This article can also be found in the Premium Editorial Download "Information Security magazine: Finding affordable encryption options for laptop data security."
Download it now to read this article plus other related content.
According to the nonprofit Identity Theft Resource Center, staggering numbers of sensitive data records were breached in 2009, continuing a trend occurring since 2005. Approximately 498 distinct breaches
With vast numbers of records being lost or stolen, particularly from mobile systems, more organizations should be using endpoint security controls such as laptop encryption. In addition to the potential loss of customer confidence, litigation concerns, and general "bad press" that come with a public data breach, many organizations need to adhere to multiple compliance and privacy mandates at state, federal, and industry levels. Although few compliance requirements actually mandate the use of laptop encryption, it is definitely needed if laptops routinely carry sensitive payment card, healthcare, or financial data that fall under PCI DSS, HIPAA, GLBA and Federal Financial Institutions Examination Council security guidelines. In addition, new state privacy laws such as Massachusetts' new data law, 201 CMR 17.00, specifically require the use of laptop encryption..
There are a number of specific types of laptop encryption available, both as free and commercial products. In addition to product capabilities and implementation types, there are numerous deployment considerations that organizations need to evaluate before rolling out laptop encryption. We'll address the major types of laptop encryption available today, ranging from pre-encrypted drives to full disk encryption software, as well as everything in-between. We'll also examine the critical issues of key management and policy management.
BEST LAPTOP ENCRYPTION SOFTWARE OPTIONS
Most laptop encryption software products today support strong encryption using trusted algorithms such as Advanced Encryption Standard (AES), with acceptable 256-bit key lengths. The major types of laptop encryption in use today include full disk encryption, file/folder encryption, volume encryption, and pre-encrypted drives. Several variations of these types are also growing in popularity, including partial drive encryption and centrally managed file/folder encryption (sometimes called distributed encryption). All encryption products will impose varying degrees of performance impact on endpoint systems--a factor that organizations must take into consideration before jumping into a laptop encryption project.
Full Disk Encryption (FDE): FDE software generally encrypts the entire hard drive on a laptop, preventing unauthorized access to the system overall. Although many FDE systems can encrypt bootable disk partitions, quite a few leave the Master Boot Record (MBR) unencrypted to ensure stability and performance. Some technologies, such as hardware-based options that leverage Trusted Platform Module (TPM) chips in the hardware, are capable of encrypting the MBR with significantly less impact to the overall system performance. FDE solutions offer the best protection for mobile systems such as laptops, because the system cannot be decrypted at all without knowledge or possession of a specific cryptographic key. Downsides include potential performance impacts (including significantly longer boot times) and a lack of granular policy definition for protection from specific users and groups accessing the system. In fact, a major criticism of FDE is the availability of all resources when an authorized user is logged in.
FDE can be problematic in other ways as well. Some products have been known to take quite a while to encrypt the entire hard drive, and if the process encounters any errors during the encryption, the hard drive may suffer irreversible damage. In addition, FDE can sometimes interfere with the normal operation of any existing software on the system that requires read/write operations to the hard drive, such as patching agents and antivirus products. partial disk encryption deliberately avoids encrypting specific areas of drives that require frequent access from these products, seeking to alleviate the issues FDE may cause.
File/Folder Encryption: File and folder encryption is most often used when organizations need to encrypt specific resources on systems, leveraging user, group, and role information to create policies for data protection. In many cases, this is most applicable to internal systems or servers with shared drives, but may be used on laptops when they are accessed by multiple parties, or simply for more granular policies that are more content-driven, including policies based on file types such as Microsoft Excel spreadsheets and specific keywords that are recognized by encryption agents or data loss prevention (DLP) products.
File and folder encryption is particularly useful for protecting sensitive data from systems administrators and other privileged users. For example, a CFO may want to encrypt financial spreadsheets to prevent all other users from accessing them, and only she would possess the requisite keys(s) needed to access the data without implementing data or key recovery procedures. However, depending on the product, file and folder encryption software agents may cause some noticeable impact on laptop performance. File/folder encryption can also inadvertently lead to data exposure. If encryption policies are not defined or applied properly, lost or stolen laptops may have sensitive data that can be extracted by an attacker after cracking user credentials or simply duplicating the hard drive and extracting data. In most cases, policies are defined on a central management server by security and IT administrators. These are then pushed down to each system's encryption agent and applied. For systems that don't connect to the network often, these policies may be out of date or missing.
