Calculating the Cost of Full Disk Encryption

CowboyRobot writes "Is full disk encryption (FDE) worth it? A recent study conducted by the Ponemon Institute shows that the expected benefits of FDE exceed cost by a factor ranging from 4 to 20, based on a reduction in the probability that data will be compromised as the result of the loss or theft of a digital device. 'After doing all of the math, Ponemon found that the cost of FDE on laptop and desktop computers in the U.S. per year was $235, while the cost savings from reduced data breach exposure was $4,650.'"

One click for $235

[flyingfsck]

I am expensive, but not that expensive. I don't charge a customer $235 to click a full disk encryption check box while installing Fedora Linux. Maybe I should...

Re:One click for $235

[Joce640k]

The TCO of is more than the cost of installing it.

Re:One click for $235

Quote: "The study measured costs in 11 segments: licensing, maintenance, incremental costs, device pre-provisioning, device staging, tech time spent on password resets, end-user downtime spent during password resets, cost associated with re-imaging hard drives, end-user downtime associated with initial disk encryption, end-user time spent operating an FDE-enabled computer, and the value of tech time incurred for various administrative tasks related to encrypted drives. [...] The study found that the most expensive element of FDE is [...] the value of user time it takes to start up, shut down and hibernate computing systems while using FDE."

Re:One click for $235

[hairyfish]

I've been working in IT depts for roughly 20 years and can't remember ever having issues related to "data breach from lack of encryption". Not saying it doesn't happen, but I reckon for most people (outside of finance/defence/govt etc) it's overkill. It raises a question, how much security is too much? Do you have a lock on your front door? 3 locks? 45 locks? If you had 100 locks on your door and only locked 99 of them, would this be considered vulnerable? This is how I think of the security industry. One lock is fine. If that doesn't work, then no amount of extra locks will help. The bad guys will simply break a window.

Re:One click for $235

That's kind of a flawed way to look at things imo (no offence intented).

Having 99 locks on the frontdoor is indeed pointless, but that's because all those locks perform the same function. Using (for example) a virusscanner, a firewall and full disk encryption is more akin to having both a lock on the frontdoor but also a fire extinquisher in the hallway. It's a very sane and generally smart thing to have.

On a sidenote, having 2 (different) locks on a door may very well be a smart thing, because a Type A lock has different flaws than a type B lock. Having 2 different kinds means you potentially eliminate a variety of easy exploits that target a specific type of lock. I don't know where the "line" is but i find it hard to imagine more than 2 or 3 locks being a sane scenario for "regular" entrances.

Now it's obviously true that every security measure brings with it a "penalty" if you will, to legit users. For most locks this means the user has to carry a key on him, something most people in the west consider normal and not a high price to pay. Having to remember a PIN code to use your debit card is also a penalty on legit accountholders, but we accept it. Now wether or not full disk encryption is as pricey as the article seems to make out, i dunno, but lets look at the alternatives.

A) Unencrypted drives
B) Certain Encrypted drives/containers/shares/whatever
C) Full Disk encryption

In this day and age (dare i say it, the Information Age) there is a definite demand for encrypting sensitive and important data for almost everyone but the most untrained pc user. This makes option A a bad choice for almost everyone which means the decision is not just about "should we use FDE or not", it becomes "do we encrypt EVERYTHING or just cetain objects" and in order to make that determination you need to look at the price for both.

Let's not forget, simply enabling FDE is a minor act for the sysadmin whose installating the system, and since FDE is transparent to userspace applications, there is very little additional configuration or problems that arrise due to it. It will impact performance of the hardware, however one can take this into account during the purchase of new machine(s) and simply take a slightly faster system to make up for it (if that's even needed, usually it ain't). Only encrypting certain partitions, shares or folders means you have to deal with many additional administrative and training issues. How do you prevent ppl from moving sensitive files from the secure X:\ drive to the C:\ drive, how do you teach the (presumably non-IT) users where they can store which files. Which policies have to be enforced to ensure it all stays on the level. How often (if at all) do you audit the systems for "leaked" senstive files, etc.

I'm not a sysadmin myself, but i do work in IT and have a fair understanding on their job, and to me at a quick glance it appears FDE is a LOT cheaper and easier for everyone involved than encrypting only sensitive files.

Re:One click for $235

[Dodgy+G33za]

Surely if it means a lot to you but not to anyone else then encryption is not as important (if at all) as backing up?

I have lost personal data. I also have a few old and fairly important files kicking around that I password protected many moons ago and forgot the password.

I have chosen not to encrypt, but I have a very solid backup routine.

