If your company is contemplating a migration to the new Windows Vista operating system, you might want to consider the Business, Ultimate or Enterprise editions. Each includes a new hard drive feature called BitLocker Drive Encryption. By default, the technology requires a Trusted Platform Module (TPM) chip usually found only in higher-end systems. However, you can set group policy so that a USB storage device can store the encryption keys. This setting prevents the computer from booting up until the USB device is plugged in. Great two-factor authentication!
WinMagic's disk encryption software, SecureDoc, offers another way to add pre-boot authentication. If you are having problems with the time it takes to decrypt data, I would consider creating a volume that automatically encrypts all files stored on it; then I would move the My Documents folder to reside there. As long as software programs are not stored on this encrypted drive, there should only be a negligible impact on performance.
If you wish to use encryption abroad, you will have to ensure that the product you choose can be used in the countries that your staff may need to visit. The Bureau of Industry and Security assigns a license exception to most commercial encryption products, allowing them to be exported to only specified destinations. PGP, for example, falls within three types of license exception: mass market, ENC restricted and ENC unrestricted. None of these categories, however, allow encryption products to be exported to the following embargoed countries: Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.
Other steps you can take to protect on-the-road laptops include locking down the operating system and providing users with a physical lock. Better still, insist that users remove hard drives and lock them in a safe whenever they leave their laptops unattended. Some organizations now provide spare drives that have to be installed when working in a hostile environment; anywhere outside the confines of the office. These drives only contain company data that is classified as public. Any other data has to be stored on encrypted USB keys carried separately from the laptop. Proximity alarms can also be attached to a laptop, which will go off if the computer gets too far away from its owner. Finally, I would ensure that all of the laptop-using staff receive security awareness training. The training should be aimed at the particular threats that laptop users face, such as unsecured public Wi-Fi and opportunist thieves.
This was first published in September 2007