Volume Encryption: Volume encryption, also commonly referred to as "home directory encryption," is essentially a hybrid of FDE and file/folder encryption, where large data stores in specific directories or volumes on a specific system are encrypted for one or more users and/or groups. In general, this equates to a much more simplistic policy-based approach, where less focus is placed on file types, content, or other policy rule matching capabilities; the entire focus, instead, relates to which user or group is accessing a protected resource or volume/directory. This type of solution can be a good tradeoff in terms of system performance impact and management overhead when compared with file/folder encryption, while still offering more granularity than full disk solutions.
Pre-Encrypted Drives: Many laptop manufacturers are shipping systems with pre-encrypted drives. A number of hard drive manufacturers also are creating standalone encrypted laptop drives that can be purchased and added to preexisting systems. The major drawback to this approach is cost, because pre-encrypted drives can cost two times as much as traditional mobile system drives, although prices are quickly coming down. One other potential issue is enterprise-wide management, as these drives typically need some additional management and monitoring software employed in order to configure them and ensure encryption is in place remotely.
However, in addition to the benefits of full-disk encryption, this disk encryption technique provides several additional benefits. First, the drive architecture is built specifically to support encryption, and many vendors are following a standards-based approach espoused by the Trusted Computing Group (TCG) in its Storage Architecture Core Specification. This results in enhanced performance in most cases, with reduced likelihood of hardware compatibility issues or drive errors related to encryption. A recent study by consulting and market intelligence firm Trusted Strategies suggests that read/write operations may actually be twice as fast on pre-encrypted drives versus encryption software. Another advantage concerns the protection of encryption keys. Most software-based encryption products store encryption keys in system memory (dynamic RAM), and this potentially exposes the key to attackers using techniques like the Cold Boot attack discovered by Princeton University researchers in 2008. Pre-encrypted hard drives typically store the key on a Trusted Platform Module (TPM) chip, so it's never stored in memory.
|Affordable laptop encryption options abound|
Free and open source products do the job, but there are limits around management and support.
Obviously, cost is a major consideration for any laptop encryption project. Pricing for commercial solutions vary widely, ranging from $20 to $60 per laptop, depending on the overall feature set selected.
There are also free, or open source options available. The most popular free solution is TrueCrypt, which provides FDE and pre-boot authentication for Windows, Mac, and Linux platforms, but does not provide true policy-based file/folder encryption. It also lacks enterprise-wide management capabilities. Other popular free solutions include FreeOTFE (Free On-The-Fly Encryption) for Windows and PocketPC systems, DiskCryptor for Windows, FileVault for Mac OS X, and a variety of Linux distribution packages. In general, free solutions are only applicable for smaller organizations that can manage each laptop's encryption individually, since management consoles with key recovery and other features aren't available.
Organizations running recent versions of Microsoft Windows (Vista and later) can take advantage of built-in BitLocker Drive Encryption. With Windows 7, BitLocker is much simpler to manage via Active Directory, includes more robust and automated key backup and recovery capabilities, and can also be easily extended from laptops to USB drives and other portable media via policies. BitLocker encryption policies can be created and managed entirely through Group Policy settings, which may simplify management significantly for Windows administration teams. BitLocker is available in the Enterprise and Ultimate editions of Windows 7.
For some organizations, the best option might be a combination of encryption methods. For most laptops, FDE or pre-encrypted drives are likely the best and simplest approaches, because laptops will usually be protected from the majority of loss or theft scenarios. However, there may be laptops shared by multiple team members or situations that call for more direct and specific policies around files or content to be encrypted instead of the entire drive. In these cases, file/folder encryption could be installed instead of FDE.
Numerous commercial products today offer both types, and they're generally managed from the same central console. Free and built-in solutions usually don't offer this flexibility.
