What Is Endpoint Encryption?

Encryption is the process of encoding or scrambling data so that it is unreadable and unusable to anyone who does not hold the correct decryption key. Endpoint encryption protects the operating system against “Evil Maid” attacks, in which someone with brief physical access to a device installs a keylogger or corrupts the boot files, and it locks the files stored on laptops, servers, tablets, and other endpoints so that unauthorized users cannot read the data.

Organizations use endpoint encryption software to protect sensitive information where it is stored and when it is transmitted to another endpoint. Healthcare files, bank account information, social security numbers, and home addresses are examples of information that is often encrypted.

Two commonly used encryption standards are Rivest-Shamir-Adleman (RSA) and the Advanced Encryption Standard with 256-bit keys (AES-256).

  • RSA is often used for transmitting data from one endpoint to another. It is an asymmetric algorithm: one key (the recipient's public key) encrypts the data, and a different key (the recipient's private key) decrypts it at the recipient's endpoint.
  • AES-256 is a symmetric encryption standard, meaning the same key encrypts and decrypts, and it is frequently used to encrypt data in storage, such as on hard drives or USB sticks. Government agencies and organizations in regulated industries that require strong encryption often use AES-256. It replaces the older Data Encryption Standard (DES), whose short key makes it much more vulnerable to brute-force attacks.
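To make the division of labour between the two standards concrete, here is an added example in Go (not code from this page or from any vendor's product) of the hybrid scheme endpoint products typically use when sending data between endpoints: the payload is encrypted under a one-time AES-256-GCM key, and only that 32-byte key is wrapped with the recipient's RSA public key. The `Envelope` type, the function names and the sample message are my own constructions; the cryptographic calls are the Go standard library's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels between endpoints: the payload sealed under a
// fresh AES-256 key, and that key wrapped with the recipient's RSA public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 32-byte AES key
	Nonce      []byte // 12-byte GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// EncryptForRecipient seals plaintext so that only the holder of the private
// key matching pub can read it. The bulk data is encrypted symmetrically;
// RSA only carries the 32-byte data key.
func EncryptForRecipient(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // 32 random bytes = one AES-256 key, used once
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Asymmetric step: anyone holding the public key can wrap the data key,
	// only the matching private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptEnvelope reverses EncryptForRecipient at the receiving endpoint.
func DecryptEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged envelope")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open checks the GCM tag, so a modified ciphertext is rejected rather
	// than silently decrypted to garbage.
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("payload failed authentication: tampered or wrong key")
	}
	return plaintext, nil
}

func main() {
	// Constructed walkthrough: the recipient's key pair would normally be
	// generated once, with the public half distributed to senders.
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := EncryptForRecipient(&recipient.PublicKey, []byte("constructed sample: patient record 4711"))
	if err != nil {
		panic(err)
	}
	recovered, err := DecryptEnvelope(recipient, env)
	fmt.Printf("recovered %q (err=%v)\n", recovered, err)
}
```

Flip one byte of `env.Ciphertext` before calling `DecryptEnvelope` and the GCM tag check fails with no plaintext returned; that authentication property, not just secrecy, is why AES in GCM mode rather than a bare block mode is the usual choice for data that crosses a network.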

Certification criteria for encryption software include the following:

  • The National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2, a U.S. government security standard for cryptographic modules.
  • The Common Criteria for Information Technology Security Evaluation, an internationally supported certification standard and program.

Employees store and share large volumes of valuable data on USB sticks, cloud storage services, network drives, browsers, email, and other media, all of which are vulnerable to security breaches. This data may include sensitive information, such as financial data, customer names and addresses, and confidential business plans. Encrypting the data provides significant protection against theft.

Why organizations need endpoint encryption

An organization may want to encrypt its data for many reasons. For instance, businesses in high-tech industries such as pharmaceuticals or software development need to protect their research from competitors. Organizations in regulated industries, such as healthcare and financial services, need to encrypt patient and consumer data to comply with government regulations. The Payment Card Industry Data Security Standard (PCI-DSS) requires retailers to encrypt consumer credit card data to prevent unauthorized use.

Unregulated organizations are concerned about data security as well. A data breach can result in negative publicity, loss of business, and partner or customer lawsuits.

Cyberattacks and data breaches are increasingly common, and they're expensive. According to the Ponemon Institute's Cost of a Data Breach Study, the average cost of each lost or stolen record containing sensitive and confidential information rose 4.8% year over year to $148. By that measure, a mid-sized breach of 100,000 records could cost an organization $15 million or more.

Encryption is an essential component of a layered data security strategy. Organizations typically incorporate multiple layers of protection, including firewalls, intrusion prevention, antimalware, and data loss prevention. Encryption acts as the final layer to protect data in case it falls into the wrong hands.

Types of endpoint encryption

There are two basic types of endpoint encryption:

  • Whole drive encryption renders a laptop, server, or other device unusable to anyone who does not hold the correct PIN.
  • File, folder, and removable media (FFRM) encryption locks only designated files or folders.

Whole drive encryption protects the operating system and data on laptops and desktops by encrypting the entire drive except for the master boot record, which is left unencrypted so the machine can boot and locate the encryption driver that unlocks the system. When a computer with an encrypted drive is lost, it is unlikely that anyone will be able to access the data on it. Whole drive encryption is transparent: anything written to the drive is encrypted automatically, without any action by the user.

There are two methods of authorizing a user on an encrypted drive:

  • With the first method, the drive boots into the operating system, and the user signs in before accessing applications or data.
  • The other method is pre-boot authentication, which requires the user to enter a PIN or password before the operating system boots. Pre-boot authentication is more secure, because the data remains encrypted until authentication completes. It also defeats attacks such as Windows password-cracking tools, which require a reboot.
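The following added example (Go, not part of the original article or any product's code) shows why pre-boot authentication keeps the data encrypted until the user has authenticated: the volume key is stored only in wrapped form, under a key derived from the PIN, and a wrong PIN cannot unwrap it. `KeyProtector`, `Enroll` and `PreBootUnlock` are names chosen for this illustration, and the PIN and volume key in `main` are constructed; the PBKDF2 routine is written out in full so the example depends only on the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out here so the
// example needs only the standard library. A high iteration count makes each
// PIN guess expensive for an attacker who copies the drive.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Uj = PRF(P, Uj-1)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// KeyProtector is the only PIN-related data kept in the unencrypted boot
// area: a salt, the iteration count, and the volume key sealed under the
// PIN-derived key. The volume key itself is never stored in the clear.
type KeyProtector struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	WrappedKey []byte // AES-256-GCM(derivedKey, volumeKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll seals a freshly generated volume key under the user's PIN.
func Enroll(pin string, volumeKey []byte, iterations int) (*KeyProtector, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	kek := pbkdf2SHA256([]byte(pin), salt, iterations, 32)
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &KeyProtector{Salt: salt, Iterations: iterations, Nonce: nonce,
		WrappedKey: gcm.Seal(nil, nonce, volumeKey, nil)}, nil
}

// PreBootUnlock runs before the operating system loads: the PIN is turned
// back into the key-encryption key and the volume key is unwrapped. A wrong
// PIN fails the GCM tag check, so nothing on the volume becomes readable.
func PreBootUnlock(pin string, kp *KeyProtector) ([]byte, error) {
	kek := pbkdf2SHA256([]byte(pin), kp.Salt, kp.Iterations, 32)
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	volumeKey, err := gcm.Open(nil, kp.Nonce, kp.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("pre-boot authentication failed: volume stays locked")
	}
	return volumeKey, nil
}

func main() {
	volumeKey := make([]byte, 32) // constructed: generated once when the drive is provisioned
	if _, err := io.ReadFull(rand.Reader, volumeKey); err != nil {
		panic(err)
	}
	kp, err := Enroll("482915", volumeKey, 600000) // constructed PIN
	if err != nil {
		panic(err)
	}
	_, err = PreBootUnlock("000000", kp)
	fmt.Println("wrong PIN:", err)
	_, err = PreBootUnlock("482915", kp)
	fmt.Println("correct PIN unlocked the volume key:", err == nil)
}
```

Everything written to the volume is encrypted under `volumeKey`, so an attacker who images the drive holds only the `KeyProtector` and must try PINs through the slow derivation; contrast that with the post-boot sign-in model, where the operating system has already unlocked the key before any credential is checked.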

File, folder, and removable media (FFRM) encryption encrypts selected content on local drives, network shares, or removable media devices. The encryption software deploys agents that encrypt files based on an organization's policies. File-based encryption supports both structured and unstructured data, so it can be applied to a database as well as documents and images.

File-based encryption keeps the data encrypted until an authorized user opens it. This is different from whole drive encryption, which decrypts all the data once the user has authenticated and the system has booted. File-based endpoint encryption therefore continues to protect the data even after it leaves the organization. For example, when an encrypted file is sent as an email attachment, the recipient must be authenticated to decrypt the file. Recipients who lack the appropriate encryption software may instead receive a link to a portal that authenticates them and decrypts the file, or a container attachment (such as a password-protected zip file) that they open with a password the sender communicates to them.

File-based encryption relies on an organization's encryption policy to define the types of content to encrypt and the circumstances that require encryption. Once configured, encryption solutions can automatically enforce policies and encrypt content.
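As an added illustration of policy-driven file encryption (example code, not from the article or any vendor's agent), the following Go program models the evaluation step an FFRM agent performs: ordered rules that match on storage location, path prefix, file extension and classification label, with the first matching rule deciding whether a file is encrypted. The rule names, paths and labels in `SamplePolicy` and `main` are constructed for the example, and the `Encrypt` action here only records the decision; the actual encryption would follow.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Location is where a file lives. FFRM policies usually treat removable media
// and network shares as higher risk than the local disk.
type Location string

const (
	LocalDisk      Location = "local"
	NetworkShare   Location = "network"
	RemovableMedia Location = "removable"
)

// File is one item the agent sees, with any classification labels a content
// scanner has attached (constructed labels such as "PII" in the sample below).
type File struct {
	Path     string
	Location Location
	Labels   []string
}

type Action string

const (
	Skip    Action = "skip"
	Encrypt Action = "encrypt"
)

// Rule is one policy line. Every condition that is set must hold; an unset
// (empty) condition matches anything.
type Rule struct {
	Name       string
	Location   Location
	Extensions []string
	PathPrefix string
	Label      string
	Action     Action
}

// Decision records what happens to a file and which rule decided it, which
// is what a central console would show in its audit view.
type Decision struct {
	Path   string
	Action Action
	Rule   string
}

func contains(list []string, want string) bool {
	for _, item := range list {
		if item == want {
			return true
		}
	}
	return false
}

func (r Rule) matches(f File) bool {
	if r.Location != "" && r.Location != f.Location {
		return false
	}
	if r.PathPrefix != "" && !strings.HasPrefix(f.Path, r.PathPrefix) {
		return false
	}
	if len(r.Extensions) > 0 && !contains(r.Extensions, strings.ToLower(path.Ext(f.Path))) {
		return false
	}
	if r.Label != "" && !contains(f.Labels, r.Label) {
		return false
	}
	return true
}

// Evaluate walks the rules in order; the first match decides. Listing
// exceptions first lets a policy say "encrypt everything on removable media
// except the agent's own installer directory".
func Evaluate(rules []Rule, defaultAction Action, f File) Decision {
	for _, r := range rules {
		if r.matches(f) {
			return Decision{Path: f.Path, Action: r.Action, Rule: r.Name}
		}
	}
	return Decision{Path: f.Path, Action: defaultAction, Rule: "default"}
}

// SamplePolicy is a constructed policy for the walkthrough.
func SamplePolicy() []Rule {
	return []Rule{
		{Name: "agent-installer-exception", Location: RemovableMedia, PathPrefix: "/media/usb0/agent/", Action: Skip},
		{Name: "all-removable-media", Location: RemovableMedia, Action: Encrypt},
		{Name: "pii-anywhere", Label: "PII", Action: Encrypt},
		{Name: "finance-share-spreadsheets", Location: NetworkShare, PathPrefix: "/shares/finance/", Extensions: []string{".xlsx", ".csv"}, Action: Encrypt},
	}
}

func main() {
	files := []File{ // constructed inventory
		{Path: "/media/usb0/agent/setup.exe", Location: RemovableMedia},
		{Path: "/media/usb0/notes.txt", Location: RemovableMedia},
		{Path: "/home/alice/customers.docx", Location: LocalDisk, Labels: []string{"PII"}},
		{Path: "/shares/finance/q3.XLSX", Location: NetworkShare},
		{Path: "/shares/finance/readme.txt", Location: NetworkShare},
	}
	for _, f := range files {
		d := Evaluate(SamplePolicy(), Skip, f)
		fmt.Printf("%-36s %-8s (%s)\n", d.Path, d.Action, d.Rule)
	}
}
```

Because the extension check lowercases `path.Ext`, a spreadsheet saved as `q3.XLSX` still matches the finance rule; rules that compare extensions case-sensitively are a common way for a policy to silently miss files.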

Endpoint encryption management

A comprehensive endpoint encryption solution can enable IT departments to centrally manage all encrypted endpoints, including encryption that different vendors provide. This is more efficient than constantly moving between multiple consoles. Endpoint security solutions that support multiple vendors' encryption products help reduce administrative overhead and costs.

In addition, a central console provides better visibility into the status of all endpoints, and audits use of encryption on each endpoint. An organization can use this to demonstrate compliance if a laptop or USB drive is lost or stolen.

Endpoint encryption software may include a variety of management capabilities, such as:

  • A central dashboard with status reports.
  • Support for mixed encryption environments.
  • Key management capabilities, including creating, distributing, destroying, and storing keys.
  • Centralized encryption policy creation and management.
  • Automatic deployment of software agents to endpoints, to enforce encryption policies.
  • Identification of any devices that lack encryption software.
  • The ability to lock endpoints that fail to automatically check in.

The importance of endpoint encryption

Encryption is an important layer in an organization's security infrastructure. Security products such as firewalls, intrusion prevention, and role-based access control applications all help protect data within the organization. However, breaches have become increasingly common, and data encryption can protect data even after it leaves an organization. Encryption is a key defense against data theft and exposure.
