Historically, businesses and organizations have stored sensitive computer data on back office network file servers that were typically accessible only from workstation computers attached to the same local area network as the file server. Preventing loss and theft of sensitive corporate data in these environments was relatively easy because the sensitive data almost never left the bounds of corporate servers and networks.
Today, with the wide-availability of wireless Internet connectivity, virtual private networks (VPNs), and relatively inexpensive mobile and portable personal computing devices such as smart phones, tablet computers, and laptop computers, more and more sensitive corporate data is being stored outside the relatively secure confines of corporate servers and networks. For example, a sales manager may store personal identifying information of customers on his laptop computer or an engineer may store a design specification document for planned product on her mobile phone.
At the same time more and more sensitive data is being stored on portable personal computing devices, accidental loss and theft of such devices is on the rise. By some estimates, as much as a ⅓ of all corporate data breaches are the result of lost or stolen portable computing devices—such as laptops.
One possible solution to prevent breaches of lost or stolen corporate data is to use the disk encryption feature supported by some personal computing devices. Disk encryption, sometimes referred to as full disk encryption (FDE) or whole disk encryption, typically protects sensitive data by encrypting—except for perhaps one or more boot portions—the device's entire hard drive including the device's operating system and applications and data stored on the hard drive. Typically, when the device is booted, the user is prompted for an encryption key, which enables the operating system to boot and run normally. For example, the encryption key may be a password or a pin code. As data is read from the hard disk, it is decrypted and stored in main memory (e.g., random access memory (RAM)). Data written to the hard disk is also encrypted on the fly as it is stored. Without access to the encryption key, data stored on the hard drive is inaccessible to thieves.
Unfortunately, the disk encryption feature of many personal computing devices is optional, often requiring manual activation by a user. Corporations and organizations can adopt a policy requiring employees to turn on the disk encryption feature of the devices that store corporate data. However, compliance with the policy may be limited. For example, some employees may not know how to configure their devices for disk encryption or simply do not want to take the time to configure their devices. A corporate IT administrator can manually configure an employee's device to use disk encryption. However, a savvy employee or an unwitting employee may subsequently turn off disk encryption. Moreover, for a large organization or business, it may impractical to burden the IT department with manually configuring all employee devices with disk encryption. As a result of all this, use of disk encryption to secure sensitive corporate data stored on employee devices is currently limited or scattered.
Accordingly, there is a need for more efficient and more reliable devices and methods for coercing users to encrypt sensitive data stored on their personal computing devices. Such devices and methods may complement or replace conventional devices and methods for coercing users to encrypt sensitive data stored on their personal computing devices.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.