The important thing to understand is that once the device is unlocked and booted, it is vulnerable. Locking the system re-instills a modicum of protection, as does sleep mode or total shutdown / hibernation, but while open and running, the system can be compromised. This makes it doubly important for the user to be mindful of the system while it's running, and not to think of system-disk encryption as a security panacea.
As you can imagine, full-system encryption is most useful when you're dealing with a machine that's being taken on the road. It's far less valuable for a computer that's in a fixed location, where physical access can be controlled. In such cases full-disk encryption adds overhead, but not much security.
There are two basic ways to perform full-system encryption. You can get it as part of your operating system, or you can add it after the fact.
Windows, Linux, and BSD all sport some variety of full-disk system-level encryption. In Windows, it's BitLocker, tightly integrated into Vista and 7, although only available in the higher-end SKUs of that product. Many Linux distributions natively support full-disk encryption: Red Hat / Fedora allows you to create new system installations with encryption. Various BSD flavors also sport it: GBDE and GELI on FreeBSD, for instance.
Having the encryption subsystem as part of the OS itself is two-edged. On the one hand, it means you don't have to install anything to get started; everything you need is right there. On the other hand, it also means you're limited by whatever features the OS maker deigned to include, and expanding on their functionality may be difficult.
Linux's dm-crypt subsystem, for instance, is open source (like Linux itself) and can be expanded upon as long as you have some understanding of the code. Likewise, BitLocker has an API with some exposed functionality, but for the most part it's intended to be used in the manner directed by Microsoft.
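To turn the dm-crypt point above into a concrete check, here is an added example (mine, not from the article or from any of the products it names) that parses the device tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports whether the root filesystem and swap sit beneath a `crypt` layer. The lsblk output is constructed inline rather than captured from a real host, and the parser assumes the single-value `mountpoint` column of older util-linux releases.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not captured
# from a real host): / and swap sit on an opened dm-crypt container, /boot is
# plain (as on a typical encrypted Fedora install), and a second disk is plain.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "luks-root", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/data"}
  ]}
]}
"""

def encrypted_mounts(lsblk_json):
    """Map each mountpoint to True when some ancestor in its device chain is a
    dm-crypt ('crypt') layer, else False."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result

def unprotected(lsblk_json, required=("/", "[SWAP]")):
    """Return the mountpoints that full-system encryption depends on (root, and
    swap because the hibernation image is written there) that are either plain
    or absent from the tree."""
    mounts = encrypted_mounts(lsblk_json)
    return [mp for mp in required if not mounts.get(mp, False)]

if __name__ == "__main__":
    for mp, enc in sorted(encrypted_mounts(SAMPLE_LSBLK_JSON).items()):
        print(f"{mp:8} {'dm-crypt' if enc else 'PLAIN'}")
    print("unprotected:", unprotected(SAMPLE_LSBLK_JSON))
```

Swap is included in the required set because the hibernation image lands there: hibernation only restores the protection the opening paragraph describes if that image is itself inside the encrypted container.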
The breadth of commercial solutions out there means you can add full-system encryption to pretty much any system after the fact. Keep in mind that most third-party solutions require that you dedicate some degree of server resources to them, for the sake of central management.
PGP Whole Disk Encryption was originally developed as a free product, but has since been rolled into a for-pay offering, and is generally one of the first products mentioned when discussion turns to commercial-grade encryption. It supports a full gamut of professional features, including support for any smartcard that uses the PKCS-11 library, and allows for automated rollouts of encrypted systems -- something that's valuable if you're adding encryption after the fact to a whole fleet of existing notebooks. A server is mandatory, though. According to the Whole Disk Encryption product sheet, "PGP Whole Disk Encryption is centrally managed by PGP Universal Server which requires a dedicated hardware server."