Limits of Full Disk Encryption
I've seen a couple of posts in the last week arguing that some security measure doesn't always work or doesn't offer complete security. The fact that there is no silver bullet solution is the closest thing we have to a fundamental theorem of information security. The article that caught my attention today was eWeek's Full-Disk Encryption Is Partial Protection, Analysts Say which includes:
But when it comes to protecting information overall, full-disk encryption is best thought of as only part of the solution, MacDonald and others said.
"It does nothing to improve DLP [data leak prevention] if a user has an encrypted hard drive, boots, supplies their pin and then proceeds to copy sensitive files into e-mail or onto USB storage in unencrypted form," he said. "File-based encryption supplements FDE, especially on machines and folders that are shared between users."
The first sentence could apply to any security technology, just substitute the phrase "full disk encryption" for your favorite security measure. The second paragraph basically says a screwdriver isn't useful for driving nails.
We use multi-layered security measures because (1) no implementation is without potential vulnerabilities, (2) each technology solves a subset of all possible ways to compromise the confidentiality, integrity and availability of our assets and (3) different forms of protection are required at different stages of information flows.
The eWeek article does finally conclude with a quote from Thomas Raschke, an analyst with Forrester Research who points out the need for multi-layered defenses:
Layered and risk-based security is what works best—ILP [information leak prevention] and encryption need to be integrated," he said. "ILP gives you a more fine-grained level of security: It can manage the use of pieces of sensitive content based on defined policies, e.g. one line in a Word doc."
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
