
Federal government pushes full disk encryption

By Dennis Fisher
10 Jan 2007 | SearchSecurity.com


Security Wire Daily News


Behind the firewall with Dennis Fisher: It's not often that anyone points to the federal government as a role model for security. Government employees in the last 18 months have shown an alarming talent for finding new and creative ways to disclose personal information about active-duty military personnel, veterans and everyday citizens. They leave laptops and desktops lying around for thieves to pilfer, they take home massive amounts of sensitive data in order to work on side projects and they fail to fix software flaws that make easy targets for attackers.

But all of those problems, as messy as they are, have actually led to something good. As a result of a mandate from President Bush, the federal government is in the middle of a massive evaluation of full disk encryption (FDE) products. At the end of the process, all government-owned laptops and mobile devices will have their entire hard drives encrypted. This is clearly a knee-jerk reaction to all of the recent incidents, but unlike most ideas that come out of such situations, it's actually a good one.

The idea of encrypting all of the data on a laptop may well be the digital equivalent of using a shotgun to kill a fly, but it saves users and managers from having to pick and choose what files need to be encrypted. That process would almost certainly turn into a bureaucratic black hole, from which no logic could escape. But by going the FDE route, the government is taking any of those questions, as well as the inevitable recriminations when something goes wrong, out of the equation.

The government's evaluation is essentially an open casting call to all of the FDE vendors out there, and comes with a lengthy list of requirements. One of the prerequisites is that the product be able to perform key escrow. This idea is anathema to most security and privacy advocates because it requires that a copy of the encryption key be stored with a third party. That's not going to fly with individual users, but the government is a different animal and has a legitimate need to ensure that encrypted data is not unrecoverable at some point down the road.

In a very real sense, that data, be it IRS records, military service histories or home loan data, belongs to the individual citizens and not to the government agencies who have collected it. And that's been part of the problem; the agencies don't see citizens as their customers, so they don't treat the data with the care it deserves. A lost laptop full of IRS records doesn't translate into lost revenue, it just means bad press. That threat clearly hasn't been enough, so the administration stepped in, and for that they should be applauded. The Bush years are not likely to be remembered as the best of times for information security, but this directive certainly is a small step toward making up for some of the blunders and apathy of the last six years.

Now the question is, what will it take for corporate America to get in the game and make the same commitment the government has? The answer, unfortunately, can probably be summed up in one word: money. Some of the biggest names in U.S. business have been hit by data thefts in recent years and have seen their names splashed across the front pages as a result. Customers have raged on message boards and some companies have paid good-sized fines to settle civil claims. But still the incidents continue to pile up.

The problem is that the accumulated bad publicity and fines aren't nearly enough to force companies to infringe on the productivity gains that mobile devices provide. Unless and until the government brings some real pressure to bear with serious fines and/or penalties for corporate officers, we're not likely to see things change anytime soon. Companies can do their part right now by suspending or terminating employees whose laptops are lost or stolen. It sounds harsh, but some companies have already instituted such policies, and we've seen clearly that nothing else seems to be working.
