Login, change your address, subscribe to new or manage current magazines or e-newsletter subscriptions
IT World Events
Site Map - Affiliates
ComputerWorldNetwork WorldCIO CanadaCIO Canada Governments' ReviewJobUniverse Canada
Enter your  QUICKLINK number to go directly to that article.
Advanced Search
Knowledge Centres
Content Types
Featured White Papers
Unlock the potential of data with the right data warehouse solutionUnlock the potential of data with the right data warehouse solution
Provided by: IBM
read more
IBM Multiform Master Data Management: The evolution of MDM applicationsIBM Multiform Master Data Management: The evolution of MDM applications
Provided by: IBM
read more
Closing the data privacy gap: Protecting sensitive data in non-production environmentsClosing the data privacy gap: Protecting sensitive data in non-production environments
Provided by: IBM
read more
Yuk it Up
Act to Amend the Copyright Act
Want a copyright law that protects spyware and virus writers? If not, sign our petition to amend Bill C-61
Featured IT Quiz
IT Quiz: Test yourself to see if you have the knowledge to fit into the open source world, and compare yourself with the rest of the respondents
Featured White Papers
This white paper details Intel's current and future energy-saving initiatives to reduce costs and support business goals. Learn how Intel IT is extending its efforts to be a role model enterprise IT organization by supporting the Climate Savers Computing Initiative, which aims to drive a 50 percent reduction in computer-related CO2 emissions worldwide. No registration required.
Sign-Up for
Communications Infrastructure
eNewsletter Delivered Weekly
Click here
Page 1 of 3

How to protect your mobile data

By: Galen Gruman - CSO (U.S.)  (20 Nov 2006)

It was two close calls that changed how Rob Israel thought about encrypting the data on his users' laptops.

A few years ago, a laptop at the John C. Lincoln Health System, a Phoenix-area hospital group where Israel is CIO, was stolen from an employee's office. It could have contained financial or (worse) patient information but, fortunately for Israel, "The laptop was brand-new and had no data on it yet," he says. Still, this pilfery and an earlier PC theft from a common work area (which resulted in a loss of noncritical data) pushed him to revisit his company's security strategy.

The result: Lincoln Health avoids storing data locally on users' computers -- PCs and laptops.

In today's workplace, it's impossible to eliminate mobile computing devices -- laptops, thumb drives, mobile phones, PDAs and iPods. If you follow the news, you know that dozens of organizations have had mobile devices lost or stolen, and many of them were not as lucky as Lincoln Health. Since California enacted a data breach notification law in 2002 (followed by 32 other states), there have been a host of embarrassing disclosures about missing computers, most recently at the U.S. Department of Veterans Affairs, the Federal Trade Commission, the Transportation Department, accounting firms Deloitte & Touche and Ernst & Young (three separate occasions this year), Wells Fargo and ING banks, Fidelity Investments, the YMCA and Chevron.

About half of the states' breach-reporting laws give companies a way to avoid disclosing such breaches: the use of encryption on the mobile devices. The other states' breach laws encourage the use of encryption, as do other privacy protection laws such as the federal Gramm-Leach-Bliley Act covering financial information, and the Health Insurance Portability and Accountability Act (HIPAA) covering medical information. Avoiding both the breach penalties and the other costs of losing critical data makes an encryption strategy well worth the effort, says Tim Mc­Knight, vice president and CISO at aerospace contractor Northrop Grumman. "We paid for our program with the savings from the first three laptops that were lost," he notes.

But encrypting data on mobile systems isn't a simple task. CIOs and CISOs have found that while the technology to encrypt laptop hard drives is pretty straightforward and simple to deploy, there are several aspects of mobile security for which technology is not yet solid, particularly for protecting data on removable media and handheld devices. That's why security leaders who have adopted encryption make sure to use other techniques -- both technological and managerial -- to protect their mobile data.

Encryption for laptops: full-disk or file-based?

The first decision when implementing an encryption strategy is whether to use full-disk encryption or file-based encryption. Because Windows XP comes with file-based encryption built in (as do Linux and Mac OS X), it's tempting to use that "free" technology. Anything stored in specific PC folders, like My Documents, is encrypted automatically. But this approach has a significant security flaw: It relies on users putting files in the encrypted folders.

