Recently published in CIO Leadership
Stories about lost data and privacy breaches are all over the news: laptops are lost or stolen, data tapes and CDs go missing, and sensitive data is found on USB keys. While it is difficult to protect IT equipment from loss and theft, it is not difficult to protect the data stored on the equipment. Encryption is a key component in a data loss prevention strategy. When data is properly encrypted there can be no privacy or security breaches because the data will be unreadable without the proper keys to unlock it. And with the wide variety of encryption solutions available today, there can be no excuse for not encrypting your business data.
Protecting business data is becoming more and more important because organizations are collecting larger amounts of data and finding it valuable for a range of business functions. And it is not just customer data that is sensitive, but also business plans, customer lists, product information, pricing sheets, etc. Organizations with an online presence are also exposing themselves to greater risks from security vulnerabilities and hackers, not to mention inadvertent leakage from well-meaning employees. Strong data protection is also being mandated in certain business areas, such as healthcare, payment processing, and government services. The state of Nevada even requires encryption during the transmission of any personal data. Also, the costs of adopting an encryption solution are usually much less than the costs of recovering from a data breach.
7 out of 10 businesses have lost a laptop
There are a number of points of data vulnerability in a business, including desktop computers, servers and databases, online systems, backup media and services, and, more recently, online “cloud” services. Anywhere where sensitive data is processed and stored represents a potential source of loss. Perhaps the most serious vulnerabilities, and the most difficult to control, come from portable devices, such as laptop computers, PDAs, USB keys, and portable hard drives. These devices can be easily lost or stolen and yet, given the distributed nature of most businesses, they often contain large amounts of valuable data. Recent IDC research showed that 7 out of 10 businesses have experienced a laptop theft, and many could not determine the impact of the loss for their organization.
The process of encryption involves using some type of secret (such as a password) to form a key. The key is used in a transformation algorithm to make the information to be protected unreadable. Only when the key is used again (with the right password) in a process of decryption can the original information be read and used. There are a variety of key types and the length of a key is one factor that determines its protection strength. Key lengths of 128 bits are common and considered strong enough for most applications, but attack technologies are always improving and longer keys are sometimes recommended.
Focusing on portable devices, there are now a wide variety of encryption methods available to businesses. A recent Ponemon Institute study found that encryption in mobile devices is the top priority in a majority of organizations. Encryption solutions can be categorized in five main categories: (1) file encryption, (2) encrypted disk partitions, (3) encrypted containers, (4) whole-disk encryption, and (5) self-encrypting hard drives. For file encryption the transformation is done to individual files located on some storage device. This method is appropriate when there are only a few files to be protected (such as on USB keys). Encrypted disk partitions use a portion of a disk drive to create an encrypted store, protected by a secret. Any files placed into the partition are automatically encrypted and can only be read if the proper key is used again. Encrypted partitions are useful when there are large collections of files that need to be protected. Encrypted containers are similar to encrypted partitions, but a special container file is created on an existing partition and then mounted as a new drive. Once the proper key is provided, all files stored on the container drive are automatically encrypted. Encrypted containers are popular for applications where a large number of files need to be encrypted but the user does not want to repartition a hard drive.
In whole-disk encryption an entire disk is protected so none of the information can be read without the proper key. This is suitable for applications where all the data on a disk needs to be protected, even temporary files stored by the OS and applications, or in cases where users are not able to determine what information needs to be protected and what does not. Whole-disk encryption is an easy-to-use, automatic solution suitable for many business laptops. Self-encrypting hard-drives contain special encryption hardware that protects all of the information on the drive all of the time. The Trusted Computing Group has recently completed technical standards for these devices and manufactures such as Seagate are now offering drives with this capability. Self-encrypting USB keys with special encryption hardware are also available from companies such as IronKey and Sandisk.
Most operating systems support encryption
Most computer operating systems offer some form of encryption. Microsoft Windows (including XP, Vista, and Windows 7) offers the Encrypted File System (EFS) in its premium editions (not the Home or Basic editions), and this can be used to protect individual files and folders. The secret used to create the encryption key is usually the user’s computer password, although other key methods are available. Microsoft also offers (in its premium editions of Vista and Windows 7) a form of whole-disk encryption called BitLocker. For Apple computers, OS X supports FileVault, which can be used to encrypt a user’s home folder. In addition the Disk Utility application can be used to create an encrypted container. Most of the popular Linux distributions also support whole-disk encryption, encrypted partitions, and encrypted containers.
There are also third party providers that offer powerful encryptions solutions. PGP Corporation offers a full range of enterprise products for desktop computers, servers, and mobile devices (such as Windows Mobile smart phones). TrueCrypt is another popular, free, open-source encryption solution that supports whole-disk encryption, encrypted partitions, and containers. TrueCrypt containers can also be used across different platforms, making it popular for businesses using multiple operating systems.
Even with all of these encryption methods, adoption of encryption technologies remains slow. Businesses may have a number of concerns when it comes to encryption. One unfounded concern is that encryption will slow down the performance of disks or applications. Although the initial encryption operations can be slow if there is a large amount of information to encrypt, once the files or partition are encrypted there is usually negligible impact on day-to-day operations. According to Tim Matthews, Senior Director of Product Marketing at PGP, the overhead caused by encryption is usually 1-3%.
Another concern is lost keys or forgotten passwords. Normally, encrypted data cannot be decrypted without supplying the proper key, and that key is usually protected with a secret password. If the key is lost or the password is forgotten (or an employee leaves the company), it will not be possible to decrypt the data. For laptop systems this may not be a serious concern since most data on a laptop should also be stored elsewhere in an organization. When data recovery is important, enterprise encryption solutions such as the PGP products provide a variety of ways to recover encrypted data. For example, PGP supports having multiple whole-disk encryption passwords, so an administrator could have a password in addition to the end user.
PGP also offers a comprehensive key management system where keys are produced and administered at a central server. This allows help desk staff to provide one-time recovery keys in the case of emergencies or managed key recovery procedures if an employee leaves a company. Tim Matthews states that one of the powerful features of PGP’s integrated solutions is that the organization can set policies about where encryption is to be used, and then it can become automatic and transparent. When a smart phone or a USB drive is introduced to the organization, for example, the policies and encryption technologies can ensure that any data copied to those devices are automatically encrypted.
Laptops will be lost and stolen. Storage media will go missing. Internet vulnerabilities will continue to happen. Businesses need to examine the variety of encryption technologies available to them. They have the option of deploying encryption in an ad-hoc fashion using one of the OS methods or perhaps the free TrueCrypt utility, or they can opt for a complete enterprise solution such as the ones offered by PGP. With all of the solutions available, there is really no excuse for businesses to be vulnerable to these events.