizations may choose to incorporate both whole disk and file-level encryptions. Continuing the analogy, many old cars commonly had different keys that drivers for accessing other parts of their vehicle. For example, you might have separate keys to lock the doors, turn the ignition, and access the glove compartment. Combining whole disk and file-level encryption protects your data even if the former becomes compromised.
Continually Performing File Backups
Organizations should back up all encrypted data as a routine best practice, especially before performing the initial hard disk encryption. Organizations should adopt this as a best practice for the same reasons that security teams can rely on crypto-shedding to perform secure deletion. If the encrypted data is critical to operations, an organization cannot afford to lose it permanently due to a lost key.
Complex Passwords and Passphrases
Organizations need to adopt strict management policies and require sufficient complexity for the passwords that grant key access to drive encryption software. As NIST aptly states: “[Encryption] keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration.” Therefore, the passwords that secure the “safe combination” must be protected similarly.
To adopt the utmost security, organizations should use randomly generated passwords or passphrases. While randomly generated passwords provide excellent protection, they are challenging to remember, leading to employees writing them down. However, sticky notes cannot themselves be encrypted, and—should a malicious agent discover a written password—all other security efforts will become useless.
In contrast, passphrases can be readily remembered by users while providing similar protections. It’s significantly easier to remember a familiar phrase than a random string of alphanumeric characters regardless of its length. However, choosing too-common of a phrase or one easily determined via social engineering will not likely provide sufficient security.
Endpoint Security Management
Implementing endpoint security or contracting a third-party service to manage these efforts provides one of the best compliments to hard disk encryption. The encryption protects device data, but as stated, it should not be relied upon exclusively. Endpoints (i.e., all devices and workstations connected to an organization’s network) increasingly complicate attack surfaces as they provide hackers with possible entry into systems and storage locations.
Organizations may choose to implement their endpoint management software on their own or contract the responsibility out as a service to cybersecurity experts, such as RSI Security.
Among other measures, endpoint management should include:
- Kernel-level event analysis
- Detection and response
- Virtual private networks (VPNs)
- Web and email filtering
Implementing Disk Encryption Software
Disk encryption software should sit high atop the priority list of any organization merely for the cybersecurity improvements cryptography offers, especially if employees are provided with laptops or other mobile devices. The propensity to lose a device and malicious hackers’ capabilities of accessing its data require stricter methods than exclusively relying on authentication and access control.
If an intruder cannot access or read encrypted data regardless of their successful breach attempt, they cannot perform any actions on or activity within it. That is the value of encrypted hard drives.