CREDANT Recovery Process Comparison

The Truth About Full Disk Encryption

Full-Disk Encryption: Five Questions To Ask Before You Buy

Does this FDE product manage the encryption of data on all of your devices from a Web-based console?

If you get a call at 3:00 a.m. from the CEO saying her laptop was stolen, can you log in and quickly verify that the data was encrypted, along with the date and time it was encrypted? Can you immediately send a suspend command to the computer so no one can access the data? With CREDANT endpoint data security solutions, you can. With CREDANT you can also manage the policy for USB drives, handhelds, smartphones, CD/DVD recorders, iPods and other devices from a central location.

Are the encryption keys stored on the user’s computer or on the corporate server?

Where the encryption keys are stored is important. If keys are stored on your user’s device and something goes wrong during encryption (and with FDE, something often does go wrong), there are no keys to recover. Worse yet, many FDE solutions provide no key management and instead require anonymous shares to be opened for key escrow, which leaves all keys open to attack by anyone with access to the share. With CREDANT, you have true automated and transparent symmetric key management. All encryption keys are centrally generated and securely stored automatically on the organization’s server before anything is encrypted.

What happens when a security or OS patch is required?

With FDE, everything on the disk is encrypted. So how do you apply a patch to the operating system if it is encrypted? You create a "ghost" user or construct the key automatically to allow the machine to apply the patch prior to login, creating a potential data security breach. CREDANT does not require open keys or "ghost" user accounts and does not require any changes to existing patch management procedures.

Do you have to connect to the network to get policy updates?

Most FDE products are either on or off; they have no local policies. What happens when a thief steals the laptop? With CREDANT, as soon as the thief logs on to the machine, a command is immediately sent to suspend all data access. But CREDANT does not have to wait for a network connection. Local policies on the computer can be set to automatically erase all data based on specific actions, including the number of attempts allowed to log in.

Can you deploy an FDE product as part of your standard image?

With FDE, this is impossible. You have to apply your standard image and then add an additional step to your provisioning process to encrypt the disk. Bottom line, with FDE you defeat the purpose of a single corporate image. CREDANT can be included as part of your standard image.