Furthermore, Microsoft's encryption "is not strong, and there is no good management option for the enterprise," says Northrop's McKnight. "It's hard to manage and hard to make work with backup software," warns Paul Kocher, chief scientist for cryptography at technology consultancy Cryptography Research. Although Microsoft promises better encryption in the forthcoming Windows Vista, Kocher suggests taking that promise with a grain of salt, given Microsoft's long history of security vulnerabilities.

The other option is full-disk encryption, which protects everything on the hard drive. With this approach, there's no uncertainty as to what data is actually encrypted. "It takes human judgment out of the equation, so I can tell the regulators that the entire disk is encrypted," says Kim Jones, director of security at eFunds, an electronic transaction provider to financial institutions.

The fear, widespread among users, is that full-disk encryption will slow laptop performance. Fortunately, laptops built in the past three years or so have the horsepower to run full-disk encryption so "the performance hit is nonexistent from the user's perspective," says Jones. McKnight says a slowdown is noticeable, but just slightly. Where it's most noticeable is at system boot-up and when the laptop hibernates, he says.

Several companies -- including PGP, Pointsec and GuardianEdge Technologies -- provide enterprise-class full-disk encryption software that can be installed and managed using standard tools, and that works with backup software and password management systems.

Still, enterprises should test any encryption software to make sure it is compatible with their management tools, advises Eric Maiwald, a senior analyst at the Burton Group research firm. They should have a tool to synchronize user passwords with a secure repository in case IT has to access the laptop (say when an employee forgets system passwords, is injured or leaves the company).

McKnight suggests another precaution: Test hard drives before applying encryption, since the initial encryption can stress problematic hard drives to the point of failure. Although the problem was rare for the 35,000 laptops that Northrop encrypted, it does occur.

Hurry up, please, it's time

Page 1 of 3
Send to a Friend  Rate This Page  Print This PageAdd a new comment
Bookmark this article on:
del.icio.us| Digg it| Furl| Google| Technorati| StumbleIt| Yahoo!

Have something to say about this article? Add a new comment

If you find a comment inappropriate, You can notify the moderator by clicking the Report an innapropriate comment icon.
ADD A COMMENT
Name:*Your email address will not appear online and will be used only in the event that the editor wishes to contact you personally for additional comment.
City:
Email:
Title:*
Comment:*
* required fields



Related Content
Articles

Events

Book Reviews

Special Advertising Partners
IDC Case Study: Identity And Access Management Buying Criteria.
IDC analyses IAM buying criteria and deployment at Coppin State University. Coppin State replaces "first generation" IAM solution to obtain benefits needed for today's agile enterprise: ease of integration, rapid deployment, simplified compliance, flexibility.
White Papers
Closing the data privacy gap: Protecting sensitive data in non-production environments
How can IT organizations protect sensitive data, including employee and customer information, as well as corporate confidential data and intellectual property? Industry analysts recommend "de-identifying" or masking data as a best practice for protecting privacy. This white paper explains the importance of closing the data privacy gap in non-production environments, and provides guidance on effective data masking. Complimentary with registration. Sponsored by IBM.
Unlock the potential of data with the right data warehouse solution
Once you've made the decision to implement a new data warehouse, you want to make sure you choose the one that's right for your organization. This buyer's guide provides checklists for starting points that you can use when evaluating vendors and their products. Complimentary with registration. Sponsored by IBM.
Prepare for a more efficient SAP implementation: Take data issues off the critical path
This white paper outlines how the Preliminary Data Assessment Appliance (PDAA) from IBM can help address the challenges of integrating data from different operational applications across the enterprise to an SAP platform. Complimentary with registration. Sponsored by IBM.
Copyright InformationPrivacy Policy Site MapAbout UsMedia CentreReprint ServicesMobileFeedbackContact Us
PC World CanadaIntergovworld.comIT Vendors DirectoryBio-IT WorldCIO TitlesCMOComputerWorld TitlesCSO
GlossaryDarwinGameProInfoworldGames.netITJobUniverseJavaWorldMacCentral
MacWorldNetwork World TitlesPCWorldPlaylistIDG WorldWide Network
©2008 ITworldcanada.com All rights reserved.