Security Basics mailing list archives

RE: Why not encrypt the whole Hard Drives?


From: "Mark Brunner" <mark_brunner () hotmail com>
Date: Fri, 13 Oct 2006 20:40:49 -0400

Cost and performance are definitely something to consider.  Realize that as
the system's disk fills up and fragments, it gets slower and slower, so
initial tests on a clean system do not provide good KPIs.  During system
use, the swapfile, which will also be encrypted, may be used often.  This
will slow your user down as well.

You also have to worry about key management.  What happens when the user
forgets YAP (yet another password)?  What about when they leave?  Who can
access the system and its encrypted files?  How long will the password
remain the same?  How is it changed?  How is the change recorded by the
escrow (if there is one)?

What is to prevent the user from writing the password down (YAP)?  Probably
on a slip of paper in the laptop case, or a sticky on the keyboard.  This
was the situation at a large firm that I know of that provided loaner
laptops to staff for presentations and weekends.  Sticky attached with
domain, username, password.  Quite handy!  Thanks!

Going to use a token?  Great idea, but what happens when that breaks?  I've
seen a number of RSA tokens that couldn't be read due to being caught in a
door, stepped on, etc.  What if it is lost?  It happens.  How is a new token
assigned?

Is it worth it?  Only if you are willing to invest the time and funds to do
it right, AND the users are willing and committed to make it work.  Measure
the cost of the whole solution against the risk of theft and the value of the
data you are trying to protect.  (It's usually worth it, but it is more
costly than most estimates if done right.)

Cheers!
Mark

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Saqib Ali
Sent: Thursday, October 12, 2006 6:00 PM
To: security-basics
Subject: Why not encrypt the whole Hard Drives?


Security Breaches Data reveals that most of the data leaks were caused
due to stolen laptops, which can be easily mitigated by using full
disk encryption on the laptop. So why not encrypt the whole drive?
Cost and performance impact are the usual arguments. Tests show that
access time increases by 56%-85% after encryption. And the cost of FDE
software usually ranges from $0-$300 depending on how good of a
software and support you wanna get. So is it worth it?

Data from tests (performance impact) of the FDE products:
http://www.xml-dev.com/blog/index.php?action=viewtopic&id=250

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


