Thales Blog

Locking Down Data – Full Disk Encryption vs. File Encryption

June 23, 2015

Andy Kicklighter | Director of Product Marketing


Warning, Warning, Caution – your system will become exposed in 10, 9, 8, 7… okay perhaps a tad dramatic. But before we compare full disk encryption and file level encryption let’s start with a quick story. Once upon a time, vaults were not as effective as they are today because banks could not control how and when they could be opened. Anyone with the combination or key could open them at any time. Today, vaults can require multiple combinations, specific time of entry, and multiple authentications to open. Encryption is very much the same. Just as a vault today can be unlocked only at certain times, by specific methods and using set credentials, securely using encrypted data requires controls that limit access to the right person or user, at the right time, and in the right way. Encryption without access control is much like one of those old vaults – it’s not useless, but has very limited applications.


In Charles Goldberg’s blog post titled ‘Don’t Let your Storage Team be your Company’s Justin Bieber’, he discussed how less than two years ago, individuals’ eyes glazed over when they heard the word encryption. What a difference 18 months (and some of the largest data breaches) can make. Not shockingly, there’s been a real change in the market’s acceptance of encryption.

For most organizations, data is one of their most valuable assets. Unfortunately, these valuable assets come at a premium and are thus a prime target for hackers. It’s no secret that protecting the network perimeter no longer provides the level of security needed to safeguard organizations. As a result, many are moving to protect data by encrypting it, so that should someone get access to the data, it’s rendered useless to them.

Let’s look at the key differences between these two technologies, and why one is a real safeguard for data, while the other is best for very limited protections from physical loss or theft.

1 – Full disk encryption (FDE):

FDE provides encryption at the hardware level and, as a result, is protocol agnostic. FDE automatically converts data on a hard drive into a form that cannot be understood unless someone has the key to decrypt that data. Even if the hard drive is removed and placed in another machine, without the proper authentication key the data remains inaccessible. Because protection applies only while the device is powered off, it’s primarily used for laptops and other small computing devices that can be physically lost or stolen. With one key that encrypts the entire hard drive, once the drive is powered on and unlocked there is no protection against unauthorized users or administrators who have access to the machine through networks and management environments. It’s an all or nothing deployment where either the entire drive is protected or it’s completely exposed.

Many network-attached storage (NAS) and storage-area network (SAN) vendors now offer some form of FDE, which is generally built into the platform. FDE-enabled platforms:

  • Cost 30-40% more than those without built-in encryption
  • Quickly limit scalability; scaling typically requires a complete forklift upgrade

Primary use cases for full disk encryption solutions are protection from loss or theft of devices, and easy retirement of data center drives.

2 – File level encryption:

File level encryption is for devices that require data security both while in operation and offline. File level encryption offers role-based access controls, making access much more granular based on the role an employee or partner has within the organization. When leveraging file level encryption, “least privilege” users cannot access the data in the clear. For example, a policy can be set so that a “least privilege” user can copy files but cannot see the file data in clear text. Following these basic practices allows organizations to meet basic compliance mandates while helping mitigate certain strains of malware, APTs and insider threats. Unlike FDE – file level encryption is also transparent to the underlying storage infrastructure. It does not restrict the ability to mix storage vendors, which maintains a heterogeneous storage environment and keeps storage pricing competitive.

For optimal security, find a file-level solution where you can encrypt databases alongside unstructured data files without making any changes to the user experience, application or database. Applying additional controls (such as only allowing specific users access to the data, enforcing least-privilege user access, and restricting access to authorized applications and processes) delivers the continuous data security required to successfully defend data residing in data centers, clouds, and big data environments from many common data theft threats.
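As an added illustration (not code from this post or from Vormetric), the following Python models the access-control difference described in the two sections above: an FDE volume that hands clear text to any caller once it has been unlocked, beside a file-level agent that evaluates user, process and operation on every access and lets a backup account copy a file without ever seeing its contents. The user, process and policy names are constructed, and the keystream function is a dependency-free stand-in for a real cipher, not something a product would ship.

```python
import hashlib
from dataclasses import dataclass
SECRET = b"card_number=4111-XXXX-XXXX-1111 (constructed sample record)"

def xor_keystream(key: bytes, data: bytes) -> bytes:
    # Stand-in for AES-CTR (SHA-256 counter keystream): keeps the example dependency-free.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class FdeVolume:
    # One key for the whole drive, entered at boot; afterwards every caller reads clear text.
    def __init__(self, key: bytes):
        self._key, self.unlocked = key, False
        self._blob = xor_keystream(key, SECRET)
    def unlock(self, key: bytes) -> None:
        self.unlocked = key == self._key
    def read(self, user: str, process: str) -> bytes:
        if not self.unlocked:
            raise PermissionError("drive locked: protected only while powered off")
        return xor_keystream(self._key, self._blob)  # caller identity is never consulted

@dataclass(frozen=True)
class Rule:
    users: frozenset
    processes: frozenset
    ops: frozenset
    effect: str  # "cleartext" or "ciphertext" (copy allowed, no decryption)

class FleAgent:
    # File-level agent: each access is matched against policy; no match means deny.
    def __init__(self, key: bytes, rules: list):
        self._key, self._rules = key, rules
        self._blob = xor_keystream(key, SECRET)
    def access(self, user: str, process: str, op: str) -> bytes:
        for r in self._rules:
            if user in r.users and process in r.processes and op in r.ops:
                if r.effect == "cleartext":
                    return xor_keystream(self._key, self._blob)
                return self._blob  # backup/copy succeeds, but content stays opaque
        raise PermissionError(f"{user}/{process} may not {op}: no matching rule")
# Constructed policy (hypothetical names): the DBA's database process sees clear text,
# the backup account may read files for copying but only ever receives ciphertext.
POLICY = [
    Rule(frozenset({"dba"}), frozenset({"oracle"}), frozenset({"read", "write"}), "cleartext"),
    Rule(frozenset({"backup_svc"}), frozenset({"rsync"}), frozenset({"read"}), "ciphertext"),
]
```

Running the two models side by side shows the point of the post: the unlocked FDE volume returns the record to the backup account just as readily as to the DBA, while the file-level agent gives the backup account only ciphertext and denies everyone the policy does not name.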

One primary concern with this type of encryption solution in the past, the impact on performance, no longer applies in many cases. Modern solutions (like those available from Vormetric) make use of the encryption capabilities built into current CPUs and have minimal overhead.

If you are in charge of making security investments for your organization, think about your most critical risks and look at which investments will give the most value. Since people don’t typically run off with hard drives in data centers, when you look at encryption for the data center, seriously consider when and how it’s applied.

In this day and age, security solutions are simply too important not to do your due diligence when deciding on the right solution. If any of these investments provide a false sense of security, the risks can be astronomical.