Disk vs file encryption - which is better at data breach prevention?

20 Oct, 2022 9 min read
Nigel Thorpe
Technical Director

Data encryption and insurance - same, same, but different?

Data encryption is a bit like insurance - we all know we need it (a necessary evil you might say), but it’s difficult to decide what we need to protect, and with an increasing amount of options out there, it’s a mission in itself to find the right provider. That’s probably why when we take out insurance we tend to only get coverage when we feel it’s absolutely necessary – for example, for our property, our cars and when we travel.

Many businesses, small and large, feel the same about data encryption: they treat it as a necessary evil and do the bare minimum. Often that means deploying full disk encryption (FDE) across their endpoints. On its own this is a checkbox activity: it covers fewer breach scenarios than most people realise and leaves a false sense of security.

What is Full Disk Encryption (FDE)?

Full Disk Encryption (FDE) is a technology that encrypts every sector of a storage device (or volume), so the operating system, programs, temporary files and user files are all covered without anyone deciding what to encrypt.

What does full disk encryption do?

Full Disk Encryption does indeed protect everything on a storage device, including the OS, user files and any other data, without the user having to think about what to encrypt. But that protection only holds while the volume is locked: when the machine is powered off and the key is not in memory. Once the volume has been unlocked at boot or login, the key stays in memory (including while the machine sleeps) and the block layer decrypts every sector transparently for any process the operating system allows to open a file, whether that process is legitimate or malicious. The only thing standing between an attacker on a running machine and the plaintext is OS access control, not the cipher.

Ironically, the “full” in FDE does not mean comprehensive; it means the whole device, some of the time. According to the 2020 Verizon Data Breach Investigations Report, “Physical actions were present in 4% of breaches”, which includes the theft of laptops and hard drives. The remaining 96% of breaches were due to hacking, errors and misuse, and social and malware attacks, almost all of which happen against a running system with its storage unlocked. We believe data security should be at the highest level all of the time.

Why doesn’t full disk encryption help?

Using FDE to establish protected locations, or security silos, makes us feel that our ‘sensitive data’ is better secured. BitLocker and other FDE products encrypt the whole volume transparently, typically protecting the volume key with the machine’s TPM so that it is only released to a trusted boot sequence. It is automatic and invisible to the user. But, as shown above, the data is not protected by encryption at all while the system is running and you are logged in and using the device, nor once it is moved or copied outside its security silo: a file copied from a BitLocker volume to a USB stick, a network share or an e-mail attachment leaves as plaintext.

You may also consider that all data held in corporate applications and databases is safe because it sits in application-specific security silos. If your staff never needed to run reports, analyse data, make presentations or work on proposals, that might hold. In practice they extract data from applications and databases to do their jobs, and those extracts end up in spreadsheets, documents and mailboxes. That is why most IT staff will admit that they do not know where all corporate data is stored, and why reliance on security silos leaves the extracted copies vulnerable to theft.

How do we prevent data breaches and leaks - the million-dollar question?

Most businesses have this question at the top of their boardroom agenda, but the irony is that the most common answer does not seem to be working; just look at the news headlines. Many businesses also admit that they do not know where all of their sensitive data lies.

In a 2020 Ponemon report, 67% of respondents said that discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy. This is dangerous because a single successful ransomware attack that spreads across the corporate network is capable of siphoning off all of this locally stored data.

To overcome this, many businesses rely on data classification technology to identify ‘important’ or ‘sensitive’ data so that it can be encrypted. But this is a significant challenge in itself; the same Ponemon report found that 31% of companies cited classifying which data to encrypt as difficult. If classification continues to be the gate that decides what gets encrypted, a significant amount of ‘sensitive’ information will be missed.

Why is data classification creating more encryption problems?

Let’s take a look at the steps required to classify information:

The first step is to perform a thorough assessment of the data held by the organisation, such as intellectual property, source code, merger and acquisition plans, financial records, customer records, personally identifiable information (PII), human resources records etc.

Then for each type of information, a detailed risk and business impact analysis must be executed, measuring the value of data to the business, taking into account aspects such as financial and operational considerations, regulatory requirements and the cost to reputation and brand in the event of a breach. These first two steps alone raise some significant issues.

- Most organisations don’t know where this data is stored. And even if it can all be located, how accurate is the classification process? Manual classification is impractical for most organisations, but automation means that search patterns and rules must be developed, all involving their own inaccuracies so it is highly likely that a proportion of ‘sensitive’ data will be misclassified.

- The initial effort to catalogue and assign classifications to all existing data must then become an ongoing process for users to assign classification tags to data as new information is created, modified and shared. This is likely to be automated – with the same potential for misclassification as before – but often, the user is allowed to override the assigned classification. And this raises the next problem: Classification and Data Loss Prevention (DLP) rules are unfair.

Are Data Loss Prevention rules creating more encryption issues?

Unfortunately, data classification rules penalise everyone because of a few bad actors. This makes employees less efficient and encourages risky behaviour. Staff who just want to get their jobs done will often subvert or circumvent the system, or intentionally misclassify data to avoid draconian policies and procedures.

Let’s now assume that the organisation has performed a successful deployment of a classification and DLP system. What happens when the world changes? Perhaps data privacy legislation is altered, or a new line of business is opened, or you notice that some kinds of sensitive data have been misclassified.

When this happens, the classification and security rules need to be updated. As we said, this should be an ongoing process, and if the organisation is small, or it holds a relatively small amount of data, an ongoing approach may be feasible. But for most organisations, it’s bordering on impossible to implement effective data labelling policies for the purpose of assigning security measures and maintaining accurate asset tagging at scale.

Protecting your data at the file level - here’s what you need to do

Data encryption has been with us for decades. It’s tried and trusted technology but it should be used to protect all data – not just that which is classified as the most important. We need to ask ourselves, what is it that we’re trying to achieve?

Today, our data needs protection from theft by external parties, from insider exfiltration and from accidental exposure. That means all data, not just the seemingly ‘sensitive’ subset, because cybercriminals are adept at connecting small pieces of data to form a bigger picture; even seemingly trivial information can be useful in the wrong hands.

So, why is it that the accepted norm is to encrypt only the ‘most important’ data, or only data that is stored? What about data that is in-use, or in-transit?

We believe the reason encryption problems keep growing is the abundance of access controls and authentication mechanisms that only put barriers in front of the information. Adding ever more stringent access controls and multi-factor authentication at every step is like building higher fences with stronger locks. If someone manages to digitally pick the lock or cut through the wall, the data behind the fence is still unprotected.

There is a better way - the SecureAge Security Suite harnesses the power of file encryption technology, to provide 100% Data protection - every file, every place and every time.

What is file encryption?

File encryption, also known as file-based encryption (FBE), is a type of encryption where individual files, or small groups of files, are encrypted separately, so the protection is attached to the file itself rather than to the device or volume it happens to sit on.

Why is SecureAge file encryption better than full disk encryption?

| Capability | Full Disk Encryption | SecureAge File Encryption |
| --- | --- | --- |
| Data is secured in a running system | No | Yes |
| Data is secured in sleep mode | No | Yes |
| Data is secured in a powered-off or removed drive | Yes | Yes |
| Encrypts data in all local and network locations | No | Yes |
| Encrypts data in a defined disk drive | Yes | Yes |
| Decrypted data is only available to authorised users when unlocked | No | Yes |
| Decrypted data is available to all users & processes when unlocked | Yes | No |
| Data-centric security where data is the encryption target | No | Yes |
| Hardware-centric security where hardware is the encryption target | Yes | Yes |
| Transparent data decryption and use for users and applications | Yes | Yes |

With SecureAge, data is encrypted and secured against breach, theft and unauthorised access all the time, even while it is in use. SecureAge’s file encryption is just as easy to use as FDE but without its disadvantages. With SecureAge, it is the data that matters, not which storage device or security silo it happens to be stored in.

SecureAge file encryption automatically encrypts files for each authorised data owner. It provides the same convenience and transparency as FDE and transparent database encryption (TDE), but it ensures that data is always encrypted whether the system is switched on or powered off. Encryption and authentication become part of the data, persisting no matter where files are copied.
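The properties claimed above for file-level encryption (ciphertext is what sits on disk, protection travels with a copy, only the key holder can read, and authentication is part of the data), shown as an added example in Go using AES-256-GCM from the standard library. This is not SecureAge’s code and not part of the original post: the on-disk layout (nonce || ciphertext || tag), the function names, the key handling and the sample file content are this example’s own assumptions, and a real product would hold the key in a key store bound to the data owner rather than in the process as done here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

// Assumed sealed-file layout for this example: nonce (12 bytes) || AES-256-GCM
// ciphertext || 16-byte tag. Nonce and tag travel inside the file, so a
// byte-for-byte copy anywhere is the same sealed blob.
// newKey returns a random 256-bit key; a failure of the system CSPRNG is fatal.
func newKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag for plaintext under key.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal returns the plaintext only if key is right and no byte was changed.
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

type Result struct {
	OnDiskIsCiphertext  bool // the stored bytes do not contain the plaintext
	CopyReadableWithKey bool // the bytes a copy carries still open for the key holder
	WrongKeyRejected    bool // another key gets an error, not garbage plaintext
	TamperRejected      bool // one flipped ciphertext byte fails the tag check
}

// demo writes one sealed file with constructed sample content and checks it.
func demo() (Result, error) {
	var r Result
	key, otherKey := newKey(), newKey()
	plaintext := []byte("Q3 forecast: revenue 12.4M, headcount +15 (constructed sample)")
	blob, err := seal(key, plaintext)
	if err != nil {
		return r, err
	}
	// Read the file back exactly as cp, Explorer or a mail client would copy it.
	path := filepath.Join(os.TempDir(), fmt.Sprintf("fbe-demo-%d.txt", os.Getpid()))
	defer os.Remove(path)
	if err := os.WriteFile(path, blob, 0o600); err != nil {
		return r, err
	}
	copied, err := os.ReadFile(path)
	if err != nil {
		return r, err
	}
	r.OnDiskIsCiphertext = !bytes.Contains(copied, []byte("forecast"))
	pt, err := unseal(key, copied)
	r.CopyReadableWithKey = err == nil && bytes.Equal(pt, plaintext)
	_, err = unseal(otherKey, copied)
	r.WrongKeyRejected = err != nil
	// Flip one ciphertext byte (after the nonce, before the tag): Open must fail.
	tampered := append([]byte(nil), copied...)
	tampered[len(tampered)-20] ^= 0x01
	_, err = unseal(key, tampered)
	r.TamperRejected = err != nil
	return r, nil
}

func main() { fmt.Println(demo()) }
```

Contrast this with a file on an unlocked FDE volume: there, `os.ReadFile` returns the plaintext to every process the OS lets open the file, and a copy made by the same call is plaintext wherever it lands.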

Best of all, it offers real-world usability with a simple approach that is inherent and invisible. In short, it does not force anyone to become a cybersecurity expert; it lets people work as they normally do without sacrificing security. Visit our SecureAge Security Suite page to find out more and get in touch with our representative to see how SecureAge Security Suite works live.
