After you've crafted your infrastructure plan and policy surrounding encryption, you're ready to look at products. First, you should consider your specific needs and compare them with the features and options of the various products. Here are some factors to consider to ensure a successful implementation:
- How involved do the users need to be in the process? Unless you want users making these decisions (generally a bad idea), the process should be as invisible to the users as possible. In some cases, encryption has to be an individual decision (e.g., government projects with classified ratings), but in those cases, full disk encryption might not be the best choice.
- How will you handle recovery of lost keys? A good, easy-to-use key-recovery scheme is vital for a large organization. However, casual or too permissive use of recovery keys or master keys can be a huge vulnerability in and of itself. Remember, these are little skeleton keys to your kingdom. Compromise will require a rework of your entire encryption infrastructure.
- How does the software support your crypto policies and procedures? Make sure your chosen solution is a good fit. Some products are built more for larger organizations, with multiple roles and responsibilities. Others scale easily from single users up to many thousands. Remember that once you choose, you'll have to live with the choice for a while.
- Does the software support your network's directory services? Integration into your directory-management system will be crucial to making the process seamless for your users. Whether it's Active Directory (AD), NDS, LDAP, or some other system, the tool should be able to use your existing authentication schemes. However, you don’t want it too tightly integrated, as a breach of your domain servers could also open up your encrypted data. It could also affect access if your authentication servers are down. It should be able to stand on its own, as well.
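To make the key-recovery and "stand on its own" points concrete, here is an added example (not code from the article or from any product it alludes to) of the key-slot layout most full disk encryption tools use: one random data-encryption key (DEK) for the volume, wrapped separately under a key derived from the user's passphrase and under an organization-wide recovery key. The wrapping cipher here is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; a real product would use AES key wrap or AES-GCM. The class and function names, and the idea of a single shared recovery key across a fleet, are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32    # DEK and KEK length in bytes
NONCE_LEN = 16
TAG_LEN = 32    # HMAC-SHA256 digest length


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Turn a user passphrase into a key-encryption key (KEK) with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000, KEY_LEN)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt the DEK under a KEK and append an integrity tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes):
    """Return the DEK, or None when the KEK is wrong or the slot has been tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class EncryptedVolume:
    """Volume header: one DEK held in two key slots (user passphrase and recovery key).

    Unlocking needs only the header and a credential, so the machine still boots when
    the directory servers are down; the directory only decides who may see the recovery key.
    """

    def __init__(self, passphrase: str, recovery_key: bytes):
        dek = secrets.token_bytes(KEY_LEN)          # the only key that ever touches data
        self.salt = os.urandom(NONCE_LEN)
        self.slots = {
            "user": wrap_key(derive_kek(passphrase, self.salt), dek),
            "recovery": wrap_key(recovery_key, dek),
        }

    def unlock(self, passphrase: str):
        return unwrap_key(derive_kek(passphrase, self.salt), self.slots["user"])

    def unlock_with_recovery(self, recovery_key: bytes):
        return unwrap_key(recovery_key, self.slots["recovery"])

    def reset_passphrase(self, recovery_key: bytes, new_passphrase: str) -> bool:
        """Help-desk flow for a forgotten passphrase: re-wrap the DEK, the data itself is untouched."""
        dek = self.unlock_with_recovery(recovery_key)
        if dek is None:
            return False
        self.salt = os.urandom(NONCE_LEN)
        self.slots["user"] = wrap_key(derive_kek(new_passphrase, self.salt), dek)
        return True

    def rotate_recovery_key(self, old_key: bytes, new_key: bytes) -> bool:
        """Response to a leaked recovery key: this slot must be re-wrapped on every volume."""
        dek = self.unlock_with_recovery(old_key)
        if dek is None:
            return False
        self.slots["recovery"] = wrap_key(new_key, dek)
        return True


def rotate_fleet(volumes, old_key: bytes, new_key: bytes) -> int:
    """Rotate a shared recovery key across a fleet; returns how many volumes were re-wrapped."""
    return sum(1 for v in volumes if v.rotate_recovery_key(old_key, new_key))
```

The structure shows why the article calls recovery keys skeleton keys: the recovery slot opens the same DEK the user's slot does, so a leaked recovery key is equivalent to every user's passphrase at once, and the only remedy is `rotate_fleet`, which has to reach every volume while the old key is still trusted. It also shows how recovery can be cheap when designed in: `reset_passphrase` re-wraps one 32-byte key rather than re-encrypting the disk.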