Volume 1, Issue 2, December 2008

Don’t Let Your Apples Go Unprotected:
Best Practices for Encrypting Mac Laptops, Desktops, and Removable Storage Devices

By Shilpi Dey, Product Marketing Manager, PGP Corporation

How can you enforce your security policies on Apple Macintosh clients?

You're in good company asking the question. Mac laptops, desktops, and removable storage media are penetrating a multitude of businesses that had been strict PC shops. Traveling executives sometimes lead the parade.

Your security policies may require full disk encryption for Microsoft Windows PCs, but until recently full disk encryption applications were simply not available for the Mac. As a stopgap, some IT organizations implemented partial solutions. An example is Apple FileVault, which encrypts only the home directory.

Now security vendors such as PGP Corporation provide full disk encryption applications for Mac OS X that protect the data on the entire disk drive, including boot sectors, system files, and swap files. The encryption application protects the data on the internal hard drive of laptops and desktop computers, as well as removable storage devices.

The PGP® Whole Disk Encryption for Mac OS X application also helps IT organizations use fewer resources to secure data. Because the application can be centrally managed and automatically enforce security policies, and is largely transparent to users, it reduces the total costs of ownership. IT groups that use this type of application can reduce the staffing requirements for data protection and decrease the number of help desk calls. These benefits are especially important to companies where spending is getting greater scrutiny and IT budgets are tightening.

When selecting and deploying a full disk encryption application for Mac OS X, you may want to consider best practices such as these:
  • Authenticate each time the Mac boots. This differentiates a full disk encryption application (which protects the entire drive) from an encrypted disk image solution (such as Apple FileVault, which protects the home directory but leaves the rest of the system unsecured).

    In a full disk encryption environment, users authenticate with their encryption software passphrase before the Mac operating system can boot. The solution does this by replacing the standard Extensible Firmware Interface (EFI) boot loader with one that loads the encryption software.

    When the user is authenticated, the application enables on-the-fly decryption and encryption. This allows the operating system to continue with the normal boot process, which will look and behave exactly as before. Unauthorized users will not be able to activate the operating system.

    If you use a full disk encryption application and require users to authenticate before the Mac OS boots, the protected drive remains encrypted at all times.

  • Protect the contents of external storage media. A full disk encryption application can also protect the contents of removable storage devices. If the storage media is lost or stolen, the data stored on it will not be exposed to anyone outside the company.

    You can set up your full disk encryption application by policy to require that inserted USB and FireWire storage devices be encrypted, and to block writing data to unencrypted devices. Only authorized users will be able to copy sensitive or confidential data to unprotected devices.

    The encryption runs as a background process that is transparent to the user, automatically protecting valuable data without requiring the user to take additional steps.

    You can make policy compliance even easier on users if you choose a Mac OS encryption application that ensures the removable storage media it encrypts will interoperate with Microsoft Windows platforms. For example, a PGP Whole Disk Encryption for Mac OS X user can insert a removable storage device that was encrypted on a Macintosh into a Windows system and simply authenticate via a configured passphrase or public key.

  • Manage centrally. To efficiently define and enforce encryption policies related to boot drives and removable media, deploy and manage your Mac OS X disk encryption from a central management console. Centrally managing policy eliminates the need for users to take specific actions to protect sensitive data and ensures compliance with corporate security policy.

    Look for a solution that allows an administrator to define and enforce policy based on existing user and group information in an LDAP directory. This option will let your organization define different policies for different organizational groups without requiring the administrator to duplicate group definitions that already exist in the corporate directory.

It makes sense that Mac clients are a big security concern. Lost or stolen laptops and mobile devices are the leading source of data breaches, according to the Ponemon Institute's recent annual studies: U.S. Cost of a Data Breach and U.K. Cost of a Data Breach.

Is it time for your organization to begin enforcing its security policies on Apple Macintosh clients?

A full disk encryption application can bring you quick, cost-effective protection for data on Mac OS X desktops, laptops, and removable media. PGP Whole Disk Encryption can now bring you comprehensive, nonstop disk encryption for Windows and Mac OS X clients alike.

Key actions

Learn how to protect your data with PGP Whole Disk Encryption for Mac OS X.

Watch a webcast on best practices for protecting data on mobile devices such as laptops and removable media.

Know the latest trends: Read the Ponemon Institute's 2008 studies on U.S. and U.K. Enterprise Encryption Trends.
