Vormetric Big Data and Cloud Security

Vormetric Blog


Locking Down Data – Full Disk Encryption vs. File Encryption

Warning, Warning, Caution – your system will become exposed in 10, 9, 8, 7… okay, perhaps a tad dramatic. But before we compare full disk encryption and file level encryption, let’s start with a quick story. Once upon a time, vaults were not effective unless banks could control how and when they could be opened. Locking money in a vault did not enable the business unless it was also accessible. Encryption is very much the same. Just as a vault would need to be unlocked at certain times, encrypted data must be accessed securely while resisting threats. Therefore encryption without access control is much like a vault without a lock – it’s all useless.


In Charles Goldberg’s blog post titled ‘Don’t Let your Storage Team be your Company’s Justin Bieber’, he discussed how less than two years ago, individuals’ eyes glazed over when they heard the word encryption. What a difference 18 months (and some of the largest data breaches) can make. Not shockingly, there’s been a real change in the market’s acceptance of encryption.

For most organizations, data is one of their most valuable assets. Unfortunately, these valuable assets come at a premium and are thus the prime target for hackers. It’s no secret that protecting the network perimeter no longer provides the level of security needed to safeguard organizations. As a result, many are moving to protect data by encrypting it. In doing so, should someone get access to data, it’s rendered useless.

Let’s look at the key differences between these two technologies, and why one is a real safeguard for data, while the other is best for very limited protections from physical loss or theft.

1 – Full disk encryption (FDE):

FDE provides encryption at the hardware level and, as a result, is protocol agnostic. FDE automatically converts data on a hard drive into a form that cannot be understood unless someone has the key to decrypt that data. Even if the hard drive is removed and placed in another machine, without a proper authentication key, the data remains inaccessible. Because protection applies only while the device is shut down, FDE is primarily used for laptops and other small computing devices that can be physically lost or stolen. With one key that encrypts the entire hard drive, once the drive is powered on, there is no protection against unauthorized users or administrators who have access to the machine through networks and management environments. It’s an all-or-nothing deployment where either the entire drive is protected or it’s completely exposed.

Many network-attached storage (NAS) and storage-area network (SAN) vendors now offer some form of FDE, which is generally built into the platform. FDE-enabled platforms:

  • Cost 30-40% more than those without built-in encryption
  • Quickly limit scalability; scaling typically requires a complete forklift upgrade

Primary use cases for full disk encryption solutions are protection from loss or theft of devices, and easy retirement of data center drives.

2 – File level encryption:

File level encryption is for devices that require data security while in operation and offline. File level encryption offers role-based access controls, making access much more granular based on the role an employee or partner has within the organization. When leveraging file level encryption, the “least privilege” users cannot access the data. For example, a policy can be set so the “least privilege” user can copy files but is not able to see the file data in clear text. Following these basic practices allows organizations to meet basic compliance mandates while helping mitigate certain strains of malware, APTs and insider threats. Unlike FDE, file level encryption is also transparent to the underlying storage infrastructure. It does not restrict the ability to mix storage vendors, so organizations can maintain a heterogeneous storage environment that keeps storage at a competitive price.

For optimal security, find a file-level solution where you can encrypt databases alongside unstructured data files without making any changes to the user experience, app or database. Applying additional controls (such as only allowing specific users access to the data, enforcing least privileged user access, and restricting access to authorized applications and processes) delivers the continuous data security required to successfully defend data residing in data centers, clouds, and big data environments from many common data theft threats.
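The contrast between the two sections above can be shown with a simplified model. This is an added example, not Vormetric's code: the class names, the policy format, the users and the process names are hypothetical, and a standard-library keystream stands in for AES so the block runs without extra packages.

```python
import hashlib
import hmac
import os

def xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream) so only the standard library is
    # needed; it is not AES. The same call encrypts and decrypts.
    pad = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                   for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, pad))

class Volume:
    """Stores only ciphertext; subclasses decide who gets plaintext back."""
    def __init__(self, key, policy=None):
        self._key, self._files, self._policy = key, {}, policy or {}
    def write(self, path, data):
        nonce = os.urandom(16)
        self._files[path] = (nonce, xor_stream(self._key, nonce, data))
    def raw(self, path):  # what a pulled drive or a raw copy exposes
        return self._files[path][1]
    def _decrypt(self, path):
        nonce, ciphertext = self._files[path]
        return xor_stream(self._key, nonce, ciphertext)

class FullDiskVolume(Volume):
    """FDE model: one key and one decision, made when the drive is unlocked."""
    unlocked = False
    def read(self, user, process, path):
        # Once unlocked, user and process are never consulted.
        return self._decrypt(path) if self.unlocked else self.raw(path)

class FileLevelVolume(Volume):
    """File-level model: policy is evaluated on every read, before decryption."""
    def read(self, user, process, path):
        rule = self._policy.get((user, process), "deny")
        if rule == "decrypt":
            return self._decrypt(path)
        if rule == "ciphertext_only":  # may copy or back up, never sees clear text
            return self.raw(path)
        raise PermissionError(f"{user} via {process} denied on {path}")

# Constructed sample policy and record; users and process names are hypothetical.
POLICY = {("appsvc", "billing"): "decrypt", ("root", "backup"): "ciphertext_only"}
SECRET = b"constructed sample record: salary=123456"

def build(cls, policy=None):
    vol = cls(os.urandom(32), policy)
    vol.write("/data/hr.db", SECRET)
    return vol
```

With the FDE model, setting `unlocked = True` returns plaintext to every caller; with the file-level model, the same root account gets ciphertext through the backup process and a denial through any process the policy does not list.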

One primary concern in the past with this type of encryption solution no longer applies in many cases – the impact on performance. Modern solutions (like those available from Vormetric) make use of the encryption capabilities built into current CPUs and have minimal overhead.

If you are in charge of making security investments for your organization, think about your most critical risks and look at which investments will give the most value. Since people don’t typically run off with hard drives in data centers, when you look at encryption for the data center, seriously consider when and how it’s applied.

In this day and age, security solutions are simply too important not to do your due diligence when deciding on the right solution. If any of these investments provide a false sense of security, the risks can be astronomical.

The post Locking Down Data – Full Disk Encryption vs. File Encryption appeared first on Data Security Blog | Vormetric.


More Stories By Vormetric Blog

Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, big data and cloud environments. Data is the new currency and Vormetric helps over 1400 customers, including 17 of the Fortune 30 and many of the world’s most security conscious government organizations, to meet compliance requirements and protect what matters — their sensitive data — from both internal and external threats. The company’s scalable Vormetric Data Security Platform protects any file, any database and any application’s data —anywhere it resides — with a high performance, market-leading data security platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence.