Calculating the Cost of Full Disk Encryption
The price of FDE goes beyond hardware and software, but according to a recent study, the benefits far outweigh the costs.
August 30, 2012
Is full disk encryption (FDE) worth it? A recent study conducted by the Ponemon Institute shows that the expected benefits of FDE exceed cost by a factor ranging from four to 20, based on a reduction in the probability that data will be compromised as the result of the loss or theft of a digital device.
The report, "The TCO for Full Disk Encryption," was conducted independently by Ponemon and sponsored by WinMagic. The stated purpose of the study was to learn how organizations are deploying software and hardware FDE systems, as well as to determine the total cost of ownership of such deployments across different industries.
"Encryption is important to mitigating the damage caused by data breaches, complying with privacy and data protection regulations, and preserving brand and reputation," states the report. "In order to make rational decisions regarding the optimum use of encryption, it is important to comprehend the total cost of ownership (TCO). This particularly applies to solutions believed to be free but may have significantly higher TCO than commercial products."
Ponemon surveyed 1,335 people in IT and IT security in the U.S., the U.K., Germany and Japan. Respondents had an average of 10 years of relevant experience.
The study measured costs in 11 segments: licensing, maintenance, incremental costs, device pre-provisioning, device staging, tech time spent on password resets, end-user downtime spent during password resets, cost associated with re-imaging hard drives, end-user downtime associated with initial disk encryption, end-user time spent operating an FDE-enabled computer, and the value of tech time incurred for various administrative tasks related to encrypted drives. The TCO was the sum of each of these costs per computer for one full year.
While the study found that the benefits of full disk encryption generally exceed the cost in all four of the countries studied, TCO varied by organizational size and industry. In terms of company size, the TCO is highest for organizations with fewer than 50 employees ($403) and for companies with more than 25,000 employees ($315). Highly regulated industries such as finance and healthcare saw the highest TCO ($388 and $366, respectively), while less regulated industries saw lower TCO. For example, the TCO in entertainment and media was $201.
The study found that the most expensive element of FDE is not the hardware or software involved, but the value of user time it takes to start up, shut down and hibernate computing systems while using FDE. Also adding to the cost is the time it takes technicians to complete full disk encryption procedures. These costs must be taken into consideration, the report suggests, when considering the use of free FDE systems and those included with operating systems as opposed to commercial products.
To gauge the cost benefit of FDE, Ponemon looked at the average number of laptop or desktop computers stolen in the four countries studied, as well as the average number of records potentially at risk on lost or stolen devices.
After doing all of the math, Ponemon found that the cost of FDE on laptop and desktop computers in the U.S. per year was $235, while the cost savings from reduced data breach exposure was $4,650.
The Why Behind Encryption
The research also revealed the reasons organizations choose to encrypt laptop and desktop computers in the first place. Across all four countries studied, and with respondents naming their top two reasons why data is encrypted on systems in their organizations, compliance with self-regulatory programs (32%) and national data protection laws (30%) came out on top. Following were:
• 25%: Minimizing exposure resulting from lost computers
• 23%: Avoiding harm to customers resulting from data loss
• 20%: Improving security posture
• 18%: Minimizing the cost of a data breach
• 17%: Complying with vendor/business partner agreements
• 10%: Minimizing the effect of cyberattacks
Whatever the cost or cost benefit, and whether free or commercial products are used, the Electronic Frontier Foundation is encouraging the use of FDE for protecting data on mobile devices. "Full disk encryption uses mathematical techniques to scramble data so it is unintelligible without the right key," said the nonprofit advocacy group. "Without encryption, forensic software can easily be used to bypass an account password and read all the files on your computer. Fortunately, modern computer systems come with comparatively easy full-disk encryption tools that let you encrypt the contents of your hard drive with a passphrase that will be required when you start your computer. Using these tools is the most fundamental security precaution for computer users who have confidential information on their hard drives and are concerned about losing control over their computers."
Likewise, Aberdeen IT security research fellow Derek Brink recommended that organizations "do something." In the report "Endpoint Security: Hardware Roots of Trust," which examines the increasing vulnerabilities in software and how hardware can be used to mitigate risk, Brink writes, "Regardless of which approach to data protection is taken, all companies should be doing something to mitigate this risk."
Aberdeen research has shown that between the models of encrypting only specific files or folders and the "brute force" of encrypting everything on the endpoint, the general trend is toward full-disk encryption and, increasingly, self-encrypting drives (SEDs). SEDs include a circuit built into the disk drive controller chip that encrypts all data automatically.
Brink adds that any type of encryption should be integrated with existing processes, including identity management and helpdesk processes, backup and recovery, patch management and end-user training. "The extent to which endpoint encryption can be made systematic and integral to these types of processes will be the biggest contributor to success, particularly on large-scale rollouts."
Follow Deb Donston-Miller on Twitter at @debdonston.