In the current IT environment, where encryption is as essential as anti-virus, the ease of deployment and cross-OS support is vital for anyone in the channel trying to secure orders for IT security. Furthermore, in a sales environment where one of the greatest barriers to investment is a fear of excessive disruption in roll-out and subsequent uptake, the ability to remove the need for support for low-level queries such as password recovery is a surprisingly powerful pitch.
Securely encrypting a device, either mobile or desktop or server, is a process that can be fraught with complications. Does that device run a hard drive (HDD), a Solid State Drive (SSD) or is it equipped with a Self-Encrypting Drive (SED)? This is before you have to consider external devices such as USBs, DVDs and CDs. At a singular level this can be tricky enough, but imagine the potential problems at SME and large enterprise level to secure their mobile and desktop devices.
Drive encryption is now considered the de facto standard for all stationary and mobile data devices. But administrators of large organisations, helpdesk staff and end users are still continually put to the test when trying to remotely access secure networks and implement updates. It is time consuming for end users who perhaps forget their password and then have to go through a lengthy process with a member of the IT Security team to regain access; this resource could and should be used more efficiently. In addition, the drawn out process of updating software leads to frustrated administrators and impacts on productivity.
To avoid users bypassing the security measures altogether to access their data and consequently creating flaws in the data security process, would it not be more productive if data encryption could be managed centrally from a single console?
A solution would be to offer disk encryption authentication without impacting end users through a network connection during the pre-boot phase. This allows all existing business processes to be carried out without any further adjustments and without specialised training for helpdesk staff, thus reducing the time and cost of implementing a secure network.
The helpdesk will have the ability to create passwords in Active Directory without having to resort to additional tools for creating challenge/ response codes. Administrators can install security updates via Wake-on-LAN without extra effort and end users do not have to be granted additional administrative access rights to encrypted computers – access can be as it was in an Active Directory. This in turn reduces the total cost of ownership (TCO) and effort that an organisation has to go through to implement a data security programme.
Leading pre-boot authentication systems will not store the cryptographic information locally on servers required to boot, so even if the server is separated from the secure internal network or on a single hard disk, the data will remain protected.
There are also a few exceptions that support SEDs without duplicating any encryption. If a device already has an SED installed then there is little point encrypting that device twice and slowing down the performance of the device. For example, it would take time to encrypt the drive a second time and then it would continue to double encrypt on an ongoing basis defeating the performance advantage of the SED.
SSDs are expensive due to their higher performance rate, therefore it is imperative to use one of the very few software encryption solutions available for SSDs that limits the impact on the performance. The end result of implementing a pre-boot networking solution is a secure data encrypted network that has little impact on the end user.
Empowering the helpdesk to use Active Directory for password resets of encrypted computers significantly reduces the time and process users would have to go through to retrieve a forgotten or lost password. Having a single point where the encryption can be managed in addition to any existing security software significantly reduces the headaches of implementing a full data encryption rollout.
