Data encryption is a necessary part of protecting your organization’s sensitive information. At the most, basic level data encryption is the process of scrambling text (called ciphertext) to make it unreadable to an unauthorized user. Individual files, folders, volumes, or entire disks within a computer or USB drive as well as files in the cloud can all be encrypted.
All organizations including SMBs, that collect any personally identifiable information (PII) including names, birthdates, tax ID numbers, etc. need to plan to encrypt sensitive information. Did you know you could be sued if you have a data breach and PII is stolen? Or if an employee’s laptop is stolen and the files on the device have PII and they are not encrypted, it could fall back on you.
To fully understand encryption, it’s helpful to remember that data exists in essentially three states: at-rest, in-motion, and in-use.
- Data-at-rest is information that’s stored in a digital form on a physical device, like a hard disk or USB thumb drive.
- Data-in-motion is digitized information that travels within and outside a network. For example, when users send an email, access data from a remote server, upload to or download files from the cloud, or communicate via SMS or chat functionality.
- Data-in-use is digital information that’s actively being accessed, processed, or loaded into RAM, such as active databases, or files being read edited, or discarded.
While there are various crossover points within these three states, data must be protected in all three, as well as during their transitions from one to the other. To do that we suggest you use full disk and file based encryption, here the perks of both:
Full Disk Encryption
As the name suggests full disk encryption (FDE) provides automatic encryption when data is being written to or read from a disk, but does not encrypt anything at the file level. It uses the same encryption key for the whole disk which will be immediately decrypted when the valid user credentials are entered. This means attackers can gain access to everything if the system is compromised. It’s similar to always keeping the outside doors to your house locked but then keeping the safe on the inside unlocked, once an intruder enters your home, they can take from the safe whatever they like.
The advantages of full disk encryption are:
- It’s simple to deploy
- Very low maintenance
- Eliminates any human error when it comes to if something on the disk is encrypted or not
- Everything is encrypted, nothing on the disk gets left behind
- Minimum impact on the performance of your device
- Protects files at rest within your network
File Based Encryption
File based encryption (FBE) encrypts individual files or directories instead of the entire disk. This can be done automatically or individually based on the user’s discretion. Each item in FBE is encrypted with a unique key. For comparison, FBE is similar to a lockbox at a bank, if the bank is robbed and the vault is accessed the intruder would still not have access to your lockbox.
The advantages of file based encryption are:
- Top to bottom encryption is ideal for concealing content within files
- In multi-user systems, because each key is unique to a specific person no two people can access the same file by default
- Because it encrypts files, it can be used for files in motion
- Allows for granular controls and access logs, so users can monitor their system and quickly detect any introducers
FBE or FDE: which encryption is better?
After reviewing the advantages of both you can see there is not one true winner. For organizations that have files in-rest, in-motion, and in-use a layered security approach is necessary. File based encryption fills many of the gaps that full disk encryption leaves behind, the layered approach is the perfect solution for your security toolbox.
For IT services in Kansas City, contact The Purple Guys today!