It was two close calls that changed how Rob Israel thought about encrypting the data on his users' laptops.
A few years ago, a laptop at the John C. Lincoln Health System, a Phoenix-area hospital group where Israel is CIO, was stolen from an employee's office. It could have contained financial or (worse) patient information but, fortunately for Israel, "The laptop was brand-new and had no data on it yet," he says. Still, this pilfery and an earlier PC theft from a common work area (which resulted in a loss of noncritical data) pushed him to revisit his company's security strategy.
The result: Lincoln Health avoids storing data locally on users' computers -- PCs and laptops.
In today's workplace, it's impossible to eliminate mobile computing devices -- laptops, thumb drives, mobile phones, PDAs and iPods. If you follow the news, you know that dozens of organizations have had mobile devices lost or stolen, and many of them were not as lucky as Lincoln Health. Since California enacted a data breach notification law in 2002 (followed by 32 other states), there have been a host of embarrassing disclosures about missing computers, most recently at the U.S. Department of Veterans Affairs, the Federal Trade Commission, the Transportation Department, accounting firms Deloitte & Touche and Ernst & Young (three separate occasions this year), Wells Fargo and ING banks, Fidelity Investments, the YMCA and Chevron.
About half of the states' breach-reporting laws give companies a way to avoid disclosing such breaches: the use of encryption on the mobile devices. The other states' breach laws encourage the use of encryption, as do other privacy protection laws such as the federal Gramm-Leach-Bliley Act covering financial information, and the Health Insurance Portability and Accountability Act (HIPAA) covering medical information. Avoiding both the breach penalties and the other costs of losing critical data makes an encryption strategy well worth the effort, says Tim McKnight, vice president and CISO at aerospace contractor Northrop Grumman. "We paid for our program with the savings from the first three laptops that were lost," he notes.
But encrypting data on mobile systems isn't a simple task. CIOs and CISOs have found that while the technology to encrypt laptop hard drives is pretty straightforward and simple to deploy, there are several aspects of mobile security for which technology is not yet solid, particularly for protecting data on removable media and handheld devices. That's why security leaders who have adopted encryption make sure to use other techniques -- both technological and managerial -- to protect their mobile data.
Encryption for laptops: full-disk or file-based?
The first decision when implementing an encryption strategy is whether to use full-disk encryption or file-based encryption. Because Windows XP comes with file-based encryption built in (as do Linux and Mac OS X), it's tempting to use that "free" technology. Anything stored in specific PC folders, like My Documents, is encrypted automatically. But this approach has a significant security flaw: It relies on users putting files in the encrypted folders.
Furthermore, Microsoft's encryption "is not strong, and there is no good management option for the enterprise," says Northrop's McKnight. "It's hard to manage and hard to make work with backup software," warns Paul Kocher, chief scientist for cryptography at technology consultancy Cryptography Research. Although Microsoft promises better encryption in the forthcoming Windows Vista, Kocher suggests taking that promise with a grain of salt, given Microsoft's long history of security vulnerabilities.
The other option is full-disk encryption, which protects everything on the hard drive. With this approach, there's no uncertainty as to what data is actually encrypted. "It takes human judgment out of the equation, so I can tell the regulators that the entire disk is encrypted," says Kim Jones, director of security at eFunds, an electronic transaction provider to financial institutions.
The fear, widespread among users, is that full-disk encryption will slow laptop performance. Fortunately, laptops built in the past three years or so have the horsepower to run full-disk encryption so "the performance hit is nonexistent from the user's perspective," says Jones. McKnight says a slowdown is noticeable, but just slightly. Where it's most noticeable is at system boot-up and when the laptop hibernates, he says.
Several companies -- including PGP, Pointsec and GuardianEdge Technologies -- provide enterprise-class full-disk encryption software that can be installed and managed using standard tools, and that works with backup software and password management systems.
Still, enterprises should test any encryption software to make sure it is compatible with their management tools, advises Eric Maiwald, a senior analyst at the Burton Group research firm. They should have a tool to synchronize user passwords with a secure repository in case IT has to access the laptop (say when an employee forgets system passwords, is injured or leaves the company).
McKnight suggests another precaution: Test hard drives before applying encryption, since the initial encryption can stress problematic hard drives to the point of failure. Although the problem was rare for the 35,000 laptops that Northrop encrypted, it does occur.
Hurry up, please, it's time
If full-disk encryption has an Achilles' heel, it's the password used to enable access to the hard drive. When users work on files, the full-disk encryption software decrypts files as they are opened, then reencrypts them when they're stored. If the password is easy to guess -- or if it's taped to the laptop -- a thief has full access to the drive's data, defeating the encryption. "Allowing a weak PIN means it doesn't matter if you use encryption," says Maiwald.
If data is especially sensitive, a password requirement can be paired with a hardware token for two-factor authentication, says Jerry Johnson, CIO of the Pacific Northwest National Laboratory, a U.S. Department of Energy research facility.
Similarly, laptops should be set to time out after inactivity, so data is not accessible until the password is reentered, says Cryptography Research's Kocher. The trick is setting the time-out period, he notes. The more frequently it must be reentered, the easier a would-be thief can "shoulder-surf" the password in a public space (such as a hotel lobby), while the less frequently it must be reentered, the more time the bad guy has to access the data when the laptop is left unattended. A time-out of a few minutes works in most cases, says Johnson.
Diabolical devices
Although data stored on laptops is fairly easy to secure, three common conduits can confound the strongest encryption: USB drives (including iPods and thumb drives), recordable CD and DVD drives, and e-mail.
In all three cases, data is decrypted when moved to these media, since the usual goal of copying data to external devices is to make it available to systems that may not have the same encryption tools. Over-the-network encryption and policy-based management tools that screen e-mail contents can handle e-mail security. But removable media are more difficult to safeguard.
