The loss and theft of data has become such an impactful reality in today's computing world that many nations have or are enacting laws requiring sensitive information to be secured. For example, organizations handling sensitive information, such as medical or financial records are required to implement encryption processes to prevent the accidental disclosure or intentional misappropriation of sensitive information.
To that end, several “Enterprise Data Encryption” solutions, also known as “Data At Rest” or “Data In Motion,” solutions have been implemented. Some of these known solutions and their known shortcomings are as follows:
Full Disk Encryption. These solutions implement a mechanism that encrypts an entire file system as it is stored on a storage medium. Only a system provided with a proper startup password successfully starts up and the storage devices, which are fully encrypted. Once the machine is started, anyone has access to the encrypted data—either now in plain text form or now accessible via a known decryption process or key. Moreover, full disk encryption solutions are very demanding of a computer's CPU and of a portable computer's batteries since all file access operations continually encrypt/decrypt data.
Volume Based Encryption. These solutions represent an improvement over the full disk encryption solutions insofar as only a portion of a file system, in this case a single volume, is encrypted. These solutions continue to suffer from the fact that once access is granted, all of the information within the volume becomes available without restriction. That said, locking of the computer can access to the secure data via the computer until it is unlocked. It has been recently shown that this type of security often poses a problem when the computer is accessible via an external port, wherein the security data once populated is accessible by the computer and secure data is therefore retrievable via the external port even when the computer is locked.
Folder Based Encryption. This solution only encrypts selected folders within a storage medium. It often suffers from the same drawbacks as were previously mentioned but is usually more CPU and battery efficient.
Each of the solutions listed above were designed to protect sensitive information from being stolen when a computing device went missing or was stolen. None of these solutions protect against a malicious employee who has access to the information. They are in a position to misappropriate the information by copying it to a portable storage device, by sending it over the Internet using email or FTP, etc.
It would be advantageous to provide a solution that not only protects sensitive data when a computing device is lost or stolen, but also protects sensitive information from some malicious users and malicious software that have access to the computing device.