But then I can't imagine having data that is so personal (and yet irreplaceable) that I would rather lose it than have some random look at it.

Re:One click for $235

[dbIII]

The other side of the coin is managing it properly. For example I've had to restore from an unencrypted backup purely because somebody who was managing their own disk encryption had forgotten how to access their files and needed whatever earlier copies were available as a matter of urgency. If it's not done properly with people at multiple sites having details of how to access the files it's not worth doing at all. An encrypted volume should not be a room full of people that have eaten the salmon mousse away from being permanently inaccessible.

Re:One click for $235

[Alan+Shutko]

I've gone paperless, so I have tax returns, medical info, SSNs, etc on my laptop. Full Disk Encryption means I don't have to worry about it.

With FDE, you have to decrypt it every time you use the computer, so you're not going to forget the password. If you're worried about that, put the password on a piece of paper in a safe deposit box or some other type of storage at home.

Am I the only one that read...

[yourtallness]

A recent study conducted by the Pokemon Institute... :-P

User still a risk point

[N1AK]

One issue with IT security is that policies and security measures like this are only one small part of the picture. My partner works in a government affiliated company and has to use FDE for all PCs. Because of how they have implemented it they virtually all still use the default key (which wasn't random) and if you change it then you thwart the original intent of having quasi-hotdesks.

Passwords written on desks, stuck to the screen etc are common in many places. Sending files off-network to places like dropbox or email to get around security 'hassles' is widespread. The owner of my current firm wants to use an iPad, because we won't let it on network he does most email from a web email account!

FDE with rubbish passwords is entirely pointless as anyone with motivation to get in can. If you start requiring complex passwords the risk of people writing it down and storing it with the PC increases. We need to stop thinking about security as a technical issue and work out how to produce 'secure enough' systems which users don't subvert or misuse.

If removing security breaches is worth nearly $5k a year then surely using some kind of RFID security card that must be near the PC/Laptop to unlock would be cost effective. I could keep it in my wallet or as a keyring. Even better would be combine it with a RSA style password device for two-factor authentication when providing a password (thus making less complex passwords less of an issue).

translation

[Hazel+Bergeron]

'After doing all of the math,

"After applying some simplistic formula"

Ponemon

"the guy promoting his firm with this /. article"

found that the cost of FDE

"without specifying any important parameters such as number of computers or environment in which they are used"

on laptop and desktop computers

"but noting that some were laptop and some were desktop because that makes the result sound a little more convincing"

in the U.S. per year

Encryption is a lot more expensive in Scotland. They can always look up yer kilt and ken yer keys!

was $235,

If this were a porn moneyshot, TFA author would now be panning away from the dick and squirting liquid soap everywhere, seemingly drenching the victim.

while the cost savings from reduced data breach exposure was $4,650.

Or $100,000, or life imprisonment, depending on your particular situation. Statistics: on average, not very useful.

Re:Real Costs

[pthisis]

At least partially:

"The study found that the most expensive element of FDE is not the hardware or software involved, but the value of user time it takes to start up, shut down and hibernate computing systems while using FDE. "

But this study doesn't pass the smell test. Take this, for instance: "The cost savings from reduced data breach exposure was $4,650." Imagine that FDE takes the risk of data breach on a stolen disk from 100% down to 0%. And imagine that any given computer has a 1% chance each year of being stolen by someone who's going to exploit the data on it (rather than just reformat it and sell or use it). Both of those are very generous estimates.

The average value of a lost computer to my company--either in terms of profits lost or competitor's profits gained--would have to be $465,000 for the math to work. Which as a median doesn't make sense.

If it's a mean, it only makes sense because there are a handful of computers whose value is tens or hundreds of millions of dollars counterbalancing the vast array of other computers worth far less--but if that's the case, the right solution probably isn't to lump all machines together for analysis purposes, it's to segregate out the high-value targets and treat their security differently from the low-value targets.

Re:Real Costs

[neyla]

Agreed on the smell-test. No matter how good a security-measure is, it cannot save more money than is lost without it. (i.e. the best possible security is 100%)

Thus for FDE to save $4650/computer/year, the current cost of data-loss that would be avoided with FDE must be atleast the same amount.

There's about 100 million computers sold annually in USA, essentially none of which have FDE. The average computer is used for atleast 3 years. The total *current* cost of data-losses must thus be atleast: 100M * $4650 *3 = $1395 billion/year.

That doesn't pass the smell-test. It would mean the losses add up to $12500 a year for each household, which is utterly ridicolous.

