Data in the clear is no small cybersecurity risk for organizations of any size. When data is stored "in the clear," it is unencrypted, meaning that anyone with access to the storage device or file can read it. In many cases, full disk encryption (FDE) is a necessary control.
Encrypted data provides an obstacle and a layer of risk mitigation against loss, since the data is not readable without the right encryption key. Encryption applies both to data in transit and to data at rest. For data in transit, TLS (transport layer security), currently at version 1.3, is the standard. For data at rest there are multiple mechanisms and technologies, including file-based and full disk encryption. Ultimately, FDE is about securing an enterprise environment's endpoints: it provides a pervasive layer of encryption across an entire storage device, be it a spinning hard disk or a solid-state drive (SSD). Read on for our list of top full disk encryption software solutions, followed by guidance on how FDE works and how to evaluate it.
Top Full Disk Encryption Software of 2021

In this eSecurity Planet top products list, we spotlight the vendors that offer the top FDE software tools.
Apple FileVault

FileVault 2 is the natural choice for Apple macOS users, as it is built into macOS and is enabled from System Preferences under Security & Privacy. It uses XTS-AES-128 encryption with a 256-bit key. Administrators can generate and escrow a FileVault recovery key and can leave FileVault disabled for staff or users who do not need it. Once enabled, FileVault begins encrypting the volume immediately, adding another layer of protection for device contents. One caveat for fleet managers: on Macs with a T2 chip or Apple silicon the internal storage is always encrypted by the Secure Enclave, but until FileVault is turned on the key is released without a user password, so anyone who boots the machine can read the data; enabling FileVault is what ties the key to user authentication.
Check Point Harmony Endpoint

Formerly known as SandBlast Agent, Check Point's full disk encryption is a component of its endpoint security suite, Harmony Endpoint, and is managed centrally with the rest of the suite. Users can boot and access an encrypted laptop or other endpoint only after pre-boot authentication; multi-factor options include certificate-based smart cards and dynamic tokens. The pre-boot environment supports multiple languages for global deployments.
ESET PROTECT

ESET PROTECT is a reasonable option for small to mid-sized distributed organizations that need to manage disk encryption. From the vendor's remote management console, administrators use ESET Full Disk Encryption to encrypt system disks, partitions, or entire devices. It offers FIPS 140-2 validated, 256-bit AES encryption and lets clients encrypt Windows and macOS machines from a single dashboard. ESET makes it easy to change licenses as the organization scales.
McAfee Complete Data Protection

Looking beyond full disk encryption alone, McAfee's Complete Data Protection provides fine-grained controls for data and devices. McAfee, now operating under the Trellix name after merging with FireEye, offers an Advanced plan whose full disk encryption uses pre-boot two-factor authentication, with either McAfee's own encryption engine or the native Microsoft BitLocker and Apple FileVault engines. Encryption is managed centrally via McAfee's ePolicy Orchestrator (ePO), which also manages other McAfee endpoint products, and policies can be synchronized with Microsoft Active Directory, Novell NDS, PKI, and other systems.
Micro Focus ZENworks Full Disk Encryption

Micro Focus ZENworks Full Disk Encryption is a good option for Microsoft Windows shops looking for endpoint protection. Formerly part of Novell, ZENworks includes tracking, configuration, security, and endpoint management from a web-based console. ZENworks FDE protects data on devices that are powered off or hibernating, combining software encryption with pre-boot authentication and support for self-encrypting drives.
Microsoft BitLocker

Microsoft's BitLocker is the native full disk encryption system in Windows: it shipped with the Ultimate and Enterprise editions of Windows Vista and 7, and with the Pro, Enterprise, and Education editions of Windows 8 and later (not Home). For enterprise deployment, Microsoft BitLocker Administration and Monitoring (MBAM) has provided centralized management; note that MBAM is past the end of mainstream support and Microsoft now directs customers to Microsoft Endpoint Configuration Manager and Intune for BitLocker policy and recovery-key escrow. BitLocker can also be managed by third-party FDE systems such as Symantec and Sophos. MBAM lets security officers quickly determine the compliance state of individual computers and lets administrators automate the encryption of volumes on client computers.
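The compliance check that MBAM performs is, at bottom, a read of each volume's BitLocker state against policy. The script below is an added example, not code from eSecurity Planet, Microsoft or MBAM: it parses the text that `manage-bde -status` prints, using a constructed sample that mimics the tool's layout, and flags volumes that are not fully encrypted, have protection suspended, use a cipher weaker than an assumed XTS-AES 256 policy, or lack an escrowed recovery password (the "Numerical Password" protector). The policy values and the sample volumes are assumptions chosen to illustrate the check.

```python
"""Check BitLocker volume state (as printed by `manage-bde -status`) against
a policy. Added example; SAMPLE_STATUS is constructed to mimic the tool's
layout and POLICY holds assumed thresholds, not Microsoft recommendations."""
import re

# Constructed sample: a compliant OS volume and a data volume that is still
# encrypting with a weaker cipher and has no recovery password escrowed.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 475.69 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 37.2%
    Encryption Method:    AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
"""

POLICY = {
    "methods": {"XTS-AES 256"},                      # assumption: 256-bit XTS only
    "required_protectors": {"Numerical Password"},   # recovery password must exist
}


def parse_status(text):
    """Return {drive_letter: {field: value, ..., 'Key Protectors': [names]}}."""
    volumes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Volume ([A-Z]): \[(.*)\]", line)
        if m:
            current = volumes.setdefault(
                m.group(1), {"Label": m.group(2), "Key Protectors": []})
            continue
        if current is None:                 # banner lines before the first volume
            continue
        m = re.match(r"^\[(.+ Volume)\]$", line)
        if m:
            current["Type"] = m.group(1)
            continue
        m = re.match(r"^ {4}([A-Za-z ]+):\s*(.*)$", line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            if key != "Key Protectors":     # protector names follow, indented deeper
                current[key] = val
            continue
        m = re.match(r"^ {8}(\S.*)$", line)
        if m:
            current["Key Protectors"].append(m.group(1).strip())
    return volumes


def evaluate(volume, policy=POLICY):
    """Return a list of findings; an empty list means the volume is compliant."""
    findings = []
    if volume.get("Conversion Status") != "Fully Encrypted":
        findings.append("not fully encrypted: " + volume.get("Conversion Status", "?"))
    if volume.get("Protection Status") != "Protection On":
        # "Protection Off" on an encrypted volume means the protectors are
        # suspended and a clear key sits on disk: the volume is readable.
        findings.append("protection off (volume readable without a credential)")
    if volume.get("Encryption Method") not in policy["methods"]:
        findings.append("weak cipher: " + volume.get("Encryption Method", "?"))
    missing = policy["required_protectors"] - set(volume["Key Protectors"])
    if missing:
        findings.append("missing protectors: " + ", ".join(sorted(missing)))
    return findings


def compliance_report(text, policy=POLICY):
    return {drive: evaluate(vol, policy) for drive, vol in parse_status(text).items()}


if __name__ == "__main__":
    for drive, findings in compliance_report(SAMPLE_STATUS).items():
        print(drive + ":", "OK" if not findings else "; ".join(findings))
```

Feed the real output of `manage-bde -status` into `compliance_report()` from a collector; the same facts are available through PowerShell's Get-BitLockerVolume, but text parsing is what a cross-platform inventory tool usually ends up doing.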
Rohde & Schwarz (R&S) Trusted Disk

R&S Trusted Disk is a good option both for individual systems and for enterprise networks running Microsoft Windows. Within R&S's cybersecurity portfolio, the R&S Trusted Endpoint Suite bundles full disk encryption with a secure browser, a VPN client, and more. Trusted Disk scales from individual users to large enterprise organizations, and together the R&S endpoint stack helps organizations mitigate data loss risk across endpoints.
Sophos Central Device Encryption

Sophos Central Device Encryption extends the native capabilities of Windows BitLocker and macOS FileVault with additional management features. It is deployed to endpoints centrally without end-user involvement, and encryption can be accelerated with Intel's AES-NI instructions. A single console manages all enterprise devices, including disks encrypted with Microsoft BitLocker, Apple FileVault 2, and Opal self-encrypting drives, and provides encryption status, reporting, and auditing to demonstrate compliance with internal policies and external regulations.
Broadcom Symantec Endpoint Encryption

Symantec goes beyond integrated full disk encryption with a platform that also protects removable storage devices. Built on PGP technology, Symantec Endpoint Encryption is deployed and managed from a single console and offers full disk encryption for Windows and macOS devices. Besides its own encryption, the console can manage systems encrypted with Microsoft BitLocker and Apple FileVault, as well as Opal-compliant self-encrypting drives. The solution offers a choice of self-recovery and help-desk-assisted recovery for employees who forget their passwords and cannot access their systems.
Trend Micro Endpoint Encryption

Trend Micro Endpoint Encryption is another good option for organizations that want one platform to manage full disk encryption as well as data protection for removable media. It supports Windows and macOS laptops and desktops, plus USB drives and other removable media. Once deployed, it gives operators full disk, file, and folder encryption to control access and protect devices across an enterprise environment.
Evaluating Full-Disk Encryption Solutions

Operating System: Microsoft and Apple both ship their own full-disk encryption, which may be sufficient for some use cases. The need for broader coverage and control than the default options provide is usually the driver for looking at other products.

Manageability: How easy (or hard) it is to manage and recover encryption keys is an important consideration.

Scope: Consider whether you need (or want) more than just the built-in disk encrypted; some solutions also handle removable and network-attached storage (NAS).

Cost and value: With the default operating system choices, the cost of full disk encryption is negligible, so looking beyond them requires additional value to justify the cost.

How Full Disk Encryption Works

Full disk encryption encrypts a system's entire drive: not only the confidential data stored on it, but also the operating system and all applications. Only a small unencrypted boot partition (the pre-boot environment) remains in the clear. When the system starts, the pre-boot environment prompts the user for a credential. That credential does not encrypt the data itself; it unlocks (unwraps) the disk's data encryption key, which then lets the system decrypt enough to boot and run normally. Most products let users supply that credential at the pre-boot stage in several ways, including a password or passphrase, a key stored on a USB device, a smart card or hardware token, or a biometric; on Windows the key is commonly sealed to the TPM, which releases it only when the boot chain is unmodified.
A combination of two or more of these methods can be used to create multi-factor authentication (MFA). MFA does not make the encryption itself stronger; it raises the bar for unlocking the key, so that a stolen password or a stolen token alone is not enough. As information is read from a disk protected by full-disk encryption, it is decrypted on the fly into memory, and any information written to the disk is encrypted on the fly. Without the key, the data stored on the disk remains inaccessible to thieves and hackers.

Full Disk Encryption vs. File Level Encryption

Full disk encryption differs from file-level encryption (FLE) in that it secures all data on the drive automatically and transparently, including swap files and hidden files that may contain confidential data, without any user intervention. In contrast, FLE protects only specific files that have been explicitly encrypted and generally depends on the user (or a policy engine) to act before a file is stored. A drawback of whole-disk encryption, however, is that it does nothing to protect files in motion: once a file is sent via email or copied to a memory stick, it leaves the encrypted volume in the clear. For that reason, consider deploying FLE alongside full disk encryption so that users can encrypt files that need to be shared with others.

Features of Full Disk Encryption Software

All full disk encryption systems encrypt a system's entire disk, but they are certainly not all identical. Here are four key capabilities to look for when choosing full disk encryption software.

Centralized Deployment and Management

Some full-disk encryption software, notably most open-source whole-disk products, is designed for personal use and must be installed and configured on the device itself. In an enterprise setting, though, it is not practical to visit every laptop to install whole-disk encryption software.
FDE software should be configured centrally, both to ensure uniformity and to push configuration changes to every laptop whenever necessary. It is also generally desirable for admins to lock down the configuration of a full disk encryption system so that end users cannot change or suspend it. A centralized management system is therefore a key consideration. It may also be convenient to choose a management system that is part of a broader platform covering all aspects of endpoint security, such as anti-virus software, as well as full-disk encryption. Other functions to look for in a management system are remote patching and updating, and the ability to update the underlying cryptographic implementation.

Authentication

A whole-disk encryption system is only as good as the authentication that gates access to the key, so ensure any system you consider offers a range of two-factor authentication (2FA) methods, such as a card-based authenticator or a USB key. Some products also allow biometrics as a second factor. For ease of management, it may be most convenient to use a system that ties into your existing corporate authentication system and directory service, such as Active Directory.

Key Management and Recovery

One of the most common problems with full disk encryption is users locked out of their computers, and unable to work, because they forgot their password or lost their second-factor credential. Laptops and the data they contain can also become inaccessible when a staff member leaves the organization and no knowledge transfer occurs. It is therefore important to verify that any FDE solution you consider has a key management and recovery system (escrowed recovery keys, help-desk challenge/response) that meets the security policies of your organization.
For example, some management systems offer self-service key recovery, letting users get back into their systems quickly after supplying information such as their date of birth or Social Security number. Such knowledge-based answers are weak secrets that an attacker can often look up, so if that provides insufficient security for some or all users, look for a system that offers key recovery only via an administrator, ideally issuing a fresh recovery key after each use.

Operating System Support

Since it is only practical to deploy and manage full disk encryption centrally, it follows that any FDE product you consider must support the full range of operating systems in use by employees. In particular, if your organization has a BYOD culture, investigate whether macOS (and even Linux) are supported and, if so, whether all features are available on those platforms.

Full Disk Encryption Security Shortfalls

No security system is 100 percent secure, and whole-disk encryption is vulnerable to several attacks, including:

Accessing the Encryption Key

When users keep a USB drive containing the encryption key together with the computer, obtaining the key is trivial for a thief. Users can also be tricked into revealing their passwords through social engineering.

Theft of Device While Running

Full disk encryption protects data only while the volume is locked, that is, while the computer is powered off (or hibernated, provided the hibernation file lives on the encrypted volume). Once the system has booted and the key has been released, the operating system serves decrypted data to anyone who gets past the login screen, and the key itself sits in RAM; sleep mode keeps it there. So if a laptop is stolen while it is running but unattended (or while the user is distracted), the data can be fully accessible to the thief.

Advanced In-Memory Techniques

FDE systems must hold the encryption key in memory while the system is running.
Since the contents of DRAM chips persist for seconds to minutes after power is cut, and this window can be extended by chilling the chips with inverted canned air, an attacker can cut the power to an unattended laptop, boot it from a USB stick or CD into another operating system, and read (and save) the contents of DRAM. The key can then be extracted from that image, typically by scanning for the telltale structure of an expanded AES key schedule, and used in a subsequent attack on the disk. Mitigations include powering off rather than sleeping, binding the key to a TPM with a pre-boot PIN so it is not loaded until the user authenticates, and firmware that clears memory on reset (the TCG reset attack mitigation). It's also worth noting that some software places data in the boot sector of the main drive, which full disk encryption systems may overwrite, causing that software to stop working.

Questions to Consider: Full Disk Encryption Solutions

In addition to researching the above features, enterprises will want answers to these four questions:

What cryptographic system is used, and has it been implemented securely? Any system you consider should use strong, standard, certified algorithms such as the Advanced Encryption Standard (AES) with 256-bit keys, in a mode designed for disk encryption (XTS rather than plain CBC). To check that the cryptographic module has been implemented securely, look for FIPS 140-2 validation, or FIPS 140-3, which has replaced 140-2 for new validations.

Is the system compatible with any uncommon software you use? Full disk encryption products may overwrite parts of the disk (such as the boot sector) that other software already uses, which can make that software unusable. In most cases, the only way to be sure is to conduct thorough testing.

How does the full disk encryption software handle brute-force attacks? Without the key, the only practical way to decrypt a drive is to guess the credential repeatedly. A lockout that disables logins, either permanently or for a fixed period (perhaps two hours), after a certain number of failed attempts limits online guessing at the pre-boot screen. Be aware, though, that a lockout enforced only in software does nothing against an attacker who images the disk and guesses offline; that attack is bounded only by the strength of the passphrase and the cost of the key derivation function, unless the key is held by hardware (a TPM with anti-hammering, or an Opal self-encrypting drive) that enforces the failure counter itself.
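To make the key-handling points above concrete (the pre-boot credential unwrapping a data key in "How Full Disk Encryption Works", the recovery key in "Key Management and Recovery", and the offline guessing problem in the brute-force question just above), here is an added model in Python. It is not code from eSecurity Planet or from any of the products reviewed: the PBKDF2 iteration count, the 48-digit recovery-key format and the HMAC-based wrapping construction are assumptions chosen for illustration (real products use AES-based key wrapping and, on Windows, a TPM-sealed protector), but the structure is the one every FDE product shares: one data encryption key, several independent protectors that each wrap it.

```python
"""Model of an FDE key hierarchy: a pre-boot credential derives a key that
unwraps the data-encryption key (DEK); several protectors can wrap the same
DEK. Added example; the HMAC-keystream wrap, the PBKDF2 iteration count and
the recovery-key format are assumptions, not any product's actual format."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumption: tune so one guess costs ~100 ms on target hardware
KEY_LEN = 32                  # 256-bit DEK, in line with the AES-256 advice above

Blob = Tuple[bytes, bytes, bytes]   # (nonce, wrapped DEK, tag)


def derive_kek(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """Slow KDF: every unlock attempt, online or offline, pays this cost."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=KEY_LEN)


def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustrative stand-in for AES key wrap."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def wrap_dek(kek: bytes, dek: bytes) -> Blob:
    """Encrypt-then-MAC the DEK under the KEK."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return nonce, ct, tag


def unwrap_dek(kek: bytes, blob: Blob) -> Optional[bytes]:
    """Return the DEK, or None if the credential (hence the KEK) is wrong."""
    nonce, ct, tag = blob
    expected = hmac.new(kek, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class VolumeHeader:
    """One DEK that encrypts the sectors, plus independent key protectors."""

    def __init__(self) -> None:
        self.dek = os.urandom(KEY_LEN)
        self.protectors: Dict[str, Tuple[bytes, int, Blob]] = {}

    def add_protector(self, name: str, secret: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> None:
        """Wrap the DEK under a credential (replacing a protector of the same
        name). Adding or rotating a protector never touches the encrypted data."""
        salt = os.urandom(16)
        kek = derive_kek(secret, salt, iterations)
        self.protectors[name] = (salt, iterations, wrap_dek(kek, self.dek))

    def unlock(self, name: str, secret: bytes) -> Optional[bytes]:
        """What the pre-boot environment does with the credential you type."""
        salt, iterations, blob = self.protectors[name]
        return unwrap_dek(derive_kek(secret, salt, iterations), blob)


def new_recovery_key() -> str:
    """Random 48-digit recovery password (format modelled on BitLocker's)."""
    return "-".join(f"{secrets.randbelow(1_000_000):06d}" for _ in range(8))


def seconds_per_guess(iterations: int) -> float:
    """Cost of one offline guess against a disk image on this machine: the only
    thing slowing an attacker who has bypassed the pre-boot lockout counter."""
    start = time.perf_counter()
    derive_kek(b"guess", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    vol = VolumeHeader()
    vol.add_protector("passphrase", b"correct horse battery staple")
    recovery = new_recovery_key()
    vol.add_protector("recovery", recovery.encode())
    assert vol.unlock("passphrase", b"correct horse battery staple") == vol.dek
    assert vol.unlock("recovery", recovery.encode()) == vol.dek   # second path, same DEK
    assert vol.unlock("passphrase", b"wrong") is None
    print("recovery key:", recovery)
    print(f"one offline guess costs {seconds_per_guess(PBKDF2_ITERATIONS) * 1000:.0f} ms")
```

Two properties worth noticing: changing the passphrase only re-wraps the DEK, so no sector is re-encrypted, and a recovery key is just another wrap of the same DEK, which is why escrowing it is as sensitive as escrowing the passphrase. The `seconds_per_guess` figure multiplied by the passphrase's guess space is the real bound on an offline attack; no software lockout enters into it.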
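The extraction step of the cold-boot attack ("Advanced In-Memory Techniques" above) works because an AES implementation keeps not just the 16-byte key but its whole 176-byte expanded key schedule in RAM, and that schedule is self-consistent: every round key is derived from the one before it. The scanner below is an added example, not code from the page's sources or from the published aeskeyfind tool; it regenerates the AES S-box, expands every 16-byte window of a memory image as though it were a key, and reports windows whose following 160 bytes match the expansion, with an optional error budget for bits that decayed before capture. The "memory image" is constructed inside the script with a FIPS-197 test key.

```python
"""Locate AES-128 keys in a memory image by recognizing expanded key
schedules (the technique behind cold-boot key recovery). Added example;
the memory image is constructed below, not captured from a real machine."""
import random


def _make_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # affine transform
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def expand_key_128(key: bytes) -> bytes:
    """Return the 176-byte AES-128 key schedule (11 round keys) for `key`."""
    assert len(key) == 16
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = words[i - 1]
        if i % 4 == 0:
            t = t[1:] + t[:1]                           # RotWord
            t = bytes(SBOX[b] for b in t)               # SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]            # Rcon
            rcon = ((rcon << 1) ^ 0x11B) if rcon & 0x80 else (rcon << 1)
        words.append(bytes(a ^ b for a, b in zip(words[i - 4], t)))
    return b"".join(words)


def find_aes128_keys(image: bytes, max_errors: int = 0):
    """Scan every 16-byte window; report (offset, key) for windows whose next
    160 bytes match the window's own key schedule within `max_errors` bytes."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if len(set(cand)) < 4:              # skip zeroed or repetitive memory
            continue
        sched = expand_key_128(cand)
        errors = sum(a != b for a, b in zip(sched[16:], image[off + 16:off + 176]))
        if errors <= max_errors:
            hits.append((off, cand))
    return hits


KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key


def build_sample_image(key: bytes = KEY, size: int = 4096) -> bytes:
    """Constructed 'RAM dump': random filler, an intact key schedule at offset
    1000, and a copy at 2500 with three decayed bytes inside the schedule."""
    rng = random.Random(7)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key_128(key)
    image[1000:1000 + 176] = sched
    damaged = bytearray(sched)
    for pos in (40, 90, 150):               # simulated bit rot after power loss
        damaged[pos] ^= 0xFF
    image[2500:2500 + 176] = damaged
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for off, key in find_aes128_keys(img, max_errors=4):
        print(f"AES-128 key at offset {off}: {key.hex()}")
```

With `max_errors=0` only the intact copy is reported; raising the budget recovers the decayed copy too, which is why chilling the chips (fewer flipped bits) matters to the attacker and why a product that zeroises its key schedule on suspend, or keeps the key in a TPM-bound pre-boot PIN flow, raises the cost.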
Does the product support AES-NI instructions for hardware-accelerated encryption and decryption? Intel's AES-NI extension, announced in 2008 and first shipped in 2010, adds a small set of instructions that perform AES rounds and key expansion in hardware; AMD processors have supported the same instructions since 2011, and ARM has equivalent cryptographic extensions. Full disk encryption systems impose some processor (and therefore power) overhead for on-the-fly encryption and decryption, and the impact depends on how much disk I/O individual applications demand. For users doing typical email and office productivity work, the performance impact is unlikely to be noticeable, but it can be significant for very data-intensive activities such as video processing unless both the processor and the full disk encryption product support AES-NI.

Updated by Sam Ingalls on November 5, 2021.

What kind of Windows full disk encryption can be used with removable drives?

BitLocker provides full volume encryption for operating system volumes and for fixed and removable data drives; the removable-drive variant is marketed as BitLocker To Go. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system.
What kind of full disk encryption (FDE) is built into the Enterprise edition of Windows?

Microsoft offers a built-in FDE feature called BitLocker for organizations using Windows. It supports devices running the Windows 10 Pro, Education, or Enterprise editions, but not the Home edition. To activate it, open Control Panel > System and Security > BitLocker Drive Encryption and turn on BitLocker for the volume; operating-system volumes require a TPM (or, if Group Policy permits additional authentication at startup, a USB startup key), and the wizard asks where to save the recovery key before encryption begins.
Which type of encryption does Windows BitLocker offer?

BitLocker uses the Advanced Encryption Standard (AES) with configurable key lengths of 128 or 256 bits, in XTS mode on Windows 10 version 1511 and later (AES-CBC remains available for removable drives and for compatibility with older systems). The default is XTS-AES 128; the method is set with the Group Policy setting "Choose drive encryption method and cipher strength", which must be configured before a volume is encrypted because changing it does not re-encrypt existing volumes.
When encrypting file system data, how can you apply encryption to individual files and folders?

On Windows, the Encrypting File System (EFS) provides file-level encryption: right-click (or press and hold) a file or folder and select Properties, select the Advanced button, check "Encrypt contents to secure data", select OK to close the Advanced Attributes window, select Apply, and then select OK. EFS is available on the same editions as BitLocker (not Home) and protects files with a per-user certificate; back up that certificate, since losing it makes the files unrecoverable.