
Portable security

Full-disk encryption can take a lot of risk out of mobile computing

By David Cassel, Special to GCN

“People like to stay off of the front page,” said Dan Roddy, security administrator at the Oregon State Treasury. He’s read too many news stories about government agencies scrambling after the theft of a laptop PC that held unencrypted data, which led to his determination not to fall into the same trap.

More than 165 million records containing sensitive personal information have been breached in recent years, according to the Privacy Rights ClearingHouse, a nonprofit consumer watchdog organization.

In 2006, the Office of Management and Budget mandated that all data on mobile devices be encrypted. Starting with California, more than half of all states have augmented federal privacy laws with their own statewide privacy regulations. Many require disclosure to the public of all data thefts — unless that data is encrypted.

With the mounting pressure for ongoing data protection, many systems administrators have discovered they can buy security for their data drives — along with some peace of mind — by implementing full-disk encryption. The idea of full-disk encryption — also called whole-disk encryption — is simple: Instead of just encrypting sensitive files or selected directories, encrypt everything on the disk. Selective encryption can be an administrative headache, figuring out which files should be scrambled. With full-disk encryption, you scramble everything and just make sure the user or administrator doesn’t lose the password.

“It’s pure logic,” Roddy said. “If everything on the disk is encrypted, you don’t have to worry about what was on it!”

“There have been products that provided this for at least 10 years,” said John Girard, a vice president and analyst at Gartner. “People only bought them if they absolutely had to, because they didn’t like the extra complexity of managing the systems. It wasn’t really until the press started covering it on a regular basis that people realized how bad it was.”

“We’ve had laptops that have been stolen out of cars,” said Chris Rushkin, a systems security analyst at the California Franchise Tax Board, “but they were encrypted. At that point, it’s a paperweight for the thief. We lose that asset, but the data is secure, and that’s probably our most important asset.”

The California experience
California has been practicing what it preaches when it comes to data security. The California Department of Insurance is using full-disk encryption for its laptops, said Tadesse Chekol of its Information Security Office.

California’s Board of Equalization is a longstanding user of the GuardianEdge Data Protection Platform. “I can tell you that we use encryption technology and have since about 2000 on some hard drives for auditors,” said Anita Grandrath Gore, chief communications officer at the board. “They’re on the road, and they take laptops with them, so full-disk encryption is necessary for securing confidential taxpayer information.”

Gore said the board is moving to encryption for desktop PCs, too. “We have a million taxpayers registered with us, and we have lots and lots of information relevant to their accounts that would be considered confidential. We don’t want to risk [that] any of that information might become public,” she said, noting that many of the board’s desktop computers are near windows, where they are at risk for smash-and-grab robberies.

Hardware or software?
Before taking the plunge into full-disk encryption, you have to answer one question: Do you want a hardware- or software-based method of encrypting your content? Each has its advantages.

“There are certain levels of security certification that can’t be achieved without hardware,” Girard said. “But even so, the software vendors have made an excellent showing of meeting some rigorous government certification [requirements] for protection.”

Girard points out that the vast majority of full-disk encryption installations are software-based. Setting a policy requiring a specific hardware component can limit your flexibility, he said, and enforcing a specific hardware specification is even trickier with contractors.

“When you’re dealing with a contractor, it’s very hard to say we expect you to use this exact hardware configuration,” Girard said. “And what if they’re not maintaining it to your specifications? At a certain point you have to get involved, but getting involved at the hardware level is very complicated — whereas getting involved at the software level is achievable.”

But hardware encryption has its advantages. Seagate is one vendor offering a full-disk encryption product built directly into the hard drive.

“It’s data security at the core of where your data lives,” said Joni Clark, Seagate’s notebook marketing manager. “Once you write, you’re encrypting.” Clark points to one of the big advantages in performing the encryption in the hardware. “It’s not something that people are known for hacking into,” she said, referring to hard drives. “It’s done within a closed environment. You’re not going to the operating system; all the security is done natively.”

Use it, don’t lose it
One thing to keep in mind about full-disk encryption is that good management is vital. After all, if every one of your disks is being locked up, or encrypted, with a key, you want to make sure you — or your users — don’t lose that key.

“If you don’t handle it properly, encryption is a great way to lose your information forever,” said Trent Henry, a senior analyst at the Burton Group. He offers some simple advice: “If you go forward with it, have a good key management strategy in place. Create the keys so they’re secure, change them periodically so they’re not subverted by bad guys and make sure they’re properly backed up — in case the IT guy gets hit by a bus.”

Key management is a big concern for systems managers. The California Franchise Tax Board, for instance, is managing more than 6,000 encrypted desktop computers. “It’s a lot of PCs,” Rushkin said.

The GuardianEdge software the board uses seems to work well enough at this scale, however. “Since it’s an enterprise solution, it’s easy to manage,” Rushkin said. “The product we have has a master console that our help desk uses. It verifies the user and then lets them know what code they need to get back into their PC. With the way we implemented it, we haven’t had any problems with recovering data.”

Roddy thought of this when examining the native encryption on a new Sony Vaio laptop. “It’s great, absolutely, but when you get it into an organization’s environment, you need a way to manage that, and you can’t do it without software. You need a network program to administer the settings to make sure they’re all the same on every laptop.”

Oregon has been running a management console provided by Voltage Security, called SecureDisk. “I tested it — it’s been in production for about a year now,” Roddy said. “I can’t think of a single problem we’ve had with it. It’s been really solid.”

The management gets trickier if an organization has already applied a patchwork approach to encryption using a variety of products, possibly managed at different security levels.

Here, Henry advised managers to “centralize the policy guidelines for the use of encryption and, wherever possible, create some kind of centralized key management.” But most vendors seem aware of the need for an easy key management solution. “The Pointsec PC Enterprise Workplace is a turnkey encryption solution,” David Vergara, marketing director at Check Point, said of his company’s product. “The key management is baked into the product. There’s no third-party key management or any additional steps that the business needs to do.”

And their recovery procedure is automatic. “Before any machine is encrypted with the Pointsec PC product, we actually create a recovery file that can be stored on a remote server,” he said. “It does that automatically, just to ensure that every system can be recovered. There’s been no case in history where we’ve not been able to recover a machine.”
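As an added illustration, and not code from any product named in this article, here is a minimal version of the key-escrow design behind both Henry's advice (secure, rotatable, backed-up keys) and the recovery file described above: one random disk encryption key (DEK) is wrapped once under a password-derived key and once under a random recovery key that is escrowed with a management server, so a forgotten password is recoverable and a password change re-wraps the DEK without re-encrypting the disk. Function names, the PBKDF2 cost and the HMAC-based wrapping are assumptions; a real product would wrap with AES (RFC 3394 key wrap or AES-GCM) rather than this stdlib-only construction.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000  # assumption: tune upward as hardware allows


def _kek_from_password(password, salt):
    """Key-encryption key (KEK) from the user's password; the DEK is never derived from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def _wrap(kek, dek):
    """Encrypt-then-MAC a 32-byte DEK under a 32-byte KEK (HMAC-SHA256 as PRF and MAC)."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def _unwrap(kek, slot):
    tag = hmac.new(kek, b"mac" + slot["nonce"] + slot["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None  # wrong credential or tampered slot: fail closed, no DEK
    stream = hmac.new(kek, b"enc" + slot["nonce"], "sha256").digest()
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))


def provision(password):
    """Build the on-disk header (two key slots, no plaintext key) and the recovery key
    that must be escrowed on the management server before the disk is encrypted."""
    dek = os.urandom(32)           # the one key all sectors are encrypted under
    recovery_key = os.urandom(32)  # random, independent of the password
    salt = os.urandom(16)
    header = {"salt": salt,
              "user": _wrap(_kek_from_password(password, salt), dek),
              "recovery": _wrap(recovery_key, dek)}
    return header, recovery_key


def unlock(header, password=None, recovery_key=None):
    """Preboot step: recover the DEK from whichever credential is presented."""
    if recovery_key is not None:
        return _unwrap(recovery_key, header["recovery"])
    if password is not None:
        return _unwrap(_kek_from_password(password, header["salt"]), header["user"])
    return None


def change_password(header, old, new):
    """Rotate the user credential: re-wrap the same DEK, so no disk data is re-encrypted."""
    dek = unlock(header, password=old)
    if dek is None:
        return False
    header["salt"] = os.urandom(16)
    header["user"] = _wrap(_kek_from_password(new, header["salt"]), dek)
    return True
```

Because the escrowed recovery key alone unlocks every disk it was provisioned for, the server holding it needs the same access controls and audit trail as the data it protects.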

One way to mitigate the risk is to disable the preboot challenge, or the authentication step that users go through to access their encrypted files. This challenge requires users to log in twice — once before the computer starts and then again when Microsoft Windows asks for a password.

Despite the extra work on the part of users to log in twice, everyone interviewed for this story felt that disabling the preboot challenge was a bad idea. “If there’s no challenge when they start the machine, then where’s the security? It’s like leaving your front door unlocked so you don’t have to be interrupted by the key,” Girard said.

Clark said there’s no way to disable the preboot authentication with Seagate’s hardware-based system. “If you don’t have a strong front door, you might as well not have a safe. Don’t provide encryption if you’re not going to give a preboot authentication that keeps thieves out.”

Rushkin agreed. “I think that’s more of a security risk,” he said, adding that his systems require both the preboot authentication and then a separate Windows authentication. “I can’t say that we have a perfect solution, but I think it’s definitely a secure solution.” It may add one small additional inconvenience to users, but “when people get used to it, the inconvenience is gone.”

Girard points out that different systems offer different levels of difficulty for recovering passwords, though the point is to not make password recovery too easy. With powerful tools come powerful responsibilities. But powerful tools such as full-disk encryption let managers sleep better at night — and not end up on the front page of a newspaper.
