Full disk encryption (FDE) is a critical security measure in today’s modern networks. With data security being more critical than ever, many IT admins are wondering how they can enforce full disk encryption across their fleets of cross-platform systems. Many organizations are also subject to compliance regulations including PCI DSS, which require FDE as a part of their compliance requirements.
What is FDE?
Full disk encryption locks down a computer’s hard drive when said computer is powered off or at rest. If a computer with FDE enabled is stolen, the only thing the thief will make away with is the hardware; the data on the system will be encrypted and very difficult to acquire.
FDE programs (BitLocker for Windows, FileVault for Mac) utilize a recovery key as a method of authentication. When a user logs into their FDE-protected system, the drive is unlocked using their associated username and password. But in case a user forgets their password, is locked out or the hard drive needs to be removed and accessed for any reason, an IT admin uses the recovery key to decrypt the drive. Given the crucial nature of recovery keys, IT admins need to store them in escrow; that is, securely stored and categorized in relation to the system it belongs to.
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a compliance regulation that was created to ensure that credit card data is kept secure by companies that handle this critical customer financial information. PCI revolves around securing the cardholder data environment, or CDE, which houses all credit card information that passes through a company under compliance. There are 12 main requirements under PCI regulation, but Requirement 3 deals specifically with data encryption.
Using FDE for PCI
At its core, PCI Requirement 3 calls for installing proper security measures to protect data housed in the CDE. It is arguably one of the most important requirements for PCI altogether. FDE is an ideal way to ensure Requirement 3 compliance. By locking down at rest systems, IT admins can prevent unauthorized access due to a stolen laptop or hard drive.
In regards to encryption, Requirement 3 also demands that cryptographic keys are securely stored and maintained. Using recovery key escrow, IT admins can ensure that only the right people have access to cryptographic keys and also monitor when they’re used for access and who uses them.
How to Enforce FDE to Achieve PCI Compliance
When it comes to enforcing FDE across Mac and Windows for PCI compliance, IT admins might find that their options are limited. Many FDE tools on the market are only capable of enforcing either Bitlocker or FileVault—not both. Since many of today’s IT organizations are heterogeneous with regards to system platforms, an FDE solution that can only enforce one or the other simply won’t do and admins would rather not implement multiple solutions to reach the desired end.
Additionally, IT organizations need their FDE solution to securely store cryptographic recovery keys in escrow. This need limits the list of ideal FDE options even more. At the end of the day, with these requirements, there’s an excellent option that provides IT admins with a low overhead FDE experience suited for PCI compliance. Using JumpCloud’s Policies, IT admins can enforce FDE at scale across their Windows and Mac system fleets, escrowing individual recovery keys safely.
