Full disk encryption (FDE) is a critical security measure in today’s modern networks. With data security being more critical than ever, many IT admins are wondering how they can enforce full disk encryption across their fleets of cross-platform systems. Many organizations are also subject to compliance regulations including PCI DSS, which require FDE as a part of their compliance requirements.
Full disk encryption locks down a computer’s hard drive when said computer is powered off or at rest. If a computer with FDE enabled is stolen, the only thing the thief will make away with is the hardware; the data on the system will be encrypted and very difficult to acquire.
FDE programs (BitLocker for Windows, FileVault for Mac) utilize a recovery key as a method of authentication. When a user logs into their FDE-protected system, the drive is unlocked using their associated username and password. But in case a user forgets their password, is locked out or the hard drive needs to be removed and accessed for any reason, an IT admin uses the recovery key to decrypt the drive. Given the crucial nature of recovery keys, IT admins need to store them in escrow; that is, securely stored and categorized in relation to the system it belongs to.
The Payment Card Industry Data Security Standard (PCI DSS) is a compliance regulation that was created to ensure that credit card data is kept secure by companies that handle this critical customer financial information. PCI revolves around securing the cardholder data environment, or CDE, which houses all credit card information that passes through a company under compliance. There are 12 main requirements under PCI regulation, but Requirement 3 deals specifically with data encryption.
At its core, PCI Requirement 3 calls for installing proper security measures to protect data housed in the CDE. It is arguably one of the most important requirements for PCI altogether. FDE is an ideal way to ensure Requirement 3 compliance. By locking down at rest systems, IT admins can prevent unauthorized access due to a stolen laptop or hard drive.
In regards to encryption, Requirement 3 also demands that cryptographic keys are securely stored and maintained. Using recovery key escrow, IT admins can ensure that only the right people have access to cryptographic keys and also monitor when they’re used for access and who uses them.
When it comes to enforcing FDE across Mac and Windows for PCI compliance, IT admins might find that their options are limited. Many FDE tools on the market are only capable of enforcing either Bitlocker or FileVault—not both. Since many of today’s IT organizations are heterogeneous with regards to system platforms, an FDE solution that can only enforce one or the other simply won’t do and admins would rather not implement multiple solutions to reach the desired end.
Additionally, IT organizations need their FDE solution to securely store cryptographic recovery keys in escrow. This need limits the list of ideal FDE options even more. At the end of the day, with these requirements, there’s an excellent option that provides IT admins with a low overhead FDE experience suited for PCI compliance. Using JumpCloud’s Policies, IT admins can enforce FDE at scale across their Windows and Mac system fleets, escrowing individual recovery keys safely.
The emergence of low/no-code platforms is challenging traditional notions of coding expertise. Gone are the days when coding was an…
Datadog today published a State of DevSecOps report that finds 90% of Java services running in a production environment are…
Linux dodged a bullet. If the XZ exploit had gone undiscovered for only a few more weeks, millions of Linux…
We're going to send email messages that say, "Hope this finds you in a well" and see if anybody notices.
I am happy and proud to announce with Daniel Newman, CEO of Futurum Group, an agreement under which Futurum has…
Most developers are using some form of DevOps practices, reports the CDF survey. Adopting STANDARD DevOps practices? Not so much.