Thales Blog

Full Disk Encryption Is Physical Security, Not IT Security

January 8, 2015

What threats are you trying to mitigate with full disk encryption? For a laptop that is moved around from office to home or out on a business trip, full disk encryption should be standard. You need to protect that asset in the event of theft or loss of the device. It is a great physical security control. When properly implemented, full disk encryption will render any information stored on that device useless to whoever ends up holding it. That's great for a laptop, but what about your data center?


How much risk do you have of someone stealing disks from your datacenter? Take the average life span of a hard drive. An enterprise-class hard drive is designed to last a minimum of 5 years. During those 5 years, a SAN or NAS filled with hard disks is expected to have 99.999 percent uptime or better. So if you take the same approach to securing data in your datacenter as you did with your laptop, what risk have you really mitigated? None. 99.999% of the time, while that disk is up and running in the datacenter, you have provided ZERO additional protection for your data: once the volume is unlocked at boot, the operating system decrypts transparently for every user and process that can read the file system. Just because it says encryption on the label does not mean security.

Can you name a single major breach in recent years that was the result of someone stealing a server or a hard drive, or of a drive that was lost in shipping from a datacenter? If it has happened, it certainly wasn't reported in the media and did not have a significant impact. So where does that leave you for securing data in your back office? When you look at encryption for the data center, seriously consider when and how it is applied. Look for a solution that can mitigate risks to that data while the data is available in the datacenter. Your solution should:

  • Block out unauthorized users - this should include root/admin users
  • Lock out unauthorized processes
  • Implement quickly - not require significant re-architecture or redesign of your applications
  • Work with third-party applications where you cannot change the data structure or code

Vormetric is a market leader because of the options you have in applying controls to that data in multiple ways. You can encrypt your sensitive data in storage for your databases as well as your unstructured data without making any changes to the application or database. Vormetric applies additional controls to that encrypted data to lock it down so that only specific users and approved processes have access to the data. This additional level of security can lock the data down and remove the threat of an admin or root account being compromised, or of malware trying to access the data at rest on your most critical systems.
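To make the distinction concrete, here is an added toy model (constructed for this post, not Vormetric's code or policy format) of the two access decisions: full disk encryption answers plaintext to anyone once the volume is unlocked, while a policy-gated file-level layer decides per user and per process, treats root as just another identity, and can hand a backup tool ciphertext without ever exposing plaintext. The user names, process paths and rule fields are hypothetical.

```python
"""Toy model of FDE versus policy-gated file-level encryption (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    users: frozenset    # user names; "*" matches any user
    procs: frozenset    # executable paths; "*" matches any process
    actions: frozenset  # subset of {"read", "write", "backup"}
    effect: str         # "plaintext", "ciphertext" or "deny"

@dataclass(frozen=True)
class AccessRequest:
    user: str
    proc: str
    action: str

def _match(allowed, item):
    return "*" in allowed or item in allowed

def evaluate(policy, req):
    """First matching rule wins; anything no rule covers is denied (default deny)."""
    for rule in policy:
        if (_match(rule.users, req.user) and _match(rule.procs, req.proc)
                and req.action in rule.actions):
            return rule.effect
    return "deny"

# Constructed policy for a database host (hypothetical names and paths):
# only the database engine, running as its service account, gets plaintext;
# root's backup job may copy ciphertext only; every other combination,
# including root in an interactive shell, is refused outright.
POLICY = [
    Rule(frozenset({"dbsvc"}), frozenset({"/usr/sbin/mysqld"}),
         frozenset({"read", "write"}), "plaintext"),
    Rule(frozenset({"root"}), frozenset({"/usr/bin/rsync"}),
         frozenset({"read", "backup"}), "ciphertext"),
]

def fde_access(volume_unlocked: bool) -> str:
    """Full disk encryption: identity is never consulted. While the server is
    running the volume is unlocked, so every caller reads plaintext."""
    return "plaintext" if volume_unlocked else "ciphertext"

def compare(req, volume_unlocked=True):
    """What each approach returns for the same request on a running server."""
    return {"fde": fde_access(volume_unlocked), "policy": evaluate(POLICY, req)}

if __name__ == "__main__":
    for u, p in [("dbsvc", "/usr/sbin/mysqld"), ("root", "/usr/bin/rsync"),
                 ("root", "/bin/bash"), ("dbsvc", "/bin/bash")]:
        print(u, p, compare(AccessRequest(u, p, "read")))
```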