Deploying Laptop Encryption - Part II

Cost and policy among the key points to consider when planning a company-wide encryption project: See Part I for other important areas, including technical, to keep in mind for deployment.

Without a doubt, the first question asked by your boss regarding the deployment of an encryption program will be about budget and cost.

Your supervisor will ask for a cost estimate of completing the encryption project and on-going operations. Some estimate the overall cost of encrypting existing systems is north of $200 each. That includes all the staff time in planning, evaluation, training, software, hardware, maintenance, etc. New laptop systems will have a much lower cost per system because they require less labor.  

There are numerous initial cost drivers for encryption. Major factors include the  number of laptops, diversity of operating systems, diversity in hardware models , method of deployment (i.e. manual or software push), number of physical locations, software cost (per license, level of support, maintenance), hardware costs (management appliances, multi-factor tokens, etc.) and services. 

Miscellaneous expenses might include physical disk recovery, disk-imaging costs and storage for backup prior to encryption, automated client backup costs to prevent data-loss, and transport costs to and from satellite offices and remote employees.

Other considerations include adequate time for a pilot, training (for desktop support and helpdesk), process redesign (e.g.  new laptop image builds), and software compatibility testing. Another painful point: what to do when a hardware platform is no supported or doesn’t meet the minimum technical specifications for an install (such as Apple’s PowerPC)?

In general, the failed install rate could be between 2%-8% depending on the vendor and hardware platforms.  How will you design the policy, process and train the customer service staff to handle those issues?

Include adequate time for vendor evaluation. Review reports from analysts such as Gartner to gain an understanding of the options that exist. Speak to your peers regarding maintenance and support experiences with existing vendors, and use that as part of the rubric for vendor evaluation. Execute a Proof-Of-Concept (POC) and run a Pilotwith a diverse set of organizational users.

Vendors will want to limit the time for the Pilot and close the sale, but, if needed, insist on an extension so you are confident that the encryption software meets your organization’s needs.  Consider what vendors you currently use to make the right decision between single-vendor integration and best-of-breed solutions.

One area that needs special attention is procurement. If you work in a large organization, you know the procurement process could take several weeks or months. In some cases, if you’re under government rules for source selection over a certain budget amount (i.e., $100K) it could take longer. Make sure to engage with contacting personnel early and often to determine the rules for your project.  In some cases the professional services or software vendor will need to be vetted (i.e.approved) by the procurement office.