Drive Encryption – Why Use It, Who Should Use It and Options for Implementing It
Do you use computers in your organization to work with, process and store sensitive data that if stolen or disclosed could potentially result in damages to an employee, client, student or patient?
- Are your organization’s computers used to access, process or store protected health information (PHI)?
- Are computers in your organization used to work with, access, process or store personally identifiable information (PII)?
- Are computers in your organization used to accept, acquire, process, transmit or store cardholder/credit card data?
If the computers your organization uses have the ability to store information locally including sensitive information, installing disk encryption designed to protect and safeguard that information is a good business practice.
In some cases it is potentially required by State or Federal laws and may be necessary to meet certain industry standards. Listed below are some examples.
Social security numbers, student transcripts, financial aid information and individuals’ health records are federally protected under laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). While encryption is not mandated under HIPAA, it is an “addressable implementation specification”. Specific State privacy laws and institutional policies may impose more stringent requirements than FERPA.
The financial industry has encryption and data guidelines established in legislation such as the Dodd-Frank Act.
Cardholder/credit card data is required to be handled and secured in accordance with the Payment Card Industry Data Security Standards (PCI DSS).
Who should use it –
If your organization is a financial institution or your organization’s computers are used to work with health care data, student transcripts, financial aid information or cardholder/credit card data and this information can be saved locally, you should seriously consider assessing your risks and possible liabilities to determine if encrypting your data is a prudent or necessary safeguard.
To give you a simple example, if you work with protected health information and it is saved on the unencrypted hard drive of a laptop computer that is lost or stolen, you will be in violation of the HIPAA security rule, in which case you must report the security incident to the proper Federal authorities. You may be subject to fines and penalties as well as other mitigation remedies and required corrective actions. If the laptop hard drive was encrypted with appropriate full disk encryption software, then there may be no need to report the security incident or incur fines and penalties, since you had adequate safeguards in place to protect the sensitive information.
Ultimately it is up to your organization’s management, based on their assessment of risk and a due diligence review of the laws and regulations under which your organization operates, to decide whether or not the data and information your organization’s computers access and work with should be encrypted. In most cases it is best to err on the side of caution and use full disk encryption to safeguard data and information.
Options for implementing encryption –
There are a number of tools available in the marketplace that implement disk encryption. You should be aware that they vary in features and security. A proper assessment of your risks and applicable laws and regulations will assist you in determining the most appropriate solution.
Disk encryption solutions basically fall into two categories: software-based, and hardware-based within the storage device itself. Drives that implement hardware-based encryption within the storage device are called self-encrypting drives (SED).
Examples of software-based encryption applications include BitLocker for Windows (Microsoft), Endpoint Full Disk Encryption (Check Point), Endpoint Encryption (Symantec) and VeraCrypt (CodePlex). There are a number of software solutions on the market, so a due diligence review of your needs and product capability is a necessity.
SED drives are available from many hard drive vendors including Seagate Technology, Hitachi, Western Digital and Toshiba, and from solid-state drive vendors such as OCZ, SanDisk, Samsung and Micron. SED drives do have several advantages over a software-based solution. First, since the encryption is done within the storage device itself, there is little to no impact on the performance of your computer or your applications. Second, since the media encryption key never leaves the storage device, it is not susceptible to viruses and malware that may impact the computer’s operating system or your applications.
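Whichever option you choose, the protection described above for a lost laptop only applies if the drive was in fact fully encrypted with protection turned on, so it is worth verifying rather than assuming. The following is an added example, not part of the original article or any vendor's tooling: a PowerShell check that reports the BitLocker state of every volume on a Windows machine. It assumes Windows 10/11 or Windows Server with the built-in BitLocker module (Get-BitLockerVolume) and an elevated session; the function name Get-DriveEncryptionReport is our own.

```powershell
# Added example (not from the original article): report whether each volume
# on this Windows machine is actually protected by BitLocker.
# Assumes Windows 10/11 or Server with the BitLocker PowerShell module
# (Get-BitLockerVolume) and an elevated PowerShell session.
function Get-DriveEncryptionReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Which protectors guard the volume key (e.g. Tpm, TpmPin, RecoveryPassword).
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        # Count a volume as protected only when it is fully encrypted AND
        # protection is on. EncryptionInProgress, FullyDecrypted, or
        # ProtectionStatus = Off (suspended, clear key) all leave data readable.
        $protected = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            PercentEncrypted = $vol.EncryptionPercentage
            Method           = $vol.EncryptionMethod
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = $protectors
            Protected        = $protected
        }
    }
}

# Usage: list every volume, then flag an operating system volume that would
# not count as encrypted at rest if the machine were lost or stolen.
$report = Get-DriveEncryptionReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and -not $_.Protected } |
    ForEach-Object { Write-Warning "OS volume $($_.MountPoint) is not fully protected." }
```

Running this across a fleet (for example through a management tool or remoting) gives an inventory you can point to when assessing the risk and liability questions raised above.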
If you would like some guidance or assistance with assessing your needs or disk encryption options please contact us.