Data Encryption: The Whole-Disk Option
For sensitive data sitting on a portable, encryption is no longer an option. It’s a necessity.
- By Chris DeVoney
The company’s data jewels may reside on the big iron within the corporate data center, but subsets of that data either extracted from the repository or kept in parallel systems float on hard disks throughout the entire organization. Some of that shadow data, and the computer on which the data resides, may be heading into the shadowy hands of misfortune or thieves.
If it moves, it can be lost or stolen. The loss need not happen at an airport, in a car, at a coffee shop, or at home. When thieves are motivated, access-controlled buildings and locked doors won’t keep notebooks or desktop computers from leaving the house. Some losses are self-inflicted: an association of taxi drivers reported that over 4,000 notebooks were left in London cabs in a six-month period.
A few familiar names that have suffered such losses include Fidelity Investments, the University of California at Berkeley, Union Pacific, and the Department of Veterans Affairs. In each case the computer contained either consumer information, client information, or protected health information. From these and similar affairs, the number of states adopting disclosure laws for computer data losses or breaches has reached 30, and that number continues to grow. Combine abbreviations such as GLB and HIPAA with greater notebook use and you’ve guaranteed that more companies will perform public acts of contrition over data losses while the IT managers responsible for company policy perform acts of career seppuku.
If you can’t stop the data from leaving the heavy iron, you must protect the data. If it contains any confidential information belonging to your customers or clients, you have a moral, legal, and, more likely, civil obligation to them to shield that data.
Access Control Isn’t Enough
Forget access control. If I have physical access to a computer, I can bypass passwords and fingerprint readers with a bootable Linux CD, or remove, copy, and reinsert the disk drive without leaving a digital fingerprint anywhere. If the computer is recovered, the owner is clueless that the data has been compromised. Any technically savvy thief can do the same.
The solution is data encryption, but it imposes inconveniences and compromises. Many third-party products and Windows’ own Encrypting File System (EFS) are software-based solutions that consume a share of the computer’s performance, often in the low double-digit percentage range. Many schemes encrypt on a file-by-file or directory basis. Other schemes, including Pretty Good Encryption (PGP), establish a logical disk drive and encrypt all information stored to that drive.
Because of the way these schemes are shoehorned into the operating system, they depend on user discipline. If a user doesn’t manually encrypt a new file, or fails to store the file in the encrypted directory or drive, the protection is lost.
Something as simple as e-mail, often a carrier of protected health or consumer information, may be the downfall. Although e-mail may be protected on the server and encrypted on the way to the end-point, many organizations allow the messages to sit on the end-user’s computer in plaintext, in unencrypted space.
The most protective scheme is encrypting the entire disk drive. In the past, this scheme was rejected out of hand except for extremely sensitive data, because the already-underpowered portable device took a performance hit encrypting too many files (operating system and program files, for instance) that really didn’t need encryption. Moving the encryption tasks into hardware, such as an add-on card, was an expensive but workable alternative.
The better move was to put the encryption into the computer itself. Lenovo offered the first line of notebooks (formerly carrying the IBM brand) to build an accelerator, called a Trusted Platform Module (TPM), into the computer. When bundled with Utimaco’s SafeGuard Easy software, which has over three million licenses worldwide, end users get a transparent encryption scheme that grabs only two to six percent of the processor’s attention. Enterprises get comprehensive protection for all files on the disk.
Lenovo makes a valid point that the ThinkPad’s fingerprint reader, together with storing the authentication and encryption keys in the TPM rather than on the disk drive itself, makes the system more secure. The combo has FIPS certification, which answers most regulatory needs, and the Rescue and Restore software handles the intricacy of backing up and restoring encrypted bits that can elude other backup software.
Lenovo is simply the first manufacturer. Other computers with whole-disk encryption are on the way. Even so, the right move may be to offload the encryption one step further.
Seagate has announced a product in which the hardware of the disk drive does the encryption. The basics of this DriveTrust Technology make sense: disk drives now have enough horsepower in their current 300 MHz processors to do the encryption, and the ten percent of the disk space normally reserved for internal use is sufficient to hold the encryption code, keys, and more.
When enabled, the drive requests a password from the user before booting the operating system. During operation, the dedicated storage areas can be used by trusted applications to store added information such as stronger encryption methods, biometric authentication data, or forensic information.
These drives, scheduled for initial delivery in Q1 2007, are part of the Trusted Computing Platform initiative, which most major hardware and software vendors follow. Expect major names such as Dell and HP to be among the first with systems using the drives.
According to Seagate, the premium for systems using these drives should be less than $100. That difference will drop as other manufacturers (such as Hitachi) enter the encrypted drive market. Since these self-encrypting drives do need revised computer BIOSes to work, don’t expect them as retrofits for existing computers.
There are still rough spots in any of these schemes. Since passwords can be forgotten and disk drives can fail, every scheme raises encryption-key escrow issues. Most schemes lack central administration. For a handful of portables, manually handling and storing copies of the encryption keys on floppies is a simple filing issue. For fleets of systems, the process is an administration nightmare.
The Lenovo/Utimaco solution has a console that can issue one-time keys so help desks can open disk drives for forgetful or unfortunate users. For any encryption candidate, take a very close look at the central management tools. They vary widely in maturity and integration with central directory schemes.
One of the most obvious mistakes—allowing a computer to return from hibernation without asking for a password—completely invalidates all encryption protection: the disk is already unlocked, and the computer is wide open to whoever holds it.
Why bother with whole-disk encryption? Does a get-out-of-jail-free card interest you? Federal and most state disclosure laws have an exemption if the computer’s entire disk drives were encrypted. Although an enterprise may elect to publicly disclose the loss, the clients and customers can be assured the data is unusable and that there is no obligation for additional expenses, such as extending credit-bureau monitoring services to potential victims.
Additionally, a company can be off the hook for the labor-intensive process of erasing data before surplusing or disposing of the disk drives. Popping (destroying) the electronic key leaves any data on the drive hopelessly scrambled.
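The key-escrow console and the "pop the key" disposal step above both hinge on one design: the disk encryption key (DEK) is never stored bare, only wrapped under a key-encryption key (KEK) derived from each secret that may unlock it. The following is an added illustration, not code from any of the products named in the column; it models a volume header with a user slot and an escrow slot, a help-desk recovery that rotates the escrow secret so the issued one is single-use, and a crypto-erase. Names (`DiskHeader`, `recover`, `crypto_erase`) and the PBKDF2 work factor are assumptions, and an HMAC-SHA256 keystream stands in for AES Key Wrap so the code needs only the standard library.

```python
import hashlib
import hmac
import secrets

def derive_kek(secret: bytes, salt: bytes) -> bytes:
    # Stretch a password or escrow code into a 32-byte key-encryption key.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)  # assumed cost

def wrap(kek: bytes, dek: bytes) -> dict:
    # Encrypt-then-MAC the 32-byte DEK; one HMAC-SHA256 output is the keystream
    # (stdlib stand-in for AES Key Wrap). A fresh nonce per wrap keeps it unique.
    nonce = secrets.token_bytes(16)
    pad = hmac.digest(kek, b"wrap" + nonce, "sha256")
    blob = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.digest(kek, b"tag" + nonce + blob, "sha256")
    return {"nonce": nonce, "blob": blob, "tag": tag}

def unwrap(kek: bytes, w: dict):
    # Return the DEK, or None when the KEK is wrong (tag check fails first).
    tag = hmac.digest(kek, b"tag" + w["nonce"] + w["blob"], "sha256")
    if not hmac.compare_digest(tag, w["tag"]):
        return None
    pad = hmac.digest(kek, b"wrap" + w["nonce"], "sha256")
    return bytes(a ^ b for a, b in zip(w["blob"], pad))

class DiskHeader:
    # Volume header: the DEK exists on disk only wrapped, once per key slot.
    def __init__(self, password: bytes, escrow_secret: bytes):
        dek = secrets.token_bytes(32)  # discarded after wrapping
        self.salt = secrets.token_bytes(16)
        self.slots = {"user": wrap(derive_kek(password, self.salt), dek),
                      "escrow": wrap(derive_kek(escrow_secret, self.salt), dek)}

    def unlock(self, secret: bytes):
        # Pre-boot authentication: any slot that opens yields the DEK.
        kek = derive_kek(secret, self.salt)
        found = (unwrap(kek, s) for s in self.slots.values())
        return next((d for d in found if d is not None), None)

    def recover(self, escrow_secret: bytes, new_password: bytes):
        # Help-desk flow: only the escrow slot is honoured; the user gets a new
        # password and escrow is rotated, so the issued secret works once.
        slot = self.slots.get("escrow")
        dek = unwrap(derive_kek(escrow_secret, self.salt), slot) if slot else None
        if dek is None:
            return None
        new_escrow = secrets.token_bytes(32)  # the console stores this copy
        self.slots["user"] = wrap(derive_kek(new_password, self.salt), dek)
        self.slots["escrow"] = wrap(derive_kek(new_escrow, self.salt), dek)
        return new_escrow

    def crypto_erase(self):
        # Disposal: drop every wrapped DEK; data on the platter is unrecoverable.
        self.slots.clear()
```

After `crypto_erase()` the encrypted sectors are untouched, yet no secret, old or new, can recover the DEK, which is exactly why the disposal exemption in the column holds.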
Given the consequences, there is no excuse to leave confidential client, consumer, or protected health information in the clear on any portable computer. For the existing fleet, encryption solutions may deliver lackluster performance along with convenience and administration headaches. Still, the stakes from just one loss, which can include everything from damage to your corporate brand to your own continued employment, are too high to ignore. A single loss can cost more than equipping hundreds of systems.
Not every portable or computer needs encryption, of course, but you need a policy for any computer with shadow data, and those systems with sensitive information had better have that data protected. Future computers will make the process easier and cheaper, but you have a moral, if not legal, obligation to act now. Your clients and customers deserve nothing less.