Installing full-disk encryption
GCN QuickFind No. 861
- By David Cassel
- Oct 19, 2007
Will full-disk encryption be hard to implement? Maybe not. It's often not as bad as you think.
"If you have a distribution tool in place, encryption software is just another package you send out," said John Girard, vice president and distinguished analyst at Gartner. He recommended giving users a certain time frame to perform the installation and suggesting that they run it overnight so it won't disrupt their work. "These encryption products will all tell you that you can continue to work while they're installing, but it's not a good idea. I don't think it's a good idea to interrupt something that's encrypting your hard drive."
If all your hardware meets the necessary specifications, Girard sees smooth installations, though he still recommends trying it on a test group first.
"Test on your platform, make sure they all have enough RAM and memory, and you can roll this stuff out very fast. I've seen thousands of installations in a week," he said. But a little training might also be necessary before the first sign-on to keep users from being locked out of their own systems. "There's a certain amount of interaction that's required for the user to identify themselves to their machine," said Girard, "and I've seen users mess this up."
With some solutions, that first full encryption can take hours. But at the Burton Group, senior analyst Trent Henry puts it into perspective. "If the encryption chose to only encrypt the boot partition table, it'd be faster, but weaker. That's almost always a trade-off."
"There [are] configuration things that you have to do with every product," said Oregon Treasury security administrator Dan Roddy, though he quickly added a cautionary note to vendors: "I have a pain threshold." Fortunately, it only took him a couple of hours to install Voltage's SecureDisk solution on his 25 laptops.
And at California's Franchise Tax Board, systems security analyst Chris Rushkin is having an even easier experience: New laptop PCs are ordered with the encryption component already installed.
"We buy it with every single new PC we purchase now. We implemented a program of making sure that all laptops were ordered with the Encryption Plus product," from GuardianEdge, he said.
Before this blanket approach, however, full encryption could be a time sink for the agency. "When I first had a laptop, it took me a couple hours to fully encrypt a 40-gig drive initially. But since our IT asset center deploys the laptops to the end user, it's already installed for them."
That ease of use is an experience Seagate seeks to replicate with its hardware-based solution, in which the drive itself does the encrypting. "Ours just automatically encrypts," said Joni Clark, notebook marketing manager at Seagate. "Once you write, you're encrypting."
David Vergara, marketing director at CheckPoint, said his company's Pointsec encrypts in the background so it doesn't impact users. "There is some software out there where the initial encrypting ties up the machine. On ours, we actually have a throttled-back deployment mechanism that puts us as a secondary item on the machine and allows the user to use the machine while it's encrypting all the contents in the background," he said. Even if there's a power outage or the machine suddenly crashes, "once you log back on and power up, it's going to continue doing it in the background until it's 100 percent encrypted."
And Pointsec is also aiming for a transparent user experience, said Vergara. "It gets deployed like any other IT software; the user is completely unaware. They will only see it if it's configured for the pre-boot authentication. If the enterprise decides that they want to do a Windows-integrated sign-on, the user will not even know it's there."