Which is a pretty good idea. Page files, application-level caches, all this stuff muddles the water of where our sensitive data might be. And trusting employees to keep everything where it should be is just stupid. Even if they're smart guys, people make mistakes.
I agree with you and full disk encryption CAN be a solution to the problems that confront some organizations. However, the fact that it can be a solution doesn't mean that it is applicable universally, or is even the most appropriate solution. For example, would you mandate full disk encryption for the disks residing on a server? Why bother, if the server is in a secured area and is never "at rest".
In any case, the shotgun approach is never the appropriate solution to not putting appropriate thought into the process, which is what I most object to.
It doesn't make sense to go from there to, "encrypting everything doesn't make sense because it doesn't make you definitely safe." That argument leads to the inevitable conclusion that any security feature is unnecessary because, as you've said, nothing fits the bill.
I would never suggest that, because as you've pointed out it's a slippery slope type fallacy. What I will say to clarify is that it is not an appropriate replacement for the risk analysis process, as it is often used.
Not really. Being able to access the data, and being able to carry the data out are two entirely different things. If your data is really important, and the computer holding the data isn't connected to the 'net, the insider doesn't have admin rights, and the USB ports are disabled to people without admin access... he could still break in and steal the hard drive. There's a reason to keep it encrypted.
Well, when I say "if you have the key" I really mean, having the encryption key. Malicious insiders generally carry out data they've been given access to. Certainly espionage-wise, rival companies or governments are likely to target someone who already has access to the data they want, and get that person to be the leak. If a malicious insider is your threat, disk-at-rest encryption is not going to do much to mitigate that.
Yes, that's the type of question that he most definitely needs to deal with. But again, as long as they are looking into issues of that sort, and not just buying into what they think is instant security, there's absolutely no downside to encrypting everything.
I wouldn't go so far as to say there's absolutely no downside to encrypting everything. All encryption has overhead - some products, significant overhead. Then there's either the extra expense of a key management strategy and team plus sysadmin overhead and labor OR the cost of losing data once something bad occurs and the data cannot be recovered.
If his company does an accurate study into their risks and adopts mitigations for them, it might be the case that they only have a relatively minor pool of sensitive information that can be managed server-side through use of things like VMware ACE, or Citrix, or ... insert appropriate technology here. If they're most worried about laptop/USB key loss then they can adopt things like SafeBoot or buy IronKeys/Cruzers/etc.
My main point is that encrypting everything has downsides and he needs to be sure they're worth the gain - the only way that can be done is through risk analysis.