Defence in depth??
I have to agree with Anonymous Coward @ 19/04/2010 14:27. It is all well and good talking about whole drive encryption, but wouldn't any self-respecting systems engineer/architect/administrator be looking at it from a Defence In Depth point of view? Do they encrypt the whole HDD, enforce policies to prevent copying of unencrypted data to an external source (USB pen/HDD, CD, DVD or Blu-Ray [if you're lucky enough to have a machine with it, and want to pay a fortune for the media])? Do they also then install tooling or configure policies to prevent the use of USB pens or other media that you don't wish to allow, or block access to the CD and DVD drive for writing (and possibly reading, to prevent someone bringing in a virus etc. etc.)?
What is also forgotten here is: how do they ensure that all the users are compliant? Do they have a tool that can check every laptop and workstation to ensure it meets our company's standards?
Also, going back to points made fairly early on by Anonymous Coward @ 19/04/2010 13:27 and Daniel 1 @ 19/04/2010 13:47: support. By adding the above requirements to our systems we have to ensure that our user base is supported and that the tooling is available from a central location (or as required for the domain, or maybe for legal issues), so that if the NTLDR file becomes corrupt the end user is able to get their machine back up and running as quickly as possible (I have felt this pain... and it's not fun).
Also something people probably don't think of here: backups. If you are going to encrypt a whole drive, and data is stored on its local drives, that data needs to be backed up (especially if you have disabled USB and other external media). So there will be a requirement for some centralised backup of user data (there should be one already... but are the users using it? And does it meet the legal requirements?). More staff required for supporting the new servers, SANs and the software.
Do they then install roles like Windows Rights Management, so that the owner of a document can prevent someone from sending an email with a confidential document attached, or at least, if they do or try, it is either denied or the person receiving the email is prevented from opening the attachment? What about Data Protection Manager...
Then of course training, as mentioned by quite a few. If the user doesn't know it's wrong, how do they know not to do it... people are still getting caught by phishing emails or accidentally installing malware and viruses.
All the above costs, some as a one-off and others as a continuing expense. Like everything in business it comes down to the impact the release of the "sensitive information" will have on your company, its brand and the cost (penalties and loss of customers/contracts) and ROI. If something will have a high impact on your company... they will implement some, most or all of the above (plus other bits and bobs); if it has a low impact.... don't worry, they probably won't bother until it becomes too high of a risk.
As for home users, it may be easy to do whole drive encryption, but how many users would know how to install it, uninstall it, or fix an issue where their machine doesn't boot (granted, the last point is probably true even if it wasn't encrypted)? With education more people probably would, but as for other measures where other servers are required, no.
I find this stuff really interesting (yes, I need to get out more!), but the issue should never be addressed on its own, and could easily have taken up 20 to 100 pages to cover all the bases... granted, not as snappy.