The simplest solution is to not provide CD or DVD burners on corporate laptops, says Jacob Mays, assistant vice president for IS at Stillwater National Bank. But handling USB drives is trickier. There are two basic approaches to securing external storage devices: disallow their use or use software that applies encryption to them as if they were an internal hard drive.
"You could put glue in the ports. We considered that," Johnson says, half seriously. Although some vendors offer encrypted thumb drives, the encryption works only with their hardware, so users simply can buy their own thumb drives to bypass the security. Windows XP lets IT set policies to enable or disable whole classes of devices, including thumb drives, but there's no way to tell it to distinguish between approved and unapproved devices, says Nate Lawson, a senior engineering director at Cryptography Research. CISOs will need to consider third-party products such as those from Safend, SecureWave and Trigeo.
Baptist Memorial Health Care, a hospital group in Tennessee and Mississippi, uses software from Safend to prevent the use of unauthorized external drives. The company also has its USB drive vendor, Kingston Technology, create software to encrypt the drives' contents. The hospital group also logs all files transferred to these devices in order to identify who is copying data from the secured laptops, says Lenny Goodman, director of desktop management.
A simpler solution is to extend disk-based encryption to laptops' external drives, notes Burton Group analyst Maiwald. He expects that capability to become widely available as vendors upgrade their products. Pacific Northwest, for example, is looking at encryption software that would extend its protection to USB drives, says Kevin Piatt, the lab's manager of office automation and collaboration services.
Handheld horrors
Perhaps the hardest devices to secure through encryption are handhelds. Most don't have the horsepower to run full-disk encryption, says Kocher. He says that when encryption software is available for these devices, it usually lacks appropriate strength or interferes with communication functions, such as making calls -- which is not good when you're talking about phones. "There are so many implementations of PDAs that there's no way for a security vendor to do a whole PDA solution," Kocher says. So IT must install and manage a variety of software if it wants to support a variety of devices.
That's why eFunds, Lincoln Health, Pacific Northwest National Laboratory, and Stillwater Bank all ban the use of handhelds for e-mail and the storage of corporate data. Northrop Grumman disallows their use at all divisions but one (where handhelds were allowed before Northrop bought it). To ensure the security of these devices, most Northrop business divisions forbid their access to e-mail and use a management tool that applies encryption to their files whenever they're connected to a Northrop PC or network. "It's expensive to allow PDAs using such policy-based tools," McKnight says.
For all these organizations, there is one exception to handheld insecurity: the BlackBerry, which comes with sufficiently strong full-disk encryption, as well as e-mail encryption, not to mention remote management features such as the ability for IT to wipe out the contents of a stolen or lost device.
Love that data center
The simplest way to protect data on mobile devices is to not store it there in the first place. "People should really get a handle on where their data is and who has access to it," advises Kocher. "Why are people putting this information on their laptop in the first place?" he asks. Burton Group's Maiwald suggests that enterprises adopt remote access tools where possible so that the information never leaves the confines of the data center.
That lesson is not lost on many CIOs and CSOs. Although laptops have become cheaper and at many companies are the standard PC, Northrop's McKnight says that's a mistake.
He's not alone. At eFunds, only 10 percent of users -- typically executives, salespeople and IT staff -- get laptops, reducing what needs to be managed, says director of security Jones. To reduce its risk, Baptist Memorial has just a few hundred laptops out of more than 6,000 PCs, notes Goodman. "We've dramatically cut down on the number of laptops and portable devices," says Lincoln Health's Israel.
For those users who really do need laptops, full-disk encryption and management of removable media is an effective way to secure data. Says Israel, "The technology is out there, and it's not that expensive. You just have to use it."
Sidebar
Legal incentive
Avoiding the public embarrassment and high costs of breaches -- in terms of notification expenses and lost customers -- is a big motivator for many companies to encrypt data on their mobile devices.
For example, M&T Bank calculates that it costs US$137 per affected customer just to fulfill the notification requirements, says CISO Matt Speare. And transaction management firm eFunds calculates that each missing record can cost $50. “One spreadsheet can cost $1 million,” says Director of Security Kim Jones.
California started the trend of public disclosures for lost data in 2003 with its SB 1386 law, which requires organizations that keep databases containing sensitive information on California residents to notify them if their data is exposed. (Because so many companies have California customers, some consider the law to have an impact beyond that one state.) Today, 32 other states have similar laws, and seven states and the U.S. Congress are considering similar measures (see the map on Page 47).
Encryption is a defensive move in this legal landscape. All states exempt a company from reporting a potential breach if the data was encrypted, says Tom Smedinghoff, a partner at the Chicago law firm Wildman Harrold. Otherwise, 16 states require notification if the data is missing, whether or not it is actually compromised, while the other states require a risk assessment each time.
None of the laws specifies what type of encryption must be used. Some organizations may therefore simply use the operating systems’ built-in file encryption, but that’s not a smart move because doing the minimum won’t be an effective defense in the court of public opinion, argues Carlos Perez-Albuerne, a partner at the Boston law firm of Choate, Hall & Stewart. Instead, “where you can encrypt things, encrypt them. Use what people consider to be the best practices at the time. Limit access. Monitor access,” he advises.
Outside of breach disclosure laws, encryption can also help minimize the damage if customer financial or medical records are compromised, notes Smedinghoff. The Gramm-Leach-Bliley Act for financial information and the Health Insurance Portability and Accountability Act for medical information don’t require encryption, but they cite it as a recommended security practice that can help reduce liability.
-- Galen Gruman is a San Francisco–based technology writer. Send comments to csoletters@cxo.com.