They say it takes a big man to admit he was wrong – and for those who know me, I am a pretty big man.

Specifically, I was wrong about some things I have been saying and writing about encryption. In particular, about the choice of full-disk encryption (FDE) over file / folder encryption, for the purpose of protecting sensitive “data in use” on laptops.

In my role as an analyst, I have been saying these things for many years – at least as far back as September 2009, in a benchmark study I called Full Disk Encryption: On the Rise. Since this particular research report is now well outside the three-year window of research that is freely available to registered members of Aberdeen’s website, here’s the Executive Summary of what I wrote at that time:

Aberdeen Insights – Strategy

In the strategic decision enterprises make between the precision of file / folder encryption (encrypting only specific files or folders based on content and pre-existing policies) and the brute force of full-disk encryption (encrypting everything on the endpoint), Aberdeen’s research shows that the general trend is towards the simplicity of full-disk encryption. This trend is observable over the course of several benchmark studies in data protection that Aberdeen has conducted over the past two years, and is expected to continue.

Both approaches are widely deployed, and the shift has been gradual, not sudden. In the current study, Best-in-Class organizations are about as likely to rely on end-user based enforcement of data protection policies (unaided by solutions) as they are to enforce data protection policies automatically (transparent to end-users). In comparison to Laggards, however, they are three times more likely to automate enforcement transparent to end-users.

In addition to a shift towards not relying on the correct decisions and behavior of individual end-users, Aberdeen’s research indicates a shift towards not investing time and effort into developing fine-grained policies to address a complex and constantly changing compliance landscape. Best-in-Class organizations are consistently more likely than their Industry Average and Laggard counterparts to map security risks and corresponding controls to their particular matrix of compliance requirements, not the other way around. As a simple example: “if a resident of Massachusetts, then encrypt all personal information stored on laptops” becomes simply “encrypt all information stored on laptops.”

Chasing compliance requirements one at a time can lead to both overlaps (resulting in higher cost) and gaps (resulting in increased security incidents, and increased audit deficiencies) in security policies and controls. The “checkbox” approach to compliance consumes undue attention and resources, and makes it harder to succeed at the game of “do more with less.” The Best-in-Class approach to information security is to be secure first, then compliant; they are getting to a risk-based – as opposed to a regulation-based – view of protecting the business.

What’s so wrong about any of this, you ask? In fact, for the most part what I said then about full-disk encryption has proven to be quite correct:

  • To protect sensitive data in use at the endpoints, 87% of all respondents in Aberdeen’s research indicated current use of full-disk encryption in 2015, up from just 20% back in 2007.
  • More than 80% of the actual data breach incidents involving user devices were related to two primary root causes: physical loss or theft, and human error. For these risks, full-disk encryption provides a higher level of assurance that the desired data protection is actually in place, requires no involvement or decisions by the organization’s users about whether or not to encrypt, and has little to no impact on endpoint performance or user experience.

The problem is that what I have been saying about the choice of full-disk encryption over file / folder encryption is correct in the context of protecting data in use at the endpoints. But when it comes to selecting an encryption solution for data at rest in back-end systems – for example, on file servers, network storage or cloud-based storage – the risks are dramatically different!

For data at rest on file servers, network storage or cloud-based storage, more than 85% of the actual data breach incidents were related to external threats (hacking), insider threats (misuse), or human error – which aligns with the strong adoption of file-level encryption for this use case, as observed in Aberdeen’s research. File-level encryption is actively protecting the organization’s data, whenever these back-end systems are online, available, and accessible – even if unauthorized access to these systems has been achieved by any of these most-likely actions.

At the same time, the risk of your NAS or SAN implementation being lost or stolen is obviously not as high as it is for your organization’s laptops, tablets, and smartphones. If your concern is for storage that gets decommissioned, then like any encryption solution, FDE would help to ensure that the organization’s data is not accessible. But based on the risk of physical loss or human error, the case for the simplicity of FDE just isn’t there when it comes to selecting encryption for data at rest in back-end systems. On the contrary, to protect sensitive data at rest in back-end systems, 4 out of 5 (78%) of respondents in Aberdeen’s research indicated current use of file-level encryption in 2015, up from 35% back in 2007.

The lesson, of course, is that the right approach is to carefully consider what risks you are trying to address, and to choose the technologies that are most appropriate to address them. As tempting as it may be to simply use a security technology that has worked in one area as the solution for another, when it comes to security one size doesn’t fit all.

To learn more about it, read the report called Selecting Encryption for “Data at Rest” in Back-End Systems: What Risks are You Trying to Address?, or watch the webinar on this important topic. In the meantime, try to avoid the mistake that I’ve sometimes made – which is to focus too quickly on the technologies, before properly thinking through the actual risks.