Securing Corporate Data and Making Life Easier for the IT Admin

Benefits of Pre-Boot Network Authentication Technology

What's at risk for your organization?

Every company, regardless of size, has confidential information that needs to be protected. With data breach incidents happening on an almost weekly basis, organizations must take the necessary precautions to ensure their data is secure. But how many organizations are truly making efforts to keep their data safe? Imagine two employees have their laptops stolen out of the back of their cars. These laptops contain the personal information of over 800,000 end customers. Now the company has to ask itself: Is the data on that laptop secure? Is it password protected? More importantly, is it encrypted?

If the answer was no to any of those questions, as a business, can they afford what will come next? Is it a mass customer exodus? A class action lawsuit? A criminal investigation for violation of local data protection laws and regulations?

This list goes on. The scary part about the previous scenario is that it was real and it was what some consider a small data breach. What if it was the information of 2 million customers? Can your business afford that?

Since 2013, more than 660 million records have been compromised in data breaches according to The Privacy Rights Clearinghouse Chronology of Data Breaches (www., December 2013). It’s a staggering number: more than half a billion records, and those are only the breaches that have been made public.

Now, more than ever, securing information has become part of the cost of doing business. While passwords, biometrics, smart cards and other tokens have added a huge level of security, the fact is they can be ‘cracked’ and once they are, the data is exposed.

Is your business secure?

Often, IT departments are faced with a number of challenges as it relates to security – how do we keep costs low, while ensuring IT administrators are efficient and end user experiences are unaffected – all while keeping corporate data secure?

The fact that governments around the world have or are implementing specific data privacy legislation only adds to the impetus for business data security measures to fall in line. Whether it’s the European Union’s Data Protection Directive, the United States’ Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Payment Card Industry (PCI) Data Security Standard, the U.K.’s Data Protection Act or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), there’s very little flexibility for businesses not to adhere to these policies.

For businesses that are determining the best way to deploy a solution that will secure all access points for information, there are a number of things they have to consider:

  Can they fully encrypt every device that connects to the network regardless of the operating system?

  Can the solution be centrally managed by an IT administrative team?

  Can removable media such as USB Drives, SD cards etc. be encrypted?

  Can sensitive files and folders on endpoints or servers be protected with an additional layer of security?

  Can policies be enforced on devices to ensure the right user is getting access to the right information and nothing more than what they need?

  Can pre-boot authentication be enabled to add an extra layer of security?

  Can IT easily manage the system and are there effective and efficient ways to support end users for things such as password recovery?

  Can you separate system from security administration in order to reduce the risk in case of malicious administrators?

While this is a small list, it’s critical and by no means complete. It’s why full disk encryption (FDE) is so important these days. Many businesses may already use encryption in their organization, but data security can be enhanced by adding a new layer to their FDE solution: pre-boot network authentication (PBNA).

What is PBNA? Pre-boot networking provides a means for authenticating encrypted devices to the network before the operating system ever loads. Simply put, it means that before any data on a device is decrypted and a user is granted access, the user must input credentials (a password) that are verified by a network-connected server; only then is the user allowed to log on to the device and start the operating system (OS) log-in process. It means data is never exposed until the user credentials are verified, ahead of the standard OS log-in process.

Why is PBNA important? As good as standard device encryption is, it’s fallible; there’s always a risk regardless of the solution deployed. Instead of relying solely on user credentials stored locally on a given device, which can be out of date, the authentication process leverages the most current policies available from the servers managing user access. So if necessary, an administrator could remotely lock out an employee that just left the company without having direct access to his/her device.

That said, PBNA offers much more than just end point security. It enables businesses to manage groups and really control how, what, when and where users access information via policy controls.

For example, in a hospital, a typical work terminal has more than one person logging onto a system on any given day.

PBNA enables the IT administrators to take advantage of Active Directory server settings that set different access policies for different users. Nurses would need access to limited views of all patient data in a particular ward. Doctors would need detailed patient data on only their patients.

If a pediatric nurse moves to the obstetrics ward, a simple Active Directory change by the administrators would mean the nurse could seamlessly log into the right part of the IT network at the hospital without any interruptions. How would this be controlled? Using PBNA would mean that when the user turns on the terminal and tries to log on, their credentials are vetted against the existing Active Directory policies, which then grant the user appropriate access to the system.
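The hospital scenario above, reduced to a runnable sketch. This is an added illustration and is not WinMagic's code or protocol: a pre-boot client holds no disk key until a policy server (standing in for the Active Directory-backed authentication server) has verified the password and the current group policy, so a directory change moves the nurse to the new ward and a disabled account is locked out without touching the device. All names, groups, terminals and passwords are constructed; the key is returned directly rather than wrapped, and the channel between client and server is assumed to be protected.

```python
import hashlib, hmac, os, secrets

# Constructed directory standing in for Active Directory: group membership and account state.
DIRECTORY = {
    "nurse_amy":   {"groups": {"ward_pediatrics"}, "enabled": True},
    "dr_lee":      {"groups": {"physicians"},      "enabled": True},
    "ex_employee": {"groups": {"ward_pediatrics"}, "enabled": False},  # disabled after leaving
}
# Constructed policy: which groups may unlock which terminals.
TERMINAL_POLICY = {
    "term_peds_01": {"ward_pediatrics", "physicians"},
    "term_obs_07":  {"ward_obstetrics", "physicians"},
}

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PolicyServer:
    """Network side: verifies credentials against the current policy, then releases the disk key."""
    def __init__(self, directory=DIRECTORY, policy=TERMINAL_POLICY):
        self.directory = {u: dict(a) for u, a in directory.items()}
        self.policy = policy
        self.salt = os.urandom(16)
        self.pw = {u: _hash_pw("pw-" + u, self.salt) for u in directory}  # constructed passwords
        self.disk_keys = {t: secrets.token_bytes(32) for t in policy}  # one disk key per terminal

    def set_groups(self, user, groups):
        """An administrator's directory change; takes effect at the next pre-boot logon."""
        self.directory[user]["groups"] = set(groups)

    def request_key(self, terminal, user, password):
        acct = self.directory.get(user)
        if acct is None or not acct["enabled"]:
            return None, "account unknown or disabled"
        if not hmac.compare_digest(self.pw[user], _hash_pw(password, self.salt)):
            return None, "bad password"
        if not acct["groups"] & self.policy.get(terminal, set()):
            return None, "policy denies this terminal"
        return self.disk_keys[terminal], "ok"

class PreBootClient:
    """Pre-boot environment: the disk key is absent until the server releases it."""
    def __init__(self, terminal, server):
        self.terminal, self.server, self.key = terminal, server, None

    def boot(self, user, password):
        self.key, reason = self.server.request_key(self.terminal, user, password)
        return self.key is not None, reason
```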

Benefits of PBNA

The aforementioned example is a very simplified version of how this would work, but the benefits of PBNA are significant and can be summed up into three categories:

  1. Total cost of ownership is reduced
  2. IT admin and end-user experience is seamless and non-invasive
  3. Enhanced security for the organization

Lower total cost of ownership

Organizations spend an average of $70 to stage and provision a single device for employee usage (Ponemon Study - The TCO for Full Disk Encryption, July 2012). In the hospital example mentioned, IT administrators using PBNA no longer have to go from terminal to terminal in the obstetrics ward to grant access to the nurse, thereby greatly reducing time and costs. With a simple change in Active Directory from the IT administrator’s desk, the nurse is granted access to all the new terminals seamlessly and quickly.

Efforts on password resets are also greatly minimized as PBNA allows administrators to conduct these activities at their desk through the use of Active Directory. End users are able to call their administrators at their desks and within a few minutes, have their passwords reset through remote prompts from their IT administrators and gain access to their laptops/desktops. A typical process that would’ve taken 20 minutes can now be reduced to 5 minutes. (Ponemon Study - The TCO for Full Disk Encryption, July 2012).

Not only is the complexity of provisioning users and policies and solving support issues greatly reduced; there is also a huge cost saving as IT administrators become more efficient and spend less time provisioning systems individually and solving everyday issues such as password resets.

Seamless end-user experience

IT admins are not the only ones that can benefit from PBNA. With auto boot activated, end users can access any approved systems using only one password. Once they are in, they will be able to utilize all authorized programs with virtually no impact to the speed and performance to their work station.

Enhanced security

One of the most notable benefits of PBNA is the increased security it offers. When using the standard boot process for a PC, protection is reduced to what is provided by basic Windows security. If that’s all the system relies on, it means the data encryption key has already been exposed in the computer’s memory and is therefore vulnerable to attack. PBNA avoids this type of issue by authenticating the computer before the operating system is booted and before the encryption key is vulnerable.

Additionally, PBNA also offers policy protection. It gives IT Admins the ability to set up management guidelines surrounding device data protection in the pre-boot environment. System updates and policies can be installed without risking security due to requirements to skip authentication on reboots.

How WinMagic can help

WinMagic’s SecureDoc is a highly secure, yet flexible data security solution that enables businesses to comply with privacy and security regulations by protecting sensitive data residing in laptops, desktops, servers and on removable media.

Easily deployed, SecureDoc maintains end user productivity and ensures maximum security and transparency in regular work flow while allowing businesses to deal with the heterogeneous nature of their IT environment. SecureDoc places all security-related management under one centralized enterprise server including policies, password rules, and the manageability of encryption across PC, Mac and Linux platforms alike.

SecureDoc is the only data encryption and management solution that allows for pre-boot network authentication through its PBConnex feature. PBConnex utilizes network based resources to authenticate users, enforce access controls, and manage end point devices before the operating system loads. This unique and ground-breaking approach to Full Disk Encryption (FDE) management results in significant cost savings for organizations by streamlining both IT management and end user functionality.

Figure: PBConnex access process

PBConnex enables users the convenience of auto-boot with the security of pre-boot authentication. WinMagic is the first FDE vendor to integrate secure network support into the pre-boot environment.