Performance and standards matters
Increasingly, compliance emphasis is being placed on encryption that meets the Federal Information Processing Standard (FIPS) developed by the United States Federal government. This entails the use of either Triple DES (Data Encryption Standard) or 256-bit AES (Advanced Encryption Standard) as the encryption algorithm.
Encryption performance is also a factor to consider. A common criticism levelled at FDE techniques is that they slow down the PCís performance, with the user experiencing delays while data is encrypted and decrypted on the fly. To a certain extent this is true, but misleading. A typical business-oriented machine from a corporate fleet of laptops, built in the last 2 to 3 years, will have the processing power and memory capacity to make any difference in running performance barely noticeable. In fact, the only times that FDE truly impacts on performance is on boot-up or going into hibernation Ė but this is a very modest trade-off for security.
Itís essential that the FDE solution you choose is operative during these wake-up and shut down periods, to avoid security vulnerabilities. Busy users often don't shut down their laptops at the end of a session: they put them into sleep or hibernate mode, so they can start again quickly. It is vital to ensure the FDE solution you choose can encrypt the contents of the laptopís memory during the process of it being written to the drive. If the solution does not do this, a thief can remove the disk drive from a stolen laptop thatís in sleep mode, mount it in another machine, and recall and read the data written from the memory. So support for laptopsí sleep and hibernation modes is critical.
For similar reasons, itís important to choose an FDE solution that encrypts data before the laptop operating system loads, on boot. The FDE solution should take control while the computerís BIOS looks for a master boot record to load, to prompt for the users for their login credentials. This ensures that only authenticated users boot the OS, and minimises the opportunities for manipulating data.
Security in hand
So far, so good and while the examples given relate to laptop PCs, the same concerns are just as valid for PDAs and smart phones which are also platforms for corporate data. Because these devices vary in operating system Ė from Symbian, Pocket PC and Windows Mobile to Palm Ė and architecture, an easy security solution is harder to define than for an Intel PC platform.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.