Local Encryption ... Why Not?



  • In a couple of my topics, I have inquired about local encryption of data, and the consensus here has been ... why do it?

    I know in this thread we are going to touch on physical security and also the concept of never having important data on a local endpoint. But my theory/question is, that if it is possible, and not too much of a hassle to the end user, why NOT do it? It gives one more piece of protection.

    For example:
    I install a self-encrypting SSD on a user machine. I install Embassy Security Manager from Wave Systems to enable the self-encrypting aspect of the drive. I create an admin user that only I know. The user account synchronizes with Windows, so the user never has to worry about a password. If they know their logon password, they can access the drive.
    Granted, I would not recommend this solution for everyone. But for instances where the user has an IT person (or is a step above the average user) I don't know see how doing this would harm anything, and provide immense protection in the case of theft.

    It has also been mentioned that in a doctor office, the staff cannot be instructed to enter a password, either for a NAS or for something like Bitlocker. But if it provides encryption of some sort, and gives another layer of protection, wouldn't this be a valuable use of something to train them on?

    I understand the concept of having no data on the endpoint, but is that realistic? Does no one sync their data from a cloud service (such as OneDrive or ODfB) to their PC? What about Outlook's local data store? What about temporary files?

    I also understand the concept that things like servers, or any device with important data should be locked up, and almost impossible to gain physical access to. But just in case, why not add the extra protection?

    I am under the impression that for HIPAA, if a laptop with PHI is lost, and the drive is encrypted, that is basically not a violation for them, as the data is deemed inaccessible. No encryption? It is a major issue.

    Annnnnd begin! 🙂



  • @BRRABill said:

    Data at rest, can be encrypted without issue, the trouble comes when you want to access that data, how does it get decrypted if not with a password?

    I know in this thread we are going to touch on physical security and also the concept of never having important data on a local endpoint. But my theory/question is, that if it is possible, and not too much of a hassle to the end user, why NOT do it? It gives one more piece of protection.

    Their providing credentials to decrypt the drive... so there is a password. Not the admin password. But still...

    For example:
    I install a self-encrypting SSD on a user machine. I install Embassy Security Manager from Wave Systems to enable the self-encrypting aspect of the drive. I create an admin user that only I know. The user account synchronizes with Windows, so the user never has to worry about a password. If they know their logon password, they can access the drive.

    Data at rest, should be encrypted, and not on a local device, but if you must, encrypt data at rest. (IE Power off the machine and encrypt the drive)

    Granted, I would not recommend this solution for everyone. But for instances where the user has an IT person (or is a step above the average user) I don't know see how doing this would harm anything, and provide immense protection in the case of theft.

    Again they are still entering credentials to decrypt the system

    It has also been mentioned that in a doctor office, the staff cannot be instructed to enter a password, either for a NAS or for something like Bitlocker. But if it provides encryption of some sort, and gives another layer of protection, wouldn't this be a valuable use of something to train them on?

    This is perfectly realistic with solutions like office 365.

    I understand the concept of having no data on the endpoint, but is that realistic? Does no one sync their data from a cloud service (such as OneDrive or ODfB) to their PC? What about Outlook's local data store? What about temporary files?

    Denying physical is a great start

    I also understand the concept that things like servers, or any device with important data should be locked up, and almost impossible to gain physical access to. But just in case, why not add the extra protection?



  • My boss recently came back from a conference where she heard just that - if your endpoints have encryption and they are lost or stolen, you don't have a break - basically you have a golden ticket.

    This is an overly simplistic view. For example, if the user is using a simple password, your encryption isn't really that secure.

    I'm like you, I definitely like the idea of encryption on endpoints, and like Scott, encryption in the DC is at least a huge pain in the ass up to completely crippling.

    If your HIPPA compliant workspace does not have a secure DC, then you really probably should be looking at encrypting your NASs and servers, but if you have at least pretty good physical security, then I'd skip it.



  • @Dashrender said:

    My boss recently came back from a conference where she heard just that - if your endpoints have encryption and they are lost or stolen, you don't have a break - basically you have a golden ticket.

    We've been dealing with a HIPAA consultant, and of course there is more to it, but that's the genral gist. They look at 256-bit encryption (with other policies) as not a breach.

    Here at my work, we use self-encrypting SSDs, and have complex passwords, so I feel pretty safe.



  • @Dashrender said:

    If your HIPPA compliant workspace does not have a secure DC, then you really probably should be looking at encrypting your NASs and servers, but if you have at least pretty good physical security, then I'd skip it.

    This is another area I'd like to touch on in this thread.

    As an example, a small, 10 person doctor office. They obviously have PCI on their server. If the server is locked in a room, which resides in their office that is also locked and security alarmed, is that enough? I thought a requirement of HIPAA was data at rest had to be encrypted, but it seems like the general gist here is "skip it".



  • @BRRABill said:

    I understand the concept of having no data on the endpoint, but is that realistic?

    Nothing is "always possible." But this is extremely realistic. Unbelievably realistic. Tons and tons of companies have been doing this for a long time and the number one selling device for end points on the market today (not including phones) works this way. This isn't just realistic, it is rapidly becoming the norm even without IT oversight or a concerted push to do so. The benefits are so great that it is simply taking over.



  • @BRRABill said:

    I know in this thread we are going to touch on physical security and also the concept of never having important data on a local endpoint. But my theory/question is, that if it is possible, and not too much of a hassle to the end user, why NOT do it? It gives one more piece of protection.

    It does give another piece of protection and if you both have data on a device and have no downsides to it, I would agree that you should always do it. It always creates cost, performance loss and complications, though, including risk to data retrieval.

    It provides protection against physical theft of locally stored data. This is true. But it does this by making that data harder to recover as well.

    Basically what I am saying is that it is a set of tradeoffs and while there are times that end point encryption does make sense, just doing it as a blanket thing does not.



  • The biggest problem with endpoint encryption, IMHO, is that it empowers and encourages the very behaviour that we want to avoid - putting critical data in dangerous places. If we are truly stuck and need data in dangerous places, okay, then let's protect it as best as we can. But let's not protect something that doesn't need to be at risk just to make the risk seem less.



  • @scottalanmiller said:

    Nothing is "always possible." But this is extremely realistic. Unbelievably realistic. Tons and tons of companies have been doing this for a long time and the number one selling device for end points on the market today (not including phones) works this way. This isn't just realistic, it is rapidly becoming the norm even without IT oversight or a concerted push to do so. The benefits are so great that it is simply taking over.

    How do these systems deal with my questions, though?

    • local outlook data store
    • temporary files created
    • synced files from cloud providers

    I'm from a small shop mentality, but do larger companies really not do any of those things these days?



  • @BRRABill said:

    I install a self-encrypting SSD on a user machine. I install Embassy Security Manager from Wave Systems to enable the self-encrypting aspect of the drive. I create an admin user that only I know. The user account synchronizes with Windows, so the user never has to worry about a password. If they know their logon password, they can access the drive.

    Is this product free? How reliable is it? What happens if you have Active Directory issues? Do you now have to track individual admin passwords for each machine?



  • Potential Issue to address:

    In the Wave / Samsung scenario... I had a laptop that had Active Directory fail from Microsoft. Would this have made the data on my laptop unavailable to me? How would I retrieve it in a situation where AD has failed and I no longer have access to my laptop?

    (This did not affect me as I neither encrypted nor stored data on my laptop. But in theory...)



  • Potential Issue to Address:

    I recently had a Mac do an OS update. In doing so it broke the encryption system and I lost the ability to boot the OS. This left me stranded in another country without a working laptop. I could do nothing as it was encrypted. I could not boot nor repair nor retrieve data. How would you address this?



  • @BRRABill said:

    How do these systems deal with my questions, though?

    • local outlook data store

    Outlook is an outmoded product and has been for a long time. Even MS barely uses it any more. This is a perfect example of using fat, local software where lean, remote software works better in most cases (always an exception.)

    I use Exchange but don't use Outlook. Works far better with OWA than with Outlook. What we are talking about here is not using products like this.



  • @BRRABill said:

    • synced files from cloud providers

    Why would you by syncing? Again, the point is not to do these things.



  • @BRRABill said:

    • temporary files created

    There are options here...

    • Destroy at shutdown
    • Not store at all (not very reasonable)
    • Keep unencrypted because.... how often does this matter?
    • Encrypt via the application.


  • @BRRABill said:

    It has also been mentioned that in a doctor office, the staff cannot be instructed to enter a password, either for a NAS or for something like Bitlocker. But if it provides encryption of some sort, and gives another layer of protection, wouldn't this be a valuable use of something to train them on?

    Training is not a concern. Usage is the concern. Experience with these types of users is that they will at best regret the decision, typically blame IT for making things complicated and very often you will lose the client to another MSP who shows the doctor how to "fix" the problem.

