I’ve had two discussions with clients today already on the role of full drive encryption (FDE technologies such as Microsoft’s BitLocker, McAfee Total Protection, Sophos/Utimaco, Symantec PGP, Check Point, Trend/Mobile Armor, etc.) for fixed desktops.
Full drive encryption should be considered mandatory for laptops and most organizations have implemented this – either with Windows 7 and BitLocker, by adding encryption into their endpoint protection platform contract or by purchasing a point solution.
However, there are several use cases where the use of FDE makes sense for fixed desktops:
1) For areas where physical security is lacking and there is a risk that the hard drive and/or physical machine may be stolen.
2) For defense in depth as machines are retired, to ensure that data is wiped completely. If the encryption key is destroyed, access to the data is impossible: without the keys, they don’t have your data. This would supplement (and potentially replace) any manual wiping that is performed as machines are returned/retired/recycled/destroyed.
3) For protection of images in transit being shipped to remote locations – for example to remote offices.
With advances in hardware processing making the overhead of FDE nearly negligible, and with the significant downward pricing pressure in the market (in the case of BitLocker, “free” if you are purchasing Software Assurance on the Windows OS), FDE may make sense for many of your fixed desktops as well.