From The Expert Feature Article
March 02, 2017

When FDE Isn't An Appropriate Data Security Solution

By Special Guest
Raffi Jamgotchian, President and CTO, Triada Networks

For managed service providers (and I should know), software-based full disk encryption (FDE) is the traditional default for encrypting the desktops, laptops, phones and tablets of organizations that keep sensitive data on them. Full disk encryption, true to its name, encrypts every sector of the disk, so that nothing on it is readable until the user authenticates at boot and the disk encryption key is unsealed.

But this popular method is often cumbersome and obtrusive for both users and MSPs, for a number of reasons.

While most MSPs (and again, ourselves included) focus on providing value through remote system management – implementing solutions, performing maintenance, and resolving issues without requiring direct contact with a company’s devices – full disk encryption doesn’t fit this framework. The obstacle is pre-boot authentication: a device that has been powered off or rebooted sits at the FDE prompt until someone physically present enters the passphrase, so the operating system, and with it the MSP’s remote management agent, never comes up. Remotely powering on a machine therefore gains nothing, and any update, diagnostic or repair that requires a reboot stalls until an on-site user or administrator is available. Nor can the disk be worked on offline without the recovery key, since everything on it is ciphertext; repairs then mean specialized vendor tools or physical access to the hardware. Only FDE products that can unlock the volume without a person present (a hardware-bound key or a network unlock) avoid this, and that capability has to be chosen and configured at deployment time.

In practice, this leads to compatibility problems as well. A third-party FDE driver sits beneath the operating system, so a major OS upgrade that the driver does not yet support cannot be installed until the vendor ships a compatible release or the disk is decrypted first; the OS is effectively frozen at whatever version the FDE product understands, even when that version becomes incompatible with other solutions the MSP provides. FDE products also tend to be sold as perpetual licenses paid up front and installed per machine or server. That payment model runs against the recurring-service model MSPs have built themselves around, and against the way customers buy from them.
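As an added illustration of the maintenance problem described above (this is not the article's code, and the article does not name the FDE product involved), the following PowerShell assumes Windows BitLocker and shows what an MSP would script before an unattended patch reboot: confirm that the OS volume can unlock itself from the TPM rather than waiting at a passphrase prompt, make sure a recovery password exists and is escrowed, and suspend protection for exactly one reboot so a firmware or OS update that changes the measured boot state does not strand the machine in recovery. The function names are my own; the cmdlets are the standard BitLocker module.

```powershell
# Added example, not from the article. Assumes Windows with the BitLocker
# PowerShell module and an AD DS-joined machine for key escrow.
#Requires -RunAsAdministrator

function Get-FdeStatus {
    # One row per volume: encryption state, whether protectors are active,
    # and which protector types exist. ProtectionStatus = Off means the
    # volume key is stored in the clear on disk (suspended), not "decrypted".
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Invoke-FdeMaintenanceReboot {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Only a TPM-based protector (Tpm, TpmPin, TpmStartupKey, ...) lets the OS
    # volume unlock without a person at the keyboard. A password-only volume
    # will stop at pre-boot authentication after an unattended reboot, which is
    # exactly the situation the article complains about.
    $tpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    if (-not $tpm) {
        throw "$MountPoint has no TPM protector; an unattended reboot would stall at pre-boot authentication."
    }

    # Never touch protectors without an escrowed recovery password. If none
    # exists, add one; then back it up to AD DS (use
    # BackupToAAD-BitLockerKeyProtector on Entra-joined devices instead).
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    # Suspend for exactly one reboot: firmware or OS updates can change the
    # PCR measurements the TPM sealed the key against, and without this the
    # machine boots into the recovery prompt. BitLocker re-arms itself after
    # the reboot count is exhausted, so nothing is left suspended by mistake.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1

    Restart-Computer -Force
}

# Usage: Get-FdeStatus ; Invoke-FdeMaintenanceReboot -MountPoint 'C:'
```

After the machine comes back, run Get-FdeStatus again and confirm ProtectionStatus is On for the OS volume; if it is still Off, Resume-BitLocker re-arms it. Two caveats: TPM-only unlock removes the pre-boot gate, so the Windows logon becomes the only thing standing between a thief and a booted system (pair it with a TPM+PIN where policy allows), and a product that offers no TPM or network protector at all has no unattended path, which is the limitation the article is describing.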

Speaking of the issues companies using FDE can face, I’ll give an example from experience. A chemical company we provide services for required an encryption solution for laptops and mobile devices in the field, which were used by traveling salespeople and contained proprietary chemical formulas, client lists, internal data and other sensitive information which absolutely needed to be safeguarded for the good of the business.

Initially, we provided an FDE solution to meet this need. We quickly learned that a transparent and easy-to-use solution would be ideal for this company’s needs – which FDE was not. With FDE, we found that users’ logins often wouldn’t work, due to the many different caching systems that computer manufacturers put on their machines, which would clobber the FDE solution’s encryption keys so badly that we were performing remote challenge-response recoveries to boot these machines every day when logins failed. This was frustrating for end users, who had to sideline their hardware fairly often while we went through the cumbersome process of resetting their ability to log in properly. It was frustrating for us as an MSP as well, to have a solution that so problematically required non-stop maintenance and made that maintenance overly complicated to provide.

In the end, we moved on to a cloud-based encryption tool from Beachhead Solutions, which made it possible to deliver encryption and data security transparently enough that end users could forget it was present on their devices. Moving to a cloud solution showed us peripheral (but substantial) benefits as well. With remote management capabilities back on the table, we’re now able to remotely control access or wipe data as the situation may dictate. This gives us data protection when a PC may be lost, stolen or in the hands of a no-longer-authorized user. These features have indeed protected the company from breaches that could have been greatly harmful if allowed to occur.

In our experience, cloud-based encryption has proven to be much more manageable and in step with clients’ needs than FDE. While FDE strategies aren’t likely to go extinct anytime soon, a cloud alternative gives MSPs and the businesses they serve increased transparency and flexibility when issues inevitably arise.

About the Author

Raffi Jamgotchian is the President and CTO of Triada Networks, an IT services firm that caters to boutique investment and other security conscious firms in Metro New York. Triada Networks focuses on providing IT practices that help firms reduce risk and data loss.

Edited by Alicia Young