Federal government pushes full-disk encryption

By Dennis Fisher
10 Jan 2007 | SearchSecurity.com


Security Wire Daily News


Behind the firewall with Dennis Fisher: It's not often that anyone points to the federal government as a role model for security. Government employees in the last 18 months have shown an alarming talent for finding new and creative ways to disclose personal information about active-duty military personnel, veterans and everyday citizens. They leave laptops and desktops lying around for thieves to pilfer, they take home massive amounts of sensitive data in order to work on side projects and they fail to fix software flaws that make easy targets for attackers.

But all of those problems, as messy as they