Security Basics mailing list archives
RE: Why not encrypt the whole Hard Drives?
From: "Mark Brunner" <mark_brunner () hotmail com>
Date: Fri, 13 Oct 2006 20:40:49 -0400
Cost and performance are definitely something to consider. Realize that as the system's disk fills up and fragments, it gets slower and slower, so initial tests on a clean system do not provide good KPIs. During system use, the swapfile, which will also be encrypted, may be used often. This will slow your user down as well.

You also have to worry about key management. What happens when the user forgets YAP (yet another password)? What about when they leave? Who can access the system and its encrypted files? How long will the password remain the same? How is it changed? How is the change recorded by the escrow (if there is one)?

What is to prevent the user from writing the password down (YAP)? Probably on a slip of paper in the laptop case, or a sticky on the keyboard. This was the situation at a large firm that I know of that provided loaner laptops to staff for presentations and weekends. Sticky attached with domain, username, password. Quite handy! Thanks!

Going to use a token? Great idea, but what happens when that breaks? I've seen a number of RSA tokens that couldn't be read due to being caught in a door, stepped on, etc. What if it is lost? It happens. How is a new token assigned?

Is it worth it? Only if you are willing to invest the time and funds to do it right, AND the users are willing and committed to make it work. Measure the cost of the whole solution against the risk of theft and the value of the data you are trying to protect. (It's usually worth it, but it is more costly than most estimates if done right.)

Cheers!
Mark

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Saqib Ali
Sent: Thursday, October 12, 2006 6:00 PM
To: security-basics
Subject: Why not encrypt the whole Hard Drives?

Security Breaches Data reveals that most of the data leaks were caused due to stolen laptops, which can be easily mitigated by using full disk encryption on the laptop.
So why not encrypt the whole drive? Cost and performance impact are the usual arguments. Tests show that access time increases by 56%-85% after encryption. And the cost of FDE software usually ranges from $0-$300 depending on how good of a software and support you wanna get. So is it worth it?

Data from tests (performance impact) of the FDE products:
http://www.xml-dev.com/blog/index.php?action=viewtopic&id=250

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------