No kidding

[Sycraft-fu]

In a corporate environment, you have to have some kind of key management system. You can't do FDE with a free utility that is just "Enter the password to get in to the computer." Well why not? Tow big reasons:

1) What if the person suddenly up and dies, and you need to get at the data? A backup won't help if said backup is also encrypted with the same password that only they knew. You need to have a system to get in.

2) More commonly, what do you do when a user forgets their password? This happens ALL the fucking time. People cannot remember passwords, just how it is. Just losing data is not an acceptable answer, so you have to have a system that can get in.

Now there are systems out there like that. They have central key stores, key recovery facilities and so on all while maintaining cryptographic security. However all the ones I've seen cost money. Then on top of that is the cost of administering such a system.

As an example at work a lady forgot her password, as she is known to do on days ending in "y". So she couldn't get in the encrypted laptop that has key codes for the doors (she deals with that). She also hadn't put the laptop on the 'net in like a year, so it was all desync'd with the Active Directory. This meant my boss couldn't log in to do any kind of override. So he had to hook it up, go through this key recovery thing where the console give you a bigass key to enter in to the system, then get it to sync passwords, then he could log in and get everything working. Took a fair bit of time to do.

You have to count all that kind of thing in cost calculations. You can't pretend like it isn't a cost. Yes you already pay his salary but he has about 5,000 other thing to be doing that weren't being done while he worked on that. Needless to say if this were being used for more than a couple systems (we only use it in special cases) it would quickly need one or more people who's job was to administer it and deal with all the problems caused by it (meaning by users).

Re:No kidding

[bertok]

Now there are systems out there like that. They have central key stores, key recovery facilities and so on all while maintaining cryptographic security. However all the ones I've seen cost money. Then on top of that is the cost of administering such a system.

Security only costs extra if you had nothing to begin with, which basically never happens. Any corporation with data worth stealing is likely to have Active Directory, which has a convenient key escrow functionality built right in.

If you've already purchased Windows Server and have standardized on Windows 7, then full disk encryption with all the goodies is just a few button clicks away, and costs nothing but the 60 minutes it takes to read through the relevant technet articles and then setting a few settings in group policy.

She also hadn't put the laptop on the 'net in like a year, so it was all desync'd with the Active Directory.

That's not her fault, that's the IT department's fault. That laptop can't possibly have been properly patched, its data synchronized, or up-to-date security policies applied. That should have rung alarm bells in the system, or locked her out until she did synchronize successfully.

Which can be done wirelessly these days. From home. Using transparent VPNs that require zero user interaction. All of which can be monitored centrally.

So he had to hook it up, go through this key recovery thing where the console give you a bigass key to enter in to the system, then get it to sync passwords, then he could log in and get everything working.

Wait, wait, wait.. let me get this straight: she failed to authenticate properly with the system for something like a year, which then correctly locked her out after the timeout expired, protected the data on her laptop, allowed you to recover the data as designed, and all of this required just a few minutes of typing? And to top that off, the security system insisted that her hopelessly out-of-date credentials cache be updated to verify her account?

OH MY GOD THE HORROR! The hassle! Why doesn't the crypto system just fall dead and recognize how important this lady is and unlock all of her data, despite her ongoing blatant violation of IT security policy! The nerve of Microsoft for designing such a thing! Next thing you know, they'll insist that you use passwords to log on to computers! Can you imagine?! We just won't be able to get any work done around here any more!

Clearly this is all just a giant conspiracy to drain valuable IT resources.

You have to count all that kind of thing in cost calculations.

Additional electricity due to use of AD Policy Driven Bitlocker encryption: $57.35
One hour support call to fix non-compliant user's locked out system: $197.50
Incompetent IT team: $457,350.00
Potential lawsuit due to leaking user data: Priceless.

Yes, you do have to factor that kind of thing in, you're right.

Re:Depends on the data, doesn't it?

[Antarius]

Why do we need to encrypt an 18 year old game that has had the source code released? ;-p

Re:Truecrypt FTW

[smash]

So, how well do you stand up to beatings/torture, tough guy?

Re:Truecrypt FTW

[Rogerborg]

I love giving police the finger when they demand to see what's on my laptop

And in your fantasy, does the Lady Cop say "Oh, Mr Neckbeard, your fingering is so... virile," then bow-chicka-wow?

There's nothing so sad as preparing for an apocalyptic showdown with The Man, when The Man could not possibly care less about you or your data. Encrypt, don't encrypt, you've got more chance of being eaten by badgers than subjected to a search-and-seizure.

Re:Truecrypt FTW

[cpghost]

If you live in a fucked up police state where this is considered possible, you have more problems to care for than merely encrypting data.