It's 10 p.m. Do You Know Where Your Laptop Is?

There's one unfortunate but unavoidable reality of owning a laptop: It could easily be stolen. The very characteristics that make laptops most useful--size, weight and portability--render them easy targets.

By some estimates, as many as 90 percent of businesses have had at least one laptop stolen in the past year. And not even the most security-conscious organizations are immune. In a February 2007 audit, the U.S. Department of Justice reported that 44 laptops were stolen from the Federal Bureau of Investigation over the past 4 years, up nearly 40 percent from an audit in 2002.

The most obvious costs of laptop theft--hardware replacement and data recovery--can prove almost insignificant in comparison to the security breach that theft may cause.

Enter full-disk encryption software, which encrypts all data stored on the hard drive, including the boot partition and system files. Without a working password, a thief will find the drive both indecipherable and unbootable.

Full-disk encryption has a number of advantages over more traditional encryption that focuses on specific files or directories. It requires minimal user interaction or interface changes; once the OS has launched, the encryption software typically remains transparent to the user, thus minimizing user frustration and workflow disruption. Similarly, full-disk encryption provides a higher level of security by denying the user the option of saving unencrypted data. Full-disk encryption also encrypts sensitive data in system files that other encryption methods can't touch without interfering with the host operating system.

The mechanics of full-disk encryption are fairly straightforward, if not simple. Initial deployment includes sector-by-sector encryption of the hard drive and installation of a stripped-down custom OS known as the "preboot environment." Once operational, the preboot environment can use any authorized authentication credential to decrypt a master key created for that specific drive, and then use that key to decrypt the drive itself. Once decrypted, the OS boots, and the user proceeds as usual.
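The key hierarchy described above can be sketched in a few lines. This is an added example, not any vendor's implementation: the function names, the two constructed credentials and the PBKDF2 work factor are assumptions, and the HMAC-based keystream is a standard-library stand-in for the block cipher a real product would apply to each sector.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def derive_keys(credential: bytes, salt: bytes):
    """Stretch one credential into a masking key and an authentication key."""
    root = hashlib.pbkdf2_hmac("sha256", credential, salt, ITERATIONS)
    return (hmac.new(root, b"mask", hashlib.sha256).digest(),
            hmac.new(root, b"auth", hashlib.sha256).digest())

def wrap(master_key: bytes, credential: bytes) -> dict:
    """Create one key slot: the drive's master key sealed under a credential."""
    salt = os.urandom(16)
    mask, auth = derive_keys(credential, salt)
    blob = bytes(a ^ b for a, b in zip(master_key, mask))
    tag = hmac.new(auth, salt + blob, hashlib.sha256).digest()
    return {"salt": salt, "blob": blob, "tag": tag}

def unlock(slots: list, credential: bytes):
    """Preboot step: try every slot; return the master key or None."""
    for slot in slots:
        mask, auth = derive_keys(credential, slot["salt"])
        tag = hmac.new(auth, slot["salt"] + slot["blob"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, slot["tag"]):
            return bytes(a ^ b for a, b in zip(slot["blob"], mask))
    return None

def sector_xor(master_key: bytes, sector_no: int, data: bytes) -> bytes:
    """Stand-in sector cipher (HMAC-SHA256 keystream); same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = sector_no.to_bytes(8, "big") + (i // 32).to_bytes(4, "big")
        stream = hmac.new(master_key, counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], stream))
    return bytes(out)

if __name__ == "__main__":
    master = os.urandom(32)                      # created once per drive
    slots = [wrap(master, b"user passphrase"),   # constructed credentials
             wrap(master, b"helpdesk recovery key")]
    sector = sector_xor(master, 7, b"constructed sector contents")
    for attempt in (b"user passphrase", b"helpdesk recovery key", b"guess"):
        key = unlock(slots, attempt)
        print(attempt, sector_xor(key, 7, sector) if key else "drive stays locked")
```

Because each credential only seals a copy of the master key, replacing a passphrase means rewriting one slot; the encrypted sectors are not touched.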

A Boom Market
Demand for full-disk encryption has skyrocketed over the past 18 months. According to Rob Eggebrecht, senior partner at BEW Global, a Pointsec reseller, "It's been a land grab out there lately. People don't need to be sold on this; they're out there looking. A lot of them go with the first company to offer a solution."

"This year's been big," adds Brent Smith, president of ANIDirect, a PGP solution provider. "Whole-disk encryption projects have doubled in the last 12 months, and more than half of those didn't have existing PGP installs. At this point, [full-disk encryption] accounts for maybe 10 percent of my business."

Not surprisingly, most of the recent demand has come from the high end of the security market: government agencies and large enterprises in verticals with heightened security concerns.

"Our first adopters were aerospace and defense manufacturers, followed by financial services and health care," says Joseph Hoban, vice president of global channel sales at encryption vendor GuardianEdge Technologies. "State and federal government offices are starting to pick up now."

Adds Smith: "There's a need in every organization, but we're seeing the fastest growth in financial services, health care and manufacturers with intellectual property issues."

Others, too, are reporting that the demand for full-disk encryption is fanning out, especially among small and midsize organizations. "Some are just doing research, some are acting on a directive to deploy this year, but everyone's looking at [the technology]," says Brian Vermillion, director of security at Plan B Technologies. "Even when we're talking about something else, ears definitely perk up when we mention it."

And things are expected to heat up even more for full-disk encryption in the near future. "Most of the current market is still at the high end, but things will get a lot hotter among smaller clients in the coming months," says Andy Solterbeck, vice president and general manager of SafeNet's Commercial Enterprise business unit.

A Perfect Storm
Several different factors appear to be driving the market for full-disk encryption, the most important of which has been a rash of high-profile laptop thefts. In May 2005, a theft at University of California Berkeley exposed 98,000 student and alumni records. A March 2006 theft at Fidelity Investments exposed 196,000 retirement plan records, and a May 2006 Ernst & Young theft exposed 243,000 customer audit records.

Those incidents make for very dramatic media coverage; they also sensitize corporate decision-makers to potential risk, clearly illustrating the threat in concrete, specific terms.

"The lost VA records triggered a big epiphany in the enterprise space," Hoban says. "Suddenly everyone was asking, 'What if this happened to me?'"

New legal reporting requirements are another factor. As of January 1, 34 states had statutes requiring public disclosure of a security breach that exposes customers' personal information. Viewed in light of press coverage about the wave of laptop thefts, these laws effectively guarantee major PR costs for any such incident, but most have "safe harbor" provisions that allow companies to withhold disclosure if the data in question is encrypted.

"Negative PR and regulatory requirements are always the biggest motivator," says Bob Egner, vice president of product management and global marketing at Pointsec.

Eggebrecht notes that "[encryption] technology has matured a lot over the past 12 to 24 months. A lot of the technical hurdles have been cleared, so the vendors are now focusing on deployment, management and user experience as differentiators."

Historically, full-disk encryption has been hamstrung by significant performance lags resulting from the processing overhead necessary to run constant encryption and decryption operations. Streamlined software implementation and faster hardware have made impressive inroads on this front, such that vendors today regularly report performance degradation of less than 3 percent, at least on their own benchmark tests.

Similarly, vendors have mitigated problems with data corruption by implementing "interruptible encryption" processes that allow the full-disk encryption system to resume after a system crash or hardware failure.

The Microsoft Factor
Microsoft recently moved into the space by integrating its Trusted Platform Module-based BitLocker disk-encryption product into the Enterprise and Ultimate Windows Vista editions. Though not a full-disk encryption package, strictly speaking, BitLocker does employ a preboot environment to enable encryption of the drive partition that contains the OS; on a multipartition drive, other partitions would remain unencrypted.

While Microsoft is certainly in a position to alter the full-disk encryption market dramatically, it's unclear whether the software vendor is positioning BitLocker to compete head-to-head with current standalone products.

BitLocker may represent an experimental 1.0 product, but Microsoft may also be interested in providing tools for other full-disk encryption developers to work with.

"We encourage third parties to build solutions on BitLocker," a Microsoft spokesperson says. "We exposed the BitLocker functionality through the Windows Management Instrumentation interface, and several partners are integrating BitLocker support into their own solutions."

Four things to know about encryption before you deploy:

1 PUT ENCRYPTION IN CONTEXT

Full-disk encryption is a solid point solution, but it's still just that. The best full-disk encryption in the world will do nothing about viruses, spyware or rootkits. It's up to you to educate the client about how full-disk encryption fits into their broader security infrastructure and strategy. Even if the customer is interested only in full-disk encryption, you must make sure that they understand what they're being protected against and what they're not.

2 DON'T OVERPROMISE

Full-disk encryption vendors focus a lot of energy on highlighting their painless deployments, seamless management and overall ease of use. When full-disk encryption goes wrong, you get downtime and lost data. Make sure the client expects these, and they'll be that much more grateful when you deliver a flawless deployment.

3 PREPARE FOR THE WORST

Just as you should prepare your clients for deployment problems, so should you prepare yourself. Before you touch any machines, make sure the client has a functional backup solution and that any vital information has been backed up. Build response and recovery times into your schedule. When ready, deploy the full-disk encryption in stages.

4 DO YOUR HOMEWORK

Full-disk encryption software requires modifications to the boot process and a customized OS, so it can be sensitive to various hardware and software configurations. Take an inventory of and familiarize yourself with every machine in the deployment plan. The client's network environment, too, can have a significant impact on installation. Active Directory structure and configuration, in particular, can play a big role, so take the time to learn the lay of the land.