Sorry for the general lack of updates the past few days, but I managed to get sick while down in Mexico for a friend’s wedding. No, not that kind of sick, just some flu I picked up from one of the many children running around. Aside from setting me back at work, it makes me a bit sad since my copy of Wii Fit showed up while we were gone and I’ve been too out of it to start my Nintendo-inspired workout regimen. Yeah, I’m just that geeky.
Enough of my personal life, let’s talk encryption.
I used to joke about the client who once told me their management mandated “double encryption” on all financial information after a breach. In their case, they were encrypting their database and backup tapes. Not that there isn’t a valid reason to encrypt databases and backup tapes, but the way they were implementing provided no additional security. Once those card numbers were encrypted in the DB, re-encrypting at the tape level added no value (this wasn’t a case where they were encrypting the tapes to protect information not already encrypted).
But if we go back to the Three Laws of Encryption, there are circumstances where you might consider multiple layers. The most common case is encrypting for media protection, and simultaneously for separation of duties.
Full disk encryption is your best bet to protect yourself from information loss due to a lost or stolen laptop, but there are situations where FDE is not enough. It doesn’t protect content from multiple users on a system- say the sensitive financials on the CFO’s laptop from the lowly system administrator; nor does it protect content as it moves- say to a USB drive. File level encryption allows more granular control and protection in a wider range of circumstances. But since users are unreliable, and there are places (like virtual memory) where sensitive data can hide, file encryption doesn’t obviate the need for FDE (or an FDE equivalent).
Thus file encryption is complementary to full drive encryption; each solves a different part of the data protection puzzle. With file encryption you can protect content as you move it off the laptop, protect it from other users (especially administrative users) on the same system, and encrypt data that’s shared across a team using group keys.
Long term, file encryption will become more interesting as it combines with DLP. We are starting to see products that encrypt files based on their content, managed by central policies. Have something with a credit card number in it? It’s automatically encrypted using a corporate key. While FDE doesn’t need to pick and choose what to protect, over the long term file encryption (and DRM) will need to use content and context awareness to reduce the burden on users, comply with corporate policies, and improve the practicality of encryption.