Encryption is something all companies should use. Frank Schlottke from Applied Security looks at different approaches to data encryption and discusses the pros and cons that must be examined to ensure a best fit solution.

With stories of data going missing almost daily, it's difficult to understand why more of it is not encrypted. After all, the most effective countermeasure against the theft or loss of critical or sensitive data is to encrypt it. If it gets into the wrong hands, it remains worthless unless the keys can be compromised to decipher the information.

One of the problems may be that there is a multitude of software solutions on the market that claim to offer the answer and it is difficult to select the one that will best fit your needs. And get it wrong and your data could be lost forever.

Different methods for different requirements

Before choosing any encryption solution, it is essential to clarify exactly what the encryption is needed for to specify and classify the data that needs to be protected. If the aim is to secure correspondence with the outside world and data on the move for example, the ideal solution may be a virtual private network (VPN) or email encryption.

While it is easy to think that encryption is encryption is encryption, there are big differences in the solutions available on the market; and of course the most suitable method will depend on your requirements.

One of the biggest concerns about encryption is that it presents a barrier to day-to-day workflow and is complex to use and manage. So, a critical factor for enterprise systems is the ability to encrypt data automatically and seamlessly, without user interaction.

Hard drive encryption

Probably the most common solution is hard drive encryption, which is mainly used on notebooks and other portable devices. These encryption solutions encrypt the entire hard drive or at least one partition of it sector by sector.

Only by entering the correct password, which in many cases needs to be provided before booting (called pre-boot authentication or PBA), can the computer be started and data accessed as usual.

Even removing the hard drive or booting from CD won't work unless the correct password is known. Hard drive encryption solutions help in cases where a computer is stolen or lost. And since the entire hard drive is encrypted, users don't have to think about where to store data to ensure it is protected.

Unfortunately it does also have disadvantages that make it unsuitable for every encryption application. The biggest and perhaps the most crucial disadvantage is that hard drive encryption only has two states: all data locked or all data readable.

As soon as the user is logged on using the correct password, all data can be accessed - and this includes other users connecting to the computer via the network. This renders hard drive encryption solutions totally unsuitable for protecting running workstations or servers on a company network. And notebooks are not always operated offline so may provide a back door to sensitive data.

A hard drive encryption solution does not allow for the definition of different work spaces with distributed access rights to encrypted data for individuals, workgroups or departments, for example. It is also important to note that a hard drive encryption solution encrypts non-sensitive data and as every program start requires some decryption, this causes unnecessary system load and delays.

Container encryption

An encrypted container is a virtual drive that automatically encrypts all of the data stored in it. Only the owner of the proper key is able to open the container and decrypt the data.

For the authorised user, the virtual drive looks just like a partitioned drive. Technically speaking, a container is just a file encrypted for one individual user, so that data remains locked away and protected from anyone else; even when accessing the physical drive via the network.

One disadvantage of a container encryption solution is that users have to be careful when storing their sensitive information because it is only protected within the container. A more crucial disadvantage is that containers generally do not allow shared access for workgroups and provide no central administration, making them suitable mainly for single PCs.

File and folder encryption

As the name implies, solutions of this kind encrypt files in pre-defined folders. These solutions make use of the existing folder structure on file servers or local hard drives, so that the network administration does not have to be interfered with. Also, standard processes such as automated backups are not affected. The only difference is that the files written to backup are encrypted.

File and folder encryption solutions available on the market provide similar features like multiple user and workgroup support or central administration. Their differences lie mainly in manageability.

Potential buyers must be sure to check whether the many features promised on product data sheets actually match their requirements or whether they are just gimmicks that merely complicate administration without providing any real benefit. Less is often more.

File and folder encryption is the only one among the encryption solutions discussed here that provides protection for the network as well as for local hard drives. However, like container encryption, the user must be careful to store data in the correct place.

Security doesn't have to be complicated

Many providers of encryption solutions push their products on the basis of crypto algorithms, complex password rules and highly granular configuration options.

In the end, this can lead to a product that can't be used without costly training and consulting services. Also, some of the more complicated solutions have high requirements regarding the system environment required to operate the software or need an existing fully rolled-out Public Key Infrastructure, for example.

These issues must be clarified prior to the purchase. And other key aspects influencing the choice of a solution should be: 

  • Impact on the existing workflow of users;
  • Options for central administration;
  • Support for workgroups;
  • Easy and clearly laid-out configuration;
  • Separation of power between system administrator and security officer;
  • Emergency recovery in case of a key loss.

When making a decision on which product best meets your requirements, it is important not to be taken in and influenced by technical gimmicks. What really matters is the product's suitability for daily use.

It is not just a commodity or cost factor but also a very important aspect of security. And nothing is more insecure than a security solution that is poorly configured and makes companies think they are covered, while in fact it is not delivering that vital protection.