Thales Blog

Full Disk Encryption: What Is It Good For?

September 17, 2015

Andy Kicklighter Andy Kicklighter | Director of Product Marketing More About This Author >

Full Disk Encryption - What is it good forThere's an old 70's protest tune recorded by the Temptations and written by Edwin Star that goes "War. Huh. What is it good for?  Absolutely nothin'!".  This is not quite true when you substitute full disk encryption (FDE) for "War" when it comes to the data center, but it isn't far off.

ClickToTweet: Full Disk #Encryption (FDE): What is it good for? 

Let's look first at some things that you might expect an encryption solution to help you with that FDE is not good for.

1 - It won't help protect you a data breach that comes in via a remote internet-based attack.

FDE operates at the disk level - data that comes into a disk with FDE enabled, is encrypted.  But it's encrypted below the level of operating systems and applications.  As far as the OS and the applications that run on it are concerned, an FDE enabled disk is just like any other disk (except that someone needs to manage the encryption keys for each and every disk ... usually via an agent installed on the OS of the system, a NAS/SAN management environment or by way of third party key management solution that work with any of these).

The result?  It provides no protection against any attacker that has gained access to the OS or application where sensitive data is stored.  Once the attacker has access to the system or the right credentials within an application, it's game over.

With the reality today that "It isn't if your network will be compromised, it's when, for how long, and how many times."

2 - It won't protect you from privileged user abuse or a compromised privilege user account

A primary target for malicious insiders (like Mr. Snowden), nation state hackers, and criminals out to steal data are the accounts of those who manage and monitor systems - privileged user accounts (system administrators, storage administrators, domain administrators, Linux/Unix Root users, database admins and many others).  These accounts have traditionally had access to all the storage assets associated with the systems that the managed.  Since they have access available through the OS (or an application that they manage), FDE provides zero protection.

3 - It won't help to prevent contractors or service providers on your network from stealing data

If you are a multinational, that outsources even trivial tasks on your network, much less management of large portions of your IT infrastructure, to contractors or outside service providers FDE can't help.  Consider the Target data breach, the attackers came in via a compromise at an HVAC contractor (who had network access so that they could manage heating and cooling systems), and then proceeded to leapfrog to both POS systems and back end databases from there (by some accounts the back end systems were the bigger loss, with 70 million sets of customer data compromised).

Again, with access through the OS or a compromise of application accounts that have legitimate system access, no protection is provided by FDE.

4 - It won't help you with data residency issues.

Although some jurisdictions (like Germany and Spain) won't allow even encrypted personal information to be exported without explicit permission, others have more liberal rules that allow data that is encrypted to be exported.  Unless you are physically picking up the encrypted drives and moving them, you're out of luck.  And once those encrypted drives are installed and the key environment updated,  you are out of luck again ... as anyone with system level access can get to the data.

It might as well not be encrypted at all.

5 - It won't do much to protect data stored at your cloud provider (when FDE is part of the cloud provider's implementation)

The same problems apply to IaaS, SaaS and PaaS environments that your organization may use - even if the provider use drives with FDE enabled, access through applications or OS instances won't be hindered in any way.

But there are some good uses for FDE

  • FDE protects against loss or theft of the drive - If someone were to gain access to your data center and physically pull the drive out, you'd be protected (of course, if you used other encryption/cryptographic solutions that provider greater protection within OS instances and applications they would too)
  • On the desktop/laptop side if (again) the device is lost or stolen, you are protected
  • Retiring drives is easy - just throw away the encryption key (delete via the management environment) and the drive is a data brick.  But note that most data centers already have a secure drive disposal solution in place

You'll note that I didn't put "Meeting compliance requirements for encryption" on that list of good uses - Because it isn't one.

You can meet the checkbox requirement for encryption under PCI, HIPAA and other compliance regimes with FDE, but you'll be missing one of the other requirements - access control, as well as other layers of protection.  Some encryption solutions at the OS and Application levels provide access controls that help solve all of the problems above - you'll need to invest in a separate access control solution to meet that part of the compliance requirement if you use FDE. (FYI ... Vormetric solutions do include access control)

What's more, you'll be meeting the "letter" of the compliance requirement, rather than the "spirit" of it.  Since the requirements are there to help protect sensitive information, and any access from inside systems and applications is explicitly allowed with FDE, there's very little real protection within a data center environment from it's use.