Regulations Drive Whole-Disk Encryption

With the average public data breach costing $7.5 million to clean up, security managers seek automated hard disk encryption.

If your laptop was stolen today, could the thief access what’s on the laptop’s hard drive? For most business users the answer is yes, because the majority of laptops owned by businesses don’t have software to keep the whole hard drive encrypted.

Speaking after having had two laptops stolen in European train stations alone, security expert Phil Zimmermann, who created Pretty Good Privacy (PGP) in 1991, says: “don’t assume it can’t happen to you.” In the most recent incident, “as one guy distracted me, his accomplice grabbed my computer from atop my suitcase. When I went to the police station, the local authorities pointed at piles of similar complaints.”

Stolen laptops can mean compromised intellectual property, lost customers if the theft becomes public, and regulatory trouble. That’s why more organizations are investigating full-disk encryption software to keep everything on a hard drive encrypted and password-protected, so if a laptop is stolen, an attacker can’t access anything on it.

Researchers say the majority of stolen laptops, desktops, and PCs aren’t nicked for the information on them, but just to be sold. Comforting as that might be, many organizations can no longer take any chances. “With workforces becoming increasingly mobile, the need for secure laptops and mobile devices has moved beyond a convenience issue to one that is critical for regulatory compliance and the preservation of intellectual property,” notes Steve Winandy, director of advanced technologies at CDW Corp.

On the regulatory front, health-care and insurance organizations must secure sensitive information per HIPAA. Any merchants or service providers that store, process, or transmit MasterCard or Visa cardholder data must comply with the Payment Card Industry (PCI) data security standard. California’s SB 1386 mandates organizations doing business in the state notify any state residents when their information may have been compromised. In the wake of numerous data-loss scandals, including the CardSystems Solutions breach, at least 15 more states now have similar laws, and more may follow.

$13 Million Per Breach

Beyond regulations, there’s another cost/benefit driver for encrypting sensitive information, according to new research from the Ponemon Institute, which surveyed 14 organizations that lost customer information. “We conducted in-depth conversations to determine the direct and indirect costs of these incidents and found companies averaged a direct cash outlay of $5 million for detection, legal fees, notification, and increased customer service,” says Larry Ponemon, chairman of the institute. “Adding indirect expenses of $8 million for employee-time consumed and lost customers, the cost to recover from a lost data incident was more than $13 million.”

Among the 14 companies, the actual cost of a data breach ranged from $475,000 to $52 million, he says. In general, “companies in financial services, insurance, telecommunications, and technology experienced much higher costs, primarily due to brand damage and lost customer confidence.”

Encrypting Entire Hard Drives

To help, organizations can implement software that keeps all contents on a hard drive encrypted. Indeed, many security managers are now shopping for “secure, reliable, and manageable encryption,” says Henry Nissenbaum, managing director of information security research at TheInfoPro.

One incentive for using hard-drive encryption is that in general, data-breach laws (including California SB 1386) specifically state that no notification is necessary if the lost or stolen information was stored encrypted on the hard drive.

Whole-disk encryption software is available from multiple companies; perhaps the most well-known is Pointsec Mobile Technologies. Apple’s OS X operating system also includes built-in, whole-disk encryption, dubbed FileVault, though it’s not active by default. Other companies offer software specifically to encrypt directories containing sensitive information.

Software encryption vendor PGP Corp. also announced its foray into the laptop, desktop, and server whole-disk encryption market with PGP Whole Disk Encryption, due out next month. The product “offers a pre-boot encryption of everything on your laptop,” says Andrew Krcik, vice president of marketing at PGP. “If you cannot provide the proper credentials to get onto the laptop, then you won’t.” The product will offer four features: whole-disk encryption when a system is “sleeping” or powered off; individual file and folder encryption; data encryption for backup devices; and secure data deletion. As with the company’s other products, PGP Whole Disk Encryption can also be used with PGP Universal, a server which centralizes management, encryption administration, LDAP integration, recovery, and key management.

From a security policy standpoint, whole-disk encryption software also allows organizations to automate security policies. Using automation, for example, means “it’s no longer incumbent upon a user to encrypt this file or that one,” says John Dasher, director of product management at PGP. Organizations can just ensure everything stays encrypted.

Note that after installation, such products will initially take time to encrypt all hard drive contents. “That time will vary depending upon the size of your hard disk and the processor speed of the computer itself,” he says. “We’ve implemented this such that once the initial drive encryption begins, we can do this in the background, and we actually pay attention to processor utilization, so if the user starts doing something that requires the processor, PGP Whole Disk will back off.” USB drives and external hard drives can also be encrypted using the product.
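The key architecture behind the pre-boot credentials, recovery and key management described above, as an added illustration that is not PGP's code: a random data-encryption key (DEK) encrypts each sector, the user's passphrase and a separate recovery key each protect only a wrapped copy of the DEK, and changing the passphrase re-wraps the DEK without re-encrypting the disk. The function names, the 512-byte toy image and the BLAKE2b counter-mode keystream standing in for the product's block cipher are assumptions.

```python
import hashlib
import hmac
import os

SECTOR = 512  # sector size of the constructed toy disk image
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Counter mode over keyed BLAKE2b (assumed stand-in for the product's cipher); the
    # sector number is the nonce, so identical sectors never encrypt identically.
    return b"".join(hashlib.blake2b(nonce.to_bytes(8, "big") + i.to_bytes(4, "big"),
                                    key=key, digest_size=64).digest()
                    for i in range((n + 63) // 64))[:n]

def crypt_sector(dek: bytes, sector: int, data: bytes) -> bytes:
    # XOR with the per-sector keystream both encrypts and decrypts.
    return xor(data, keystream(dek, sector, len(data)))

def wrap_dek(dek: bytes, credential: bytes) -> bytes:
    # One key slot: salt || DEK encrypted under a credential-derived KEK || HMAC tag.
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000, dklen=32)
    enc = xor(dek, keystream(kek, 0, 32))
    return salt + enc + hmac.new(kek, salt + enc, "sha256").digest()

def unwrap_dek(slot: bytes, credential: bytes):
    salt, enc, tag = slot[:16], slot[16:48], slot[48:]
    kek = hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000, dklen=32)
    if not hmac.compare_digest(tag, hmac.new(kek, salt + enc, "sha256").digest()):
        return None  # wrong credential: the pre-boot stage releases nothing
    return xor(enc, keystream(kek, 0, 32))

def create_volume(passphrase: bytes, image: bytes):
    # A random DEK encrypts the disk; passphrase and recovery key each guard only a wrapped copy.
    dek, recovery_key = os.urandom(32), os.urandom(32)
    header = {"user": wrap_dek(dek, passphrase), "recovery": wrap_dek(dek, recovery_key)}
    cipher = b"".join(crypt_sector(dek, n, image[i:i + SECTOR])
                      for n, i in enumerate(range(0, len(image), SECTOR)))
    return header, cipher, recovery_key

def unlock(header: dict, credential: bytes):
    # Pre-boot authentication: the first slot that verifies releases the DEK.
    return next((d for d in (unwrap_dek(s, credential) for s in header.values()) if d), None)

def change_passphrase(header: dict, old: bytes, new: bytes) -> bool:
    # Rotating the credential re-wraps the DEK only; no sector is re-encrypted.
    dek = unlock(header, old)
    if dek is not None:
        header["user"] = wrap_dek(dek, new)
    return dek is not None
```

Because the recovery key is just a second slot, an administrator can escrow it centrally and recover a volume whose user forgot the passphrase, which is the role the article assigns to the management server.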

Early adopters of PGP’s product hail especially from the financial services, health and medical, pharmaceuticals, and government sectors, “and recently, anyone who saves customer data,” says Dasher.

“There are two kinds of companies—those who lost laptops and those who will,” notes Krcik. “So the question is, what are the ramifications when it happens, and what are you going to do to protect yourself?”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.