3 endpoint encryption strategies you need to know

Jason Blackett Director of Product Management, Micro Focus

Today, users expect to be able to create, edit, and review corporate data from any device they happen to have, at any time, from any location. The great news about this is that it means your end users are trying to be more responsive and effective.

The bad news, if you are an IT administrator, is that there's a huge amount of corporate data now on those endpoint devices.

As a result, you've got to get more serious about securing and protecting your endpoints, to keep that data safe from compromise, from unintentional leakage, and from the loss or theft of the device itself.

There's a lot of capability available to protect endpoints today, including endpoint security management, patch management, and endpoint backup. But don't forget about endpoint encryption as a key part of your arsenal.

As you look to protect your data, it's important to understand what you want to accomplish and then match it to a solution that meets your needs. On the endpoint there are several kinds of encryption capabilities available. These include:

  • Full-disk and removable device encryption
  • Folder encryption
  • Transparent file encryption

Each of these has pros and cons, and each solves different problems. Before starting the search for a solution, make sure you understand the problem you are trying to solve.

Here is a walkthrough of the different endpoint encryption strategies you need to know.

Full-disk encryption

This technique encrypts an entire disk or device. This might be the hard drive in your Windows or Mac laptop, your mobile device, or a USB stick that you carry around with you. In any of these cases the entire contents of the drive are encrypted, and the data is protected at rest.

This means that your data is protected if the USB stick, laptop, or mobile device is lost or stolen. Choose this technique if you are concerned about the physical loss of the device.

Full-disk encryption solutions often include pre-boot authentication. The user must authenticate (with a password, PIN, smart card, or similar) before the disk is unlocked: the laptop will not boot, and the removable device cannot be read, until that authentication completes. If a device is configured to unlock automatically at boot instead (for example with a hardware-bound key and no user secret), the protection of a powered-on or sleeping device rests on the operating system's login screen rather than on the encryption.

Full-disk encryption is often used on corporate devices to protect data stored on the device in question.

One important thing to understand about full-disk encryption is that it protects data at rest on a device that is powered off or locked. Once the device is booted and unlocked, the operating system, every application, and any malware running on it read plaintext, and data typically is no longer encrypted once it leaves the device. For instance, if you attach a file to an email, that file will not be encrypted when it gets to the recipient.

Another thing to keep in mind is that there is usually at least a minimal performance impact when you use full-disk encryption, because data is encrypted and decrypted on the fly as it is written to and read from the disk. On hardware with dedicated AES instructions that overhead is often negligible.

Folder encryption

This technique flags a specific folder or set of folders, or even an application, for encryption. Folder-level encryption is helpful in use cases such as employees bringing their own devices—you don’t want to encrypt the entire device, but rather just make sure the corporate data is encrypted.

Folder encryption is often done with a user-specific key. This has the advantage of keeping other users of the same machine from reading the data, which full-disk encryption does not do once the device is booted and unlocked. For that reason you may opt to use file/folder encryption in addition to full-disk encryption rather than instead of it.

Examples of folder-based encryption include Microsoft's Encrypting File System (EFS), built into the NTFS file system, and the application protection capabilities of Office 365.

With EFS you can right-click a folder and choose to encrypt its contents. Again, the primary use is to protect the data stored on the device in the event it is lost or stolen, and to prevent users from reading other users' data.

As with full-disk encryption, when data is copied out of the encrypted folder (for instance to a USB stick or a network share) or attached to an email, it is typically decrypted on the way.

Transparent file encryption

With transparent file encryption files are usually encrypted based on a policy that identifies sensitive data. For instance, a policy might identify any file that contains a credit card number as confidential and then automatically encrypt such files.

Unlike the other two options, in this case the file itself stays encrypted wherever it goes; it is decrypted only in memory, by the client, when an authorized user opens it.

Transparent file encryption is well positioned to prevent data loss by ensuring that the data, whether at rest, in motion, on the server, attached to an email, or on the endpoint, remains encrypted.

In addition, there is often policy information embedded in the file that controls who can access the file and what they can do with it. Because the policy travels inside the file, it is enforced no matter where the file is accessed from. For that to mean anything, the policy must be cryptographically bound to the encrypted content (covered by the same authentication tag or signature), so that it cannot be stripped or edited without invalidating the file.

With this type of encryption, you'll need a transparent file encryption client on every device that handles the data, so it can read and enforce the policy and decrypt the file. Anyone without the correct client, or without an entry in the policy, won't be able to read the file; that includes external partners you share files with, who will need the client too.

Cover all the bases

Endpoint encryption should be a key part of your endpoint protection strategy. No matter which encryption capabilities you choose, be sure to select a solution that offers centralized key management, including key escrow or recovery keys, so that if a user leaves, loses a device, or forgets their passphrase, your company can still retrieve the data. Guard that recovery capability as carefully as the data itself: whoever holds the recovery keys can read every protected file.
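The two pieces of the transparent file encryption model described earlier (a policy that classifies content and decides what gets encrypted, and access rules carried inside the file) and the recovery-key requirement above can be shown end to end in a small container format. The following Python is an added example written for this page, not code from the article or from any vendor's product. It assumes a made-up container layout (a "TFE1" magic, a JSON header, then the body), made-up principal names, and randomly generated key-encryption keys; it uses only the standard library, with HMAC-SHA256 in counter mode as the keystream and a second HMAC as the authentication tag, so that it runs anywhere. A real product would use a vetted AEAD such as AES-GCM and a public-key signature from the policy authority over the header.

```python
"""Transparent file encryption container with embedded policy and key escrow (added
illustration, not code from the article or a product). Stdlib only: HMAC-SHA256 in counter
mode as keystream, second HMAC over header+ciphertext. Use a real AEAD (AES-GCM) in practice."""
import hashlib, hmac, json, os, re, struct

MAGIC = b"TFE1"  # hypothetical container format marker
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")  # 13-19 digits, optional separators

def _luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(data):
    """Policy hook: flag text holding a Luhn-valid card number as confidential."""
    for m in _PAN_RE.finditer(data.decode("utf-8", "replace")):
        if _luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "confidential"
    return None

def _subkeys(key):  # independent keys for encryption and authentication
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, n):
    return b"".join(hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def _seal(key, aad, plaintext):
    """nonce || ciphertext || tag; the tag also covers aad, so aad cannot be changed."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def _unseal(key, aad, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: ciphertext or policy was altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _encode_header(header):
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode()

def protect(data, policy, user_keks, recovery_kek):
    """Fresh file key wrapped for each principal and for the org recovery key (escrow)."""
    file_key = os.urandom(32)
    header = {"classification": policy["classification"], "allow": policy["allow"],
              "wrapped": {p: _seal(user_keks[p], b"wrap:" + p.encode(), file_key).hex()
                          for p in policy["allow"]},
              "recovery": _seal(recovery_kek, b"wrap:recovery", file_key).hex()}
    hb = _encode_header(header)
    return MAGIC + struct.pack(">I", len(hb)) + hb + _seal(file_key, MAGIC + hb, data)

def _split(container):
    if container[:4] != MAGIC:
        raise ValueError("not a TFE container")
    hlen = struct.unpack(">I", container[4:8])[0]
    return container[8:8 + hlen], container[8 + hlen:]

def open_file(container, principal, kek, action="read"):
    """Client-side enforcement: check policy, unwrap file key, verify tag over header+body."""
    hb, body = _split(container)
    header = json.loads(hb)
    if principal == "recovery":
        file_key = _unseal(kek, b"wrap:recovery", bytes.fromhex(header["recovery"]))
    elif action not in header["allow"].get(principal, []):
        raise PermissionError(f"{principal} may not {action} this file")
    else:
        file_key = _unseal(kek, b"wrap:" + principal.encode(), bytes.fromhex(header["wrapped"][principal]))
    return _unseal(file_key, MAGIC + hb, body)

def demo():
    # Constructed sample; real KEKs come from user credentials or an HSM.
    keks = {"alice": os.urandom(32), "bob": os.urandom(32)}
    recovery = os.urandom(32)
    memo = b"Call the customer back; card on file 4111 1111 1111 1111 expires 09/27."
    cls = classify(memo)
    policy = {"classification": cls, "allow": {"alice": ["read", "edit"], "bob": ["read"]}}
    box = protect(memo, policy, keks, recovery)
    r = {"classified": cls, "alice_reads": open_file(box, "alice", keks["alice"]) == memo,
         "recovery_reads": open_file(box, "recovery", recovery) == memo}
    try:
        open_file(box, "bob", keks["bob"], "edit")
    except PermissionError:
        r["bob_edit_blocked"] = True
    # Rewriting the header to grant bob "edit" invalidates the body tag.
    hb, body = _split(box)
    forged = json.loads(hb)
    forged["allow"]["bob"].append("edit")
    fhb = _encode_header(forged)
    try:
        open_file(MAGIC + struct.pack(">I", len(fhb)) + fhb + body, "bob", keks["bob"], "edit")
    except ValueError:
        r["forged_policy_rejected"] = True
    return r
```

Two design points matter here. First, the header is passed as associated data when the body is sealed, so a recipient who edits the embedded policy gets an integrity failure rather than extra rights; in this stdlib version the tag is keyed from the file key, so a legitimate reader could still re-seal a modified header, which is why real products sign the policy with a key the clients do not hold. Second, the file key is wrapped once per principal and once more under a recovery key that only the organisation holds, which is exactly the centralized key management the closing section calls for: a departing user or a forgotten passphrase does not strand the data, and the recovery key becomes the most sensitive secret in the system.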

As you work to protect your endpoint data, be sure to pick the right encryption tools to address the issues you are trying to solve. You'll probably need more than one of the encryption types described above, and may very well need all of them to fully protect your endpoint data.
