Historically, computer users have been able to operate their computers without great concern about compromise; if a computer was hit by a virus, worm, or other malware, the infection was usually evident, and the user could take measures, however painful, to eradicate the threat. This permitted businesses and individuals the freedom to focus on securing sensitive data in transmission, with limited concern for data in local storage.
Recent dynamics have changed this greatly. It is no longer fair to assume that a host computer is operating free of malicious or unwanted applications, and data indicates that such infections can persist for months without anyone's knowledge. Existing data protection mechanisms were not designed to operate under this assumption, so stored data is at great risk of compromise.
For example, full disk encryption does not protect against remote network attacks: credentials are provided during system boot or through other means, unlocking the system so that the operating system presents decrypted data to the user, and therefore also to an attacker with access to the running system. File encryption provides a common measure of protection, though on a compromised system user input is subject to undetected key-logging malware, which gives up valid and useful credentials, and thus decryption keys, to unauthorized users. At the same time, encrypted data must be decrypted and used as unprotected plaintext, exposing its content to attackers lying in wait. Token-based authentication provides a measure of insulation from local attacks, though active tokens are often left connected to host computers for extended periods of time, diminishing their value. Worse still, many token implementations rely on local keyboard input to enable their behavior, which is equally susceptible to malware key loggers.
Offloading cryptographic keys and operations for encryption, access control, and policy management helps, so long as the keys are generated remotely, though this is not always the case. Even then, most systems rely on local credential input, which defeats the additional protection provided by such an approach. Furthermore, most cryptographic operations are performed locally, which gives the host visibility, if only momentarily, of keying material and credentials that can be compromised. Phones used as second-factor authenticators provide a reasonable amount of extra protection, though they are typically connected to the same subnet as the host computer holding the sensitive data, and are fairly easily compromised by targeted remote network attacks.
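The reasoning in the two preceding paragraphs (a key logger captures whatever credential is typed on the host, and decrypted data is exposed on the host regardless of where the key lives) can be made concrete with a small threat model. The following is an added example, not code from the original text: it simulates three credential designs on a host with a key logger and reports what the attacker obtains afterwards. All class and function names are hypothetical, the cipher is a toy, and the sample plaintext, password and salt are constructed.

```python
"""Constructed threat model: what a key logger on a compromised host yields
under three key/credential designs. Added example; all names hypothetical."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


class HostKeylogger:
    """Models the key-logging malware the text describes: everything typed on
    the host keyboard is recorded and available to the attacker later."""

    def __init__(self) -> None:
        self.captured: list[str] = []

    def keyboard_input(self, typed: str) -> str:
        self.captured.append(typed)
        return typed


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream XOR). Illustrative only:
    the model is about where `key` lives, not about the cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class RemoteKeyService:
    """Offloaded key store: the key never leaves the service. Decryption is
    authorised by a typed credential or by a single-use approval token that is
    delivered to a separate device and never typed on the host."""

    def __init__(self, credential: str) -> None:
        self._credential_hash = hashlib.sha256(credential.encode()).digest()
        self._key = secrets.token_bytes(32)  # generated remotely, never exported
        self._pending: set[str] = set()

    def encrypt(self, plaintext: bytes) -> bytes:
        return toy_stream_cipher(self._key, plaintext)

    def issue_out_of_band_approval(self) -> str:
        token = secrets.token_hex(16)
        self._pending.add(token)
        return token

    def decrypt(self, ciphertext: bytes, credential: Optional[str] = None,
                approval: Optional[str] = None) -> bytes:
        if credential is not None:
            given = hashlib.sha256(credential.encode()).digest()
            if hmac.compare_digest(given, self._credential_hash):
                return toy_stream_cipher(self._key, ciphertext)
        if approval is not None and approval in self._pending:
            self._pending.discard(approval)  # single use: a replay is rejected
            return toy_stream_cipher(self._key, ciphertext)
        raise PermissionError("not authorised")


def _attacker_can_decrypt(action) -> bool:
    """True if the attacker's later attempt, using only captured material, succeeds."""
    try:
        return action()
    except PermissionError:
        return False


def simulate_compromised_host() -> dict[str, dict[str, bool]]:
    """One legitimate decryption per design on a key-logged host, then the
    attacker's follow-up using only what was captured."""
    doc = b"quarterly numbers (constructed sample plaintext)"
    password, salt = "correct horse", b"constructed-salt"
    results: dict[str, dict[str, bool]] = {}

    # Design 1: file encryption with a key derived locally from a typed password.
    klog = HostKeylogger()
    key = hashlib.pbkdf2_hmac("sha256", klog.keyboard_input(password).encode(), salt, 10_000)
    ct = toy_stream_cipher(key, doc)
    host_memory = toy_stream_cipher(key, ct)  # plaintext now sits on the host
    replay = hashlib.pbkdf2_hmac("sha256", klog.captured[-1].encode(), salt, 10_000)
    results["local_password_key"] = {
        "credential_captured": password in klog.captured,
        "attacker_can_decrypt_later": toy_stream_cipher(replay, ct) == doc,
        "plaintext_on_host": host_memory == doc,
    }

    # Design 2: key offloaded to a remote service, credential still typed locally.
    klog, svc = HostKeylogger(), RemoteKeyService(password)
    ct = svc.encrypt(doc)
    host_memory = svc.decrypt(ct, credential=klog.keyboard_input(password))
    results["remote_key_typed_credential"] = {
        "credential_captured": password in klog.captured,
        "attacker_can_decrypt_later": _attacker_can_decrypt(
            lambda: svc.decrypt(ct, credential=klog.captured[-1]) == doc),
        "plaintext_on_host": host_memory == doc,
    }

    # Design 3: remote key, approval granted out of band; nothing typed on the host.
    klog, svc = HostKeylogger(), RemoteKeyService(password)
    ct = svc.encrypt(doc)
    approval = svc.issue_out_of_band_approval()
    host_memory = svc.decrypt(ct, approval=approval)
    results["remote_key_out_of_band"] = {
        "credential_captured": bool(klog.captured),
        "attacker_can_decrypt_later": _attacker_can_decrypt(
            lambda: svc.decrypt(ct, approval=approval) == doc),  # observed token replayed
        "plaintext_on_host": host_memory == doc,
    }
    return results
```

The third row of the result is the only one in which the captured material is useless to the attacker, yet even there the decrypted document is present on the host, which is the point the text makes about plaintext exposure on a compromised system.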
Most of these solutions were adequate in the past, but they are not today. Proper measures exist to protect against these threats, but they are often disruptive to user workflows and not suitable for frequent operations.