Encryption is the process of encoding or scrambling data so that it is unreadable and unusable unless a user has the correct decryption key. Endpoint encryption protects the operating system against "Evil Maid" attacks, in which someone with physical access to the device installs a keylogger or corrupts the boot files, and it locks the files stored on laptops, servers, tablets, and other endpoints so that unauthorized users cannot read the data.
Organizations use endpoint encryption software to protect sensitive information where it is stored and when it is transmitted to another endpoint. Healthcare files, bank account information, social security numbers, and home addresses are examples of information that is often encrypted.
Two commonly used encryption standards are Rivest-Shamir-Adleman (RSA) and the Advanced Encryption Standard with 256-bit keys (AES-256).
Certification criteria for encryption software include the following:
Employees at organizations store and share volumes of valuable data on USB sticks, cloud storage services, network drives, browsers, email, and in other media—all of which are vulnerable to security breaches. This data may include sensitive information, such as financial data, customer names and addresses, and confidential business plans. Encrypting the data provides significant protection against theft.
An organization may want to encrypt its data for many reasons. For instance, businesses in high-tech industries such as pharmaceuticals or software development need to protect their research from competitors. Organizations in regulated industries, such as healthcare and financial services, need to encrypt patient and consumer data to comply with government regulations. The Payment Card Industry Data Security Standard (PCI-DSS) requires retailers to encrypt consumer credit card data to prevent unauthorized use.
Unregulated organizations are concerned about data security as well. A data breach can result in negative publicity, loss of business, and partner or customer lawsuits.
Cyberattacks and data breaches are increasingly common, and they are expensive. According to the Ponemon Institute's report Cost of a Data Breach Study, the average cost for each lost or stolen record containing sensitive and confidential information increased by 4.8% year over year to $148. By this measure, a mid-sized breach of 100,000 records could cost an organization $15 million and counting.
Encryption is an essential component of a layered data security strategy. Organizations typically incorporate multiple layers of protection, including firewalls, intrusion prevention, antimalware, and data loss prevention. Encryption acts as the final layer to protect data in case it falls into the wrong hands.
There are two basic types of endpoint encryption:
Whole drive encryption protects the operating system and data on laptops and desktops by encrypting the entire drive except for the master boot record. The master boot record is left unencrypted so the machine can boot and locate the encryption driver that unlocks the rest of the system. When a computer with an encrypted drive is lost, it is unlikely that anyone will be able to access the data on it. Whole drive encryption is automatic: everything written to the drive is encrypted without any action by the user.
There are two methods of authorizing a user on an encrypted drive:
File, folder, and removable media (FFRM) encryption encrypts selected content on local drives, network shares, or removable media devices. The encryption software deploys agents that encrypt files based on an organization's policies. File-based encryption supports both structured and unstructured data, so it can be applied to a database as well as documents and images.
File-based encryption keeps the data encrypted until an authorized user opens it. This is different from whole drive encryption, which decrypts all the data once the user is authenticated and the system has booted. File-based endpoint encryption therefore continues to protect the data even after it leaves the organization. For example, when an encrypted file is sent as an email attachment, the recipient must be authenticated before the file can be decrypted. Recipients who do not have the appropriate encryption/decryption software may instead receive a link to a portal that authenticates them and decrypts the file, or a container attachment (such as a password-protected zip file) that the recipient opens with a password communicated separately by the sender.
File-based encryption relies on an organization's encryption policy to define the types of content to encrypt and the circumstances that require encryption. Once configured, encryption solutions can automatically enforce policies and encrypt content.
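The following Go program is an added example, not code from the original article or from any vendor's product. It ties together three points made above: the policy that decides which files must be encrypted, the AES-256 and RSA standards named earlier, and the requirement that a file sent outside the organization stays encrypted until an authorized recipient decrypts it. The policy values, file names and file contents are constructed for the example; the `Policy`, `EncryptForRecipient` and `DecryptAsRecipient` names are the example's own. Each file is encrypted with a fresh random AES-256-GCM key, and that key is wrapped with the recipient's RSA public key (RSA-OAEP), so only the holder of the matching private key can unwrap it. GCM's authentication tag also means a modified attachment is rejected instead of being decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"path"
	"strings"
)

// Policy lists which content must be encrypted, by file extension and by
// directory. An FFRM agent would receive this from the management console;
// here the values are constructed for the example.
type Policy struct {
	Extensions []string // e.g. ".xlsx"
	Folders    []string // e.g. "/finance/"
}

// ShouldEncrypt is the per-file decision an agent makes: encrypt when the
// extension or the containing directory is covered by policy.
func (p Policy) ShouldEncrypt(name string) bool {
	ext := strings.ToLower(path.Ext(name))
	for _, e := range p.Extensions {
		if ext == strings.ToLower(e) {
			return true
		}
	}
	clean := path.Clean(name)
	for _, f := range p.Folders {
		if strings.HasPrefix(clean, strings.TrimSuffix(f, "/")+"/") {
			return true
		}
	}
	return false
}

// EncryptedFile is the container a recipient receives: the file key wrapped
// to the recipient's RSA public key plus the AES-256-GCM ciphertext. Without
// the recipient's private key the content is opaque, wherever the file goes.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte // GCM output, authentication tag included
}

// EncryptForRecipient generates a random AES-256 key, seals the plaintext with
// AES-GCM (binding the file name as associated data) and wraps the key with
// RSA-OAEP so that only the matching private key can recover it.
func EncryptForRecipient(pub *rsa.PublicKey, name string, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32) // 32 bytes = 256-bit key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte("file-key"))
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptAsRecipient unwraps the file key with the private key and opens the
// ciphertext. A wrong key, or any change to the ciphertext, nonce or bound
// file name, fails and no plaintext is released.
func DecryptAsRecipient(priv *rsa.PrivateKey, name string, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, []byte("file-key"))
	if err != nil {
		return nil, errors.New("not an authorized recipient: cannot unwrap file key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, ef.Nonce, ef.Ciphertext, []byte(name))
	if err != nil {
		return nil, errors.New("integrity check failed: file was modified or mislabelled")
	}
	return pt, nil
}

func main() {
	policy := Policy{Extensions: []string{".xlsx", ".docx"}, Folders: []string{"/finance/"}}
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair (constructed)
	name := "/finance/q3-results.txt"
	if !policy.ShouldEncrypt(name) {
		fmt.Println("policy does not require encryption for", name)
		return
	}
	ef, _ := EncryptForRecipient(&recipient.PublicKey, name, []byte("constructed sample: account 1234"))
	pt, _ := DecryptAsRecipient(recipient, name, ef)
	fmt.Printf("authorized recipient reads: %q\n", pt)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // someone else who obtained the file
	_, err := DecryptAsRecipient(other, name, ef)
	fmt.Println("unauthorized party:", err)
	ef.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = DecryptAsRecipient(recipient, name, ef)
	fmt.Println("tampered file:", err)
}
```

Binding the file name as GCM associated data is a design choice worth noting: it stops an attacker from re-labelling one encrypted file as another without being detected, at no cost in ciphertext size. In a real deployment the policy and the recipient's public key would come from the central console rather than being built in the program.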
A comprehensive endpoint encryption solution can enable IT departments to centrally manage all encrypted endpoints, including encryption that different vendors provide. This is more efficient than constantly moving between multiple consoles. Endpoint security solutions that support multiple vendors' encryption products help reduce administrative overhead and costs.
In addition, a central console provides better visibility into the status of all endpoints, and audits use of encryption on each endpoint. An organization can use this to demonstrate compliance if a laptop or USB drive is lost or stolen.
Endpoint encryption software may include a variety of management capabilities, such as:
Encryption is an important layer in an organization's security infrastructure. Security products such as firewalls, intrusion prevention, and role-based access control applications all help protect data within the organization. However, breaches have become increasingly common, and data encryption can protect data even after it leaves an organization. Encryption is a key defense against data theft and exposure.