Organizations must purposefully dedicate attention and resources to securing sensitive data. Industry regulations and legislative rules frequently require Mac enterprises and others to protect specific information from unauthorized access. Losing a single laptop or flash drive can spell disaster. To help protect against data loss and unauthorized access to proprietary or protected information, Mac organizations can leverage OS X FileVault 2.
Disk encryption comes standard
Whereas Windows upgrades are sometimes required to access integrated OS encryption features, Apple includes encryption technology within OS X. Accessed from Mountain Lion’s Security & Privacy System Preferences console, FileVault 2 provides Mac users with XTS-AES-128 encryption that locks data down while providing additional protections against accidental loss.
Full disk encryption
FileVault 2 users need not worry about omitting critical files from encryption protection. Using Apple’s integrated encryption, all data on a volume is encrypted. Users are therefore relieved of the burden of remembering which directories and files are encrypted and which are not. All data stored on a FileVault 2-encrypted volume are protected.
Simple deployment and operation
Some encryption technologies prove intimidating to end users. Not so with FileVault 2, which benefits from Apple’s approach to simplifying software/hardware interoperability and user interaction. End users can reasonably be expected to encrypt Mac volumes themselves without requiring assistance from information technology staff.
Encrypting a volume is simple using FileVault 2. A user must possess administrator permissions to configure encryption. The process involves opening System Preferences, selecting the Security & Privacy preference, and clicking FileVault. Selecting Turn On FileVault enables encryption.
One common issue with disk encryption occurs when a user leaves an organization, proves unavailable, or simply forgets a disk encryption password. The subsequent misplaced credential typically renders an encrypted system unusable. Fortunately, Apple provides recovery options that don’t overly compromise data protection security principles.
A recovery key is displayed when the disk is first encrypted. The recovery key can also be stored with Apple for safekeeping. An organization must make its own decision as to whether trusting a third party with such sensitive information is appropriate. In cases where a firm determines a third party should not be involved, keys can be stored according to other secure procedures.
Apple also advocates use of an Institutional Recovery Key (IRK). The IRK can be used to enable authorized users to perform account resets, thereby enabling enterprise IT departments to continue controlling encrypted volumes even when the end user is unavailable or forgets the encryption key. Enterprise deployments can even be implemented in which only the IT department is capable of enabling FileVault 2 and only authorized IT staff possess the requisite encryption credentials.
Flash and external drive support
Occasionally users need only to encrypt an external or flash drive. With the introduction of FileVault 2, Apple includes support for disk other than just the principle Mac volume. The same password and recovery requirements (as described above) apply, meaning organizations continue to control data depending upon its own specific requirements.
To encrypt an external or flash drive, users can simply right-click the drive’s Desktop icon and choose Encrypt “Disk Name” from the resulting menu. Just as is true for encrypting a Mac’s entire disk, encrypting an external hard disk requires time. Users (and enterprise IT departments) should plan accordingly, allotting more time the larger the volume.