LAPTOP ENCRYPTION DEPLOYMENT CONSIDERATIONS
There are numerous deployment considerations for a laptop encryption project. Organizations should take the following into account:
Platform support: Regardless of the type of encryption chosen, platform support is a factor in installation and provisioning if software is involved. More organizations are managing diverse laptop platforms and operating systems, and many products provide multiplatform support and are now capable of encrypting Windows, Linux, and Mac laptops.
Installer size and deployment options: As many organizations will need to install the encryption software across remote links when laptops connect over VPN, or push out software to remote office locations, the size of the package is important to consider. Size of packages can range from several megabytes to more than 100 MB. The size of the package will vary depending on type of encryption (for example, FDE tends to be somewhat larger), additional security tools included with the agent, etc. Most FDE and file/folder encryption products have built-in deployment capabilities, but organizations using Microsoft's Systems Management Server (SMS) and other provisioning tools can often use those instead, as they tend to be more flexible and integrated into the environment. For large environments, scalability is key as well, where multiple packages can be deployed in groups, on a schedule, etc.
Overall transparency to users: The more transparent encryption solutions are to laptop users, the more successful the deployment will likely be. If encryption leads to significant system slowdown, numerous authentication prompts, or popups and other policy notifications from file/folder encryption agents, users will look for ways to disable or circumvent the encryption solution.
ENCRYPTION KEY MANAGEMENT PRIMARY SECURITY ISSUE
Once the software has been deployed, management becomes the primary issue for security and IT teams. The following are important management considerations:
Key management and recovery: Encryption keys are generated upon deployment of software (or stored in hardware for pre-encrypted drives), and will need to be stored and managed for safekeeping as well as recovery of data in the event a user forgets or loses his/her password or other authentication mechanism used to gain access (smart cards or USB tokens with certificates, two-factor methods, etc.). In most cases, laptop encryption products will automatically store a local copy of the key for encrypting and decrypting, and this key will be accessed once a password or other credentials are entered. For recovery, a copy of this key may be stored in a central management repository, or a "master key" may be generated to allow administrators to access the system and data, and allow creation of a new user or system key. Key storage is important too, because the key repository needs stringent protection. Products should encrypt the centralized keys or the database storing the keys.
Policy creation and management: Most FDE products are straightforward in terms of policy--encrypt the drive on a specific laptop, allowing access based on some authentication scheme (usually a password). For file/folder encryption products, however, policy tends to be much more granular. For example, policies can be created that permit or deny access to encrypted resources based on a user's identity or role, and this often ties back to identity repositories such as Active Directory and others. Most file/folder encryption can also generate policies based solely on file types, such as Microsoft Excel spreadsheets, or particular content in file names or inside the file itself. For example, all Excel spreadsheets may be encrypted by default with a policy that only allows access to the owner of the file and the user's accounting team. Some encryption products are going a step farther in this regard, working in conjunction with DLP systems and enabling encryption policies to integrate with the granular content analysis capabilities DLP policies provide.
Audit and reporting: Depending on compliance requirements or internal policies, the ability to easily report on the state of encryption for laptops that store sensitive data may be a critical management feature. Audit trails and logs are important for key changes and revocation as well as any significant changes to the encryption infrastructure.
With data breaches from lost or stolen laptops increasing every year, organizations need to ensure that endpoint security is in place, and laptop encryption is one of the most capable and simple ways to accomplish this. With most laptop encryption products providing widespread platform support and a variety of features, enterprises are focusing more on performance, ease of deployment, and management capabilities as priorities in selecting a solution, especially larger organizations with numerous laptops to protect. In addition, compliance and privacy regulations may require laptop encryption, so reporting and audit trails are becoming more important as well. As laptop encryption becomes more cost-effective and simple to manage, especially with solutions such as pre-encrypted drives, it's highly likely that adoption rates will increase.
Dave Shackleford is director of risk, compliance and security assessments at Sword and Shield Enterprise Security and is a certified SANS instructor. Send comments on this article to email@example.com.
This was first published in June 2010