    As the MSP you'll either have to put the doctor at risk by forcing them only to keep the password and have no one to turn to when they lose or forget it or you as the MSP will have to track the password and then you carry a risk that you don't want to carry.

    I see, in the real world, few good scenarios for this. Training is not a concern, long term usage and happiness will be the big factor. When a NAS stays online for three years, all staff turns over and suddenly it reboots and all data is lost and the business is "down" because of the "darn MSP making things complicated" you don't want to face the ire of people who don't remember why this was done in the first place.



  • @BRRABill said:

    I also understand the concept that things like servers, or any device with important data should be locked up, and almost impossible to gain physical access to. But just in case, why not add the extra protection?

    Because encryption always adds risk. It might take risk away, but it always adds risk too. It's always a tradeoff in risks. When the risk you are taking away is completely trivial, you don't really want to make that tradeoff.

    I've worked in some of the most secure environments in the world and even there they would only encrypt in the most specific circumstances. Even their security team (we are talking potentially seven figure security advisors) and their entire IT team would general advise against encryption for 90% of workloads because it introduces big risk while reducing effectively none.

    If the biggest, riskiest, most attacked, biggest budget, most secure environments in the world think that it is a silly waste of resources and that it does not add any meaningful protection: it is worth listening.



  • @scottalanmiller said:

    Is this product free? How reliable is it? What happens if you have Active Directory issues? Do you now have to track individual admin passwords for each machine?

    It is not free. It is $39 standalone.

    Been reliable so far except when an AV program broke it. And even that didn't break it, it just broke the single sign on for that client, which I do not have enable on my machine anyway.

    I guess it would depend on the AD issues. If worst came to worst, I could log in as the SED Admin account I created on the drive and unlock it.

    You do have to track admin passwords. They have software that integrates in a larger environment, but for me it's just as easy to track the admin passwords. I use a huge complex password, and keep it the same on all the devices I need to manage.



  • @BRRABill said:

    I am under the impression that for HIPAA, if a laptop with PHI is lost, and the drive is encrypted, that is basically not a violation for them, as the data is deemed inaccessible. No encryption? It is a major issue.

    This is a grey area. There are no checkboxes with HIPAA. There are "anti-checkboxes", meaning things that you can never do, but there is nothing that you always have to do. Things that must be avoided but nothing that has to be done.

    HIPAA is about "reasonable efforts at security." And much of that will come down to expert witnesses and a judge making a determination. If I had a laptop stolen and it was encrypted and someone broke that encryption I'd hate to face an expert witness and a judge who ask me "so why did you have data on a laptop in the first place?"

    Encryption would be expected in that situation, but if not implemented well it would no more protect you from a HIPAA fine than if you did not have it. It's a good starting point once you assume you are doing things like putting data on endpoints. But we will keep coming back to asking "why are we being so risky in the first place and does encrypting those devices encourage reckless behaviour?"



  • @BRRABill said:

    I guess it would depend on the AD issues. If worst came to worst, I could log in as the SED Admin account I created on the drive and unlock it.

    You do have to track admin passwords. They have software that integrates in a larger environment, but for me it's just as easy to track the admin passwords. I use a huge complex password, and keep it the same on all the devices I need to manage.

    So if that one password was to be compromised, all encryption would be useless? And if that one password is not available, all of that data is at risk? I don't like the sounds of those odds. I can see cases where that would make sense, but I'd feel pretty worried in any situation where I felt the need to deploy it.

    If I have data stored somewhere, I want to know that it can be retrieved reliably. If I don't need it retrieved reliably, why store it there?



  • @scottalanmiller
    I agree here... if there is no data on the endpoint.. there is nothing to worry about - at that end. You move it to the convenience and the host.

    You also pretty much pull all your costs back to your network and your host as you need next to nothing but a terminal at the user.



  • @BRRABill said:

    It is not free. It is $39 standalone.

    Not bad but that adds up, too. If the question is "why not just do it", I'd say that it needs to have a clear value in excess of $39 as a starting point. For most machines that I deal with, it would not. The cost of the license and license management alone would be too costly before we consider any risk that it introduces, performance loss that it causes or IT overhead cost that it brings in.



  • @scottalanmiller said:

    So if that one password was to be compromised, all encryption would be useless? And if that one password is not available, all of that data is at risk? I don't like the sounds of those odds. I can see cases where that would make sense, but I'd feel pretty worried in any situation where I felt the need to deploy it.

    If it was compromised the encryption wouldn't be useless, the person with the compromised password could just access the data. So they would have to have somehow gained access to my very complex password AND stolen the machine with the SED.

    The password is always available, unless I am dead. And even in that instance, the user still have their password so they could get in, and the data on these systems are all backed up. (Also with encryption both locally and in the cloud.)

    I think the switchover point is around machines, where they recommend central management. But for a one-off here and there it wouldn't make sense.



  • @scottalanmiller said:

    HIPAA is about "reasonable efforts at security." And much of that will come down to expert witnesses and a judge making a determination. If I had a laptop stolen and it was encrypted and someone broke that encryption I'd hate to face an expert witness and a judge who ask me "so why did you have data on a laptop in the first place?"

    But again, what are the odds of this?

    As has been discussed in other threads, there is a still a lot of data on endpoints, right or wrong. Or at least, that is my feeling. Would love to hear other thoughts of people in the wild or this.



  • In your "all on the cloud" example...

    Let's say a covered entity transfers a file of mailing addresses (PHI, obviously) to me. It stored on a HIPAA-compliant cloud service, so no issues there. I want to bring down the file to locally make labels and print on my machine.

    How does this work? I assume you'd download it, do your work, and then delete all instances?

    I guess in this scenario, I could use a product like "Deep Freeze" so there is NEVER any data on there. But that is a very limited case.



  • @scottalanmiller said:

    Why would you by syncing? Again, the point is not to do these things.

    Usage on a laptop when there is not WiFi?

    Or if they are very large files, so as to not have to wait to work with them?

    Or if they are files for which there is no cloud-version available. Such as a lot of the third party software we've been discussing. And while products such as QuickBooks or Lacerte might have better alternatives, a lot of the proprietary stuff you'd see in a doctor's office, or financial planner's office might not.



  • @BRRABill said:

    @scottalanmiller said:

    So if that one password was to be compromised, all encryption would be useless? And if that one password is not available, all of that data is at risk? I don't like the sounds of those odds. I can see cases where that would make sense, but I'd feel pretty worried in any situation where I felt the need to deploy it.

    If it was compromised the encryption wouldn't be useless, the person with the compromised password could just access the data. So they would have to have somehow gained access to my very complex password AND stolen the machine with the SED.

    The password is always available, unless I am dead. And even in that instance, the user still have their password so they could get in, and the data on these systems are all backed up. (Also with encryption both locally and in the cloud.)

    I think the switchover point is around machines, where they recommend central management. But for a one-off here and there it wouldn't make sense.

    Unless the encryption system has some type of OS that boots before windows, how does that part work?



  • @BRRABill said:

    In your "all on the cloud" example...

    Let's say a covered entity transfers a file of mailing addresses (PHI, obviously) to me. It stored on a HIPAA-compliant cloud service, so no issues there. I want to bring down the file to locally make labels and print on my machine.

    How does this work? I assume you'd download it, do your work, and then delete all instances?

    I guess in this scenario, I could use a product like "Deep Freeze" so there is NEVER any data on there. But that is a very limited case.

    Well, if you are working with something like O365 and ODfB and SharePoint, you don't download it in the traditional sense. it's downloaded to your application where you do what you need.. when you close it.. the temp files are deleted by default and the file is saved back to the cloud where you go it, all automagically.



  • @Dashrender said:

    Unless the encryption system has some type of OS that boots before windows, how does that part work?

    It is built into the drive.

    Once the machine boots past the DELL logo, a WAVE screen comes up asking for a password.



  • @BRRABill said:

    @scottalanmiller said:

    So if that one password was to be compromised, all encryption would be useless? And if that one password is not available, all of that data is at risk? I don't like the sounds of those odds. I can see cases where that would make sense, but I'd feel pretty worried in any situation where I felt the need to deploy it.

    If it was compromised the encryption wouldn't be useless, the person with the compromised password could just access the data. So they would have to have somehow gained access to my very complex password AND stolen the machine with the SED.

    The password is always available, unless I am dead. And even in that instance, the user still have their password so they could get in, and the data on these systems are all backed up. (Also with encryption both locally and in the cloud.)

    I think the switchover point is around machines, where they recommend central management. But for a one-off here and there it wouldn't make sense.

    I don't know, the bigger the scale the bigger the risk and the more important that it is to keep the data off of the machines completely. The bigger you get, the more this kind of stuff costs in raw numbers.

    Also, keep in mind your number one thread is end users themselves and social engineering both of which bypass encryption automatically.


Log in to reply