With the advent of self-encrypting drives (SEDs), manufacturers have not only removed the performance penalty but also made the devices extremely secure, not least because the encryption keys are stored on the physical drive itself. The encryption function is implemented in silicon rather than software, which makes it more secure and, just as importantly, keeps the encryption overhead down. Because of the way self-encrypting drives are designed, the key never leaves the device, making key extraction virtually impossible.
“Implementing self-encrypting drives that provide hardware-based AES 256-bit encryption has fast become an easy to manage and cost-effective solution to stop data breaches through the theft or loss of computers, laptops and tablets containing confidential company, customer and client information.” – Pasi Siukonen, Team Leader Technical Resources Group at Kingston Technology.
Now that we have discussed the why, it is time to turn our attention to a high-level "how". As part of those business requirements, a forward-looking company will design and develop the processes needed to deliver them, including the processes required to handle the encryption-related support calls that will come in.
One of the most important things to consider is the management of a chosen encryption system. There are several practicalities that must be considered when looking at the “how” of setting up encryption for mobile devices within a business.
The business must be able to manage the encryption and the devices in question centrally. Administrators need to be able to manage not only the encryption but also access to the management platform. Good security and auditing of the critical cryptographic platform are key. It should also go without saying that the cryptographic management platform should be redundant. Avoid putting all the eggs in one basket (server).
Conversely, the encryption and security must be as transparent as possible to end-users. End-user downtime causes lost productivity and therefore directly impacts costs, as well as creating negative perceptions of the IT department.
At the same time, any data on the drive must remain accessible. Employees frequently leave, and the data must stay available after its owner has gone while still remaining secure against loss or theft.
For this reason, solutions such as BitLocker and VeraCrypt, while robust and secure, can be more complex to manage and usually lack the key feature: an agnostic management framework that covers the full range of requirements for deployment at scale. They are also often restricted to a single operating system. A solid framework is both agnostic and easy to consume. Amongst the most well-recognised frameworks is TCG (Trusted Computing Group) Opal.
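Before an Opal-based management platform can be rolled out, an administrator needs to know which drives in the fleet are actually Opal-capable and, for those that are, whether locking has been enabled; an SED whose locking feature is off encrypts the media but hands the data to anyone who can attach the drive. The following Python script is an added example written for this article, not code from the article or from any vendor. It parses constructed sample text laid out in the shape of the open-source `sedutil-cli --scan` listing and the "Locking function" line of `sedutil-cli --query`; that column layout and flag syntax are assumptions about the tool's output, so confirm them against your own version before trusting the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of `sedutil-cli --scan` output (assumed
# columns: device, Opal support flag, model, firmware revision).
SCAN_OUTPUT = """\
Scanning for Opal compliant disks
/dev/sda    2  Samsung SSD 850 PRO 256GB                EXM02B6Q
/dev/sdb   No  WDC WD10EZEX-00BN5A0                     01.01A01
/dev/nvme0  2  Samsung SSD 970 EVO Plus 500GB           2B2QEXM7
No more disks present ending scan
"""

# Constructed fragments in the shape of the "Locking function" line that
# `sedutil-cli --query <device>` prints, keyed by device (assumed format).
# No fragment for /dev/sdb: a non-Opal drive has nothing to query.
QUERY_OUTPUT = {
    "/dev/sda": "Locked = N, LockingEnabled = Y, LockingSupported = Y, "
                "MBRDone = N, MBREnabled = N, MediaEncrypt = Y",
    "/dev/nvme0": "Locked = N, LockingEnabled = N, LockingSupported = Y, "
                  "MBRDone = N, MBREnabled = N, MediaEncrypt = Y",
}


@dataclass
class Drive:
    device: str
    opal: Optional[str]            # support flag ("1", "2", "E", ...) or None if not Opal
    model: str
    firmware: str
    locking_supported: Optional[bool] = None  # None until the drive is queried
    locking_enabled: Optional[bool] = None


# device, flag, model (lazy, may contain spaces), firmware (last token)
SCAN_LINE = re.compile(r"^(/dev/\S+)\s+(\S+)\s+(.+?)\s+(\S+)$")
# "Name = Y" / "Name = N" pairs inside the locking-function line
FLAG = re.compile(r"(\w+)\s*=\s*([YN])")


def parse_scan(text: str) -> List[Drive]:
    """Turn the scan listing into Drive records, skipping header/footer lines."""
    drives = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if not m:
            continue
        device, flag, model, fw = m.groups()
        opal = None if flag.lower() == "no" else flag
        drives.append(Drive(device, opal, model, fw))
    return drives


def parse_locking(fragment: str) -> Dict[str, bool]:
    """Map each 'Name = Y/N' flag in a locking-function line to a bool."""
    return {name: value == "Y" for name, value in FLAG.findall(fragment)}


def build_inventory(scan_text: str, query_by_device: Dict[str, str]) -> List[Drive]:
    """Join scan results with per-drive locking state where a query exists."""
    drives = parse_scan(scan_text)
    for d in drives:
        fragment = query_by_device.get(d.device)
        if fragment is None:
            continue
        flags = parse_locking(fragment)
        d.locking_supported = flags.get("LockingSupported")
        d.locking_enabled = flags.get("LockingEnabled")
    return drives


def compliance_gaps(drives: List[Drive]) -> Dict[str, str]:
    """Return device -> reason for every drive that is not yet protected by Opal locking."""
    gaps = {}
    for d in drives:
        if d.opal is None:
            gaps[d.device] = "not Opal capable: needs software encryption or replacement"
        elif d.locking_enabled is None:
            gaps[d.device] = "Opal capable but locking state unknown: query the drive"
        elif not d.locking_enabled:
            gaps[d.device] = "Opal capable but locking disabled: media readable without authentication"
    return gaps


if __name__ == "__main__":
    inventory = build_inventory(SCAN_OUTPUT, QUERY_OUTPUT)
    for device, reason in compliance_gaps(inventory).items():
        print(f"{device}: {reason}")
```

Run against the constructed sample, the report lists `/dev/sdb` (not Opal-capable, so it must be covered by a software solution or replaced) and `/dev/nvme0` (Opal-capable but with locking disabled); `/dev/sda` is absent because locking is already enabled. Feeding the script real scan and query output gives the same three-way split across a fleet, which is the starting point for deciding where an Opal management framework applies and where a fallback is still needed.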