
Full Disk Encryption Proves Its Worth, Ponemon Study

The benefits of using full disk encryption far outweigh the costs of deploying the product, which is more than just the cost of purchasing the software, according to a new study.

The Total Cost of Ownership for Full Disk Encryption study released Tuesday examined the benefits and costs of deploying full disk encryption (FDE) products within the organization. When compared to the potential damage caused in the event of a data breach, the cost of encrypting every single bit of data stored on the drive is a "fraction" of the value gained by protecting the information, the study found. The primary benefit was the lower probability of having a data breach as a result of a lost or stolen computer.

The study, sponsored by WinMagic and conducted by Ponemon Institute, surveyed 1,335 IT and IT security professionals in the United States, United Kingdom, Germany, and Japan. The survey participants represented various industry sectors and on average had 10 years of IT experience.

"The results clearly show that the benefits for encryption are extremely compelling," said Larry Ponemon, chairman of the Ponemon Institute.

However, companies underestimate the total cost of ownership for encryption, such as the amount of time it takes a technician to perform a procedure, the study found. The software cost of the product license and maintenance contract was only a "small fraction" of the total cost to the organization.

Organizations don't always understand the amount of technician time that is required to complete a procedure or the amount of idle time users incur because they can't access their computers during the encryption process. The most expensive component of having full disk encryption comes from the amount of time it takes to work on an encrypted machine. Machines with fully encrypted disks took extra time to start up, shut down and hibernate, adding 42 seconds to each day. In one year, that amounts to nearly three hours per employee lost.

The smallest and largest organizations fared the worst in the report's total cost of ownership analysis. FDE deployment and maintenance had a total cost of $399 for organizations with fewer than 50 employees and $313 for organizations with more than 25,000 employees. Amount of regulation also matters, as heavily regulated industries such as financial services and healthcare had the highest total costs, with $385 and $363, respectively.

"This study really allowed us to get very granular as it relates to the optimum use of encryption and understanding the total cost of ownership," Ponemon said.

German organizations were more likely than those in other countries in the report to encrypt sensitive and confidential information. More than 50 percent of German respondents said their organizations encrypted trade secrets, confidential financial documents and employee records.

With the exception of Germany, organizations in the remaining countries reported nearly a third of the stolen computers contained sensitive information that had been encrypted. German organizations said that only a quarter of the computers had information in clear text.

Reasons for Encrypting Data

The reasons for encrypting the data also vary across regions. Respondents from the US, Germany and Japan looked for strong security when evaluating encryption products. UK organizations are more concerned about performance and speed.

"WinMagic has long held the belief that innovative features can help to significantly reduce the cost of deploying and operating full disk encryption, while optimizing compliance and user satisfaction," said Garry McCracken, vice-president of technology partnerships at WinMagic.

U.S., UK and German organizations mainly encrypt their data to comply with state and national data protection laws. In contrast, Japanese organizations encrypt data at rest to comply with industry and self-regulatory requirements, such as PCI DSS, ISO and NIST, the report found.

WinMagic said the report found that the costs of deploying full disk encryption are higher than just the cost of the software license. Using "free" encryption products bundled with operating systems doesn't really affect total cost, since there are other issues to consider. In fact, WinMagic said the free products may have significantly higher costs than commercial products if they interfere with existing user and IT processes.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.