Laptops have been part of the IT culture for so long that many of us have probably forgotten the time when they were "new". Today, most users have a laptop as their primary work computer. Having a laptop means a greater degree of freedom. How many of us have taken our laptop home to "catch up" on work over the weekend?
But that work laptop is also a source of great worry. You have a lot of important information on a device that is easily lost or stolen. The largest single type of security breach is the stolen or lost laptop, according to the Open Security Foundation, yet these computers are among the least protected of all IT assets. The key is in protecting the data that's on the laptop.
InfoWorld has a great article, "Your laptop data is not safe. So fix it", which makes 2 recommendations:
- Full-disk encryption
- Virtual disk encryption
If the laptop is lost or stolen, encrypting all data on the hard drive limits the risk that data can be recovered by a "bad guy". The article also makes a case for full-disk encryption coupled with the Trusted Computing Module ("TPM") available on most modern systems. However, most operating systems provide for some type of software encryption.
The less-expensive alternative to full-disk encryption is the virtual disk. Typically, you create a virtual disk (say, drive "X") and only encrypt that. Some may choose to partition the drive and create a separate area just for encrypted data. Whichever method you choose, you get a performance gain because the operating system (drive "C") remains unencrypted. But users have to be aware that drive "X" is there, and that they need to store their private files there.
While encrypting a virtual disk is certainly cheaper, there's always the risk that a user would save a file with private data on the "C" drive, thus rendering it readable.
I always encourage the use of full-disk encryption, with or without TPM. As we roll out Active Directory across the University of Minnesota Morris campus, we will ensure that encryption keys are backed up ("escrowed") into the Directory, so the University can recover the data if the original passkey is lost or forgotten.
I also like the full-disk encryption option because it means the user doesn't have to remember which area is encrypted (drive "X") and which is not (drive "C") because everything is encrypted by default. If the user doesn't have to do anything extra to get that level of security, I'm all for it.