This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
One billion-dollar company isn't taking chances with data stored on its laptops. It deployed full disk encryption on every machine, an increasingly popular security strategy.
Timken is much like most public companies its size. Of its 25,000 employees, more are doing business on the road every day, and the risk that a lost or stolen laptop poses to the enterprise's intellectual property and financial posture is too great not to address. And like most public companies its size (Timken has 62 plants and 114 offices in 27 countries), it has turned to full disk encryption, an increasingly popular security measure.
"Protecting our intellectual property has been the prime concern of upper management," says Roger Herbst, senior IT technical specialist at Timken.
Herbst had to do very little arm-twisting for the funding for a rollout of full disk encryption on every Timken laptop. Executives understand the consequences of losing a laptop loaded with the specs for the steel bearings, alloys and lubricants Timken produces for the automotive, industrial, aerospace and super precision industries. Nor do they want to see booming bold-faced headlines on page one of The Wall Street Journal blaming the company for losing partner or customer data, or payment processing information.
With disclosure costs booming and state data breach notification laws unforgiving, full disk encryption makes sense on many fronts, not the least of which is that it often relieves companies of the burden of having to publicly disclose a breach.
"Data loss can be crippling both financially and legally, and protecting data with a well-implemented full disk encryption policy will prevent many of these problems," says expert Michael Cobb, founder and managing director of security consultancy Cobweb Applications Ltd.
5,000 DEVICES, ONE APPROACH
Though not every Timken laptop houses sensitive data, the company decided to encrypt every hard drive, deeming it the best insurance policy.
"I don't want to have to manage each laptop based on what it may or may not contain. That's what drove the decision to encrypt all laptops," Herbst says. Doing so allows the company to have one approach for managing all the devices, and full disk encryption makes the potential disappearance of a laptop a non-issue, since data cannot be harvested when it's encrypted.
With more than 217 million personal records lost or stolen in the U.S. over the last three years--many in laptop-related incidents--laptop protection has been a prominent concern for almost as long. Timken's efforts, however, are nearly a decade old. Herbst says its first attempt at full hard drive encryption began early in 1999 as the company grew more concerned with protecting intellectual property. A year later, however, it became clear that hard drive hardware compatibility problems would limit the potential audience for full disk encryption, and the initial project was shelved by early 2001. In the interim, the company made do with more limited file and folder protection from PGP Corp.
The project was resurrected in early 2004, this time focusing on high-profile users. A year later the company decided to take another stab at putting full disk encryption on every laptop. Since authentication is such a critical factor in an encryption project, Timken had to first resolve its authentication policy issues and decide whether to use strong authentication, passwords, single sign-on or biometrics. Herbst would not disclose which form the company chose, but stressed that selection is the vital first step. He then corralled help from upper management, client services and global IT support departments as product evaluations began.
It took Timken about one quarter to review several vendors--including Pointsec (since acquired by Check Point), PGP, SafeBoot, Credant and PC Guardian--and eventually settle on Utimaco's SafeGuard Easy.
Utimaco SafeGuard Easy provides fully automated encryption, transparent to the user, using AES with 256- and 128-bit keys among other algorithms. It dynamically generates keys from the pre-boot password, relieving the burden of having to store keys on the disk. Encryption also remains in force during hibernation, and authentication is required to regain access to the laptop. Herbst says deployment was straightforward and the product is centrally managed.
"You have to be flexible and be willing to adjust the criteria as you learn the capabilities of the solutions available," he says. "We talked to many different vendors and found you can learn from them and that may lead you to change your criteria."
One key criterion for Herbst was whether a product had sufficient data and disk backup and recovery capabilities; another was compatibility with the company's IBM-Lenovo laptops. Lenovo is a Utimaco partner.
"Any special compatibility with that platform was a plus," he says.
Full deployment took 11 months and was completed in November 2006.
"I crashed my test system several times when first working with the product, which I consider part of the learning curve with new, complex products," he says. Utimaco support was critical to overcoming these issues.
One problem with the test computers turned out to be a corrupt Windows Installer that was not obvious until the IT department started installing the Utimaco encryption.
Another discovery was that when running Microsoft Outlook in cached mode, as Timken does, Outlook would hang up the initial installation setup. Herbst learned that keeping Outlook off during installation cured that compatibility issue.
"I believe the lack of [major] compatibility problems was partly due to the nature of the product, which should be application transparent, and partly due to the extensive testing I performed before deployment to work out any implementation kinks like the Outlook conflict," Herbst says.
Herbst says he also created deployment packages for different user requirements and provided training for IT support personnel worldwide prior to deployment. From there, the client services department managed the deployment process.
Herbst hammered out a detailed 11-month deployment schedule in conjunction with the local IT shops in plants and offices throughout the world. High-profile personnel such as senior executives got the product first.
The encryption software was pushed to most machines via Microsoft's Systems Management Server (SMS). SMS installed the software; users then started the initial encryption process by clicking an icon whenever it was most convenient for them. In most cases, the best time was shortly before leaving work.
"The user would double-click the icon to start the process," Herbst says. "The user was then able to shut down their laptop, take it home, power back up and let the encryption take place while they were eating dinner or sleeping." Deployment on each laptop took about two hours.
Herbst's staff tracked which users had performed the encryption and forced the issue if they had not completed it on a timely basis, he says. With the exception of the Outlook issue, users were able to continue working on their laptops while the initial encryption was taking place.
For some users and sites, local IT personnel preferred to manage the process instead of relying on Microsoft SMS and the end user to complete it, Herbst says, adding, "This was their choice as long as the process was completed according to schedule."
Post-deployment, the software is transparent to the end user, consuming less than 2 percent of the laptop's CPU to perform its on-the-fly decrypt/encrypt functions; there has been no performance impact on the users since deployment was completed. New machines, meanwhile, are delivered encrypted, so users are unaware the encryption is there, other than the authentication screen that appears when booting up the laptop.
Utimaco deploys pre-boot authentication with SafeGuard Easy. Essentially, users are asked to log on and provide their authentication credentials before the laptop operating system is loaded. This secures the environment before Windows boots up. Pre-boot authentication supports passwords and tokens, Utimaco says.
"The only complaints we have received are when a hard drive hardware failure occurs and the data cannot be recovered because of the encryption," Herbst says. "Before we used hard-drive disk encryption, tools could easily extract most or all of the user files on a machine with a drive failure. When the hard-drive disk is encrypted, if the SafeGuard Easy tools cannot get access to the drive, the data is lost."
This painful situation can easily be avoided if the user performs regular backups, though not all critical data is always backed up before a drive failure occurs, Herbst admits.
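The two points above, that the disk key is derived at pre-boot time from the password rather than stored on the disk, and that an encrypted drive yields nothing without that key, are illustrated by this added example. It is not code from the article or from Utimaco and does not reproduce SafeGuard Easy's actual key schedule or cipher mode: PBKDF2-HMAC-SHA256 for key derivation and AES-256-CBC with ESSIV per-sector IVs are assumed constructions chosen for illustration, and the salt and password values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// deriveKey is PBKDF2-HMAC-SHA256 for one 32-byte block (RFC 8018), spelled
// out to stay within the standard library. The key lives only in RAM: the
// disk stores the salt, never the key or the password (assumed construction).
func deriveKey(pass, salt []byte, iters int) []byte {
	prf := func(msg []byte) []byte {
		m := hmac.New(sha256.New, pass)
		m.Write(msg)
		return m.Sum(nil)
	}
	key := prf(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	u := append([]byte(nil), key...)
	for i := 1; i < iters; i++ {
		u = prf(u) // U_i = PRF(P, U_{i-1}); key = U1 xor U2 xor ... xor U_c
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// cryptSector encrypts (enc=true) or decrypts one sector with AES-256-CBC under
// the derived key; len(data) must be a multiple of 16 (a 512-byte sector is).
func cryptSector(key []byte, sector uint64, data []byte, enc bool) []byte {
	// ESSIV: IV = AES(SHA-256(key), sector number), so equal plaintext in two
	// sectors encrypts differently and a sector can be rewritten in place.
	h := sha256.Sum256(key)
	ivc, _ := aes.NewCipher(h[:])
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	ivc.Encrypt(iv, iv)
	c, _ := aes.NewCipher(key)
	mode := cipher.NewCBCDecrypter(c, iv)
	if enc {
		mode = cipher.NewCBCEncrypter(c, iv)
	}
	out := make([]byte, len(data))
	mode.CryptBlocks(out, data)
	return out
}
```

Decrypting a sector with a key derived from the wrong password returns bytes that bear no relation to the original, which is exactly the situation Herbst describes when a failed drive can no longer be opened with the vendor's tools.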
Otherwise, users are unaware of the degree to which their data is protected, and the company's lifeblood, its intellectual property and customer data, is kept safe.
This was first published in March 2008