As any field executive will admit, laptops get left in some weird places. They also get stolen, and these problems all have one nasty result – data exposure. Mitigating this means encryption, says Jon Tullett.
The risk to local data in the modern computing environment is high, and growing all the time. Mobile computing carries the implicit risk that devices will simply be stolen, and users accessing (authorized or not) other desktop systems can easily cause data to be compromised. Laptop or PDA theft is annoying, but the exposure of secret data can be many times worse.
Preventing access to devices is a topic in itself, but assuming that the risk will one day become reality brings us to the task of locking down the data itself, and encryption is the fundamental tool for that. Encrypted files are much lower risk, so long as the key to unlock the data remains secret.
There are several ways to encrypt information. The products in this test fall into two broad categories: those that encrypt files and folders, and those that encrypt the whole hard disk. Each approach has pros and cons. We will leave the various data encryption algorithms out of the discussion, since all the products we looked at are now supporting strong, standard encryption such as AES, triple DES (3DES), Blowfish, and so on.
File encryption is excellent for granular security, and particularly useful when a file must be sent keeping its encryption intact. Encrypting files is usually as easy as printing or compressing them. Folder encryption is similar, but applies to an entire directory and usually (but not always) has the benefit of automatically encrypting files placed in the folder.
There are a couple of downsides to file encryption. Just like mail encryption, some will forget it, some will purposefully avoid it and, while there are steps you can take to lock down the working environment to enforce file encryption, this requires work, and risks hampering productivity.
Another downside is that operating systems keep sensitive data in all sorts of weird places, and your encrypted files might be no security at all to a determined attacker. That encrypted Word document has an unencrypted version written out in the Windows temporary folder. And desktop search tools create indexes of file contents which, if the document is then locked, may stay vulnerable.
Disk encryption is very different. In this scenario an entire disk or partition is encrypted, and access must be granted before the OS even boots up. This is typically accomplished by installing an agent into the Master Boot Record (MBR) of the drive, which runs the risk of clashing with other MBR-resident agents such as multiple-boot software, some backup tools, and others. The key benefit here is that the entire OS can be encrypted, leaving no trace of temporary files or caches around, and keeping potentially sensitive configuration data secure, too.
Apart from MBR difficulties, disk encryption also has the problem that it is too easy.
Because it is usually fully transparent (once opened and the OS allowed to boot, the user needs not be aware that the disk is encrypted), files transferred by email or removable media or over the network are typically sent unencrypted.
Because of the pros and cons, we do not see file and disk encryption as competing, but complementary technologies.
Whole-disk encryption is vital for locking down disks which risk being stolen, but more granular file-based encryption is required for sharing data securely. This means that you are looking at either two different products, or one more comprehensive suite, to really tackle mobile data security.
Corporate environments have an additional worry – controlling the access mechanisms, whether that be passwords, identities or hardware tokens.
If a user forgets a password or maliciously encrypts documents before leaving the company, vital corporate data might be irrecoverable. It is also important to be able to share encrypted data – a secure document may be important to an entire group of users – so granular access control is important.
We looked at encryption products from this point of view, testing how well they managed the encryption process from the user's perspective, and how the end result was managed from the administrator's side. Integration with other products, such as password/key management with identity management solutions, was considered a plus.
The FBI reckons laptop theft is the second most-reported computer crime. Only two percent are ever recovered, although recovery is little help if valuable data has been exposed.
Assuming that mobile devices cannot be absolutely physically secured, data encryption should be a requirement in your organization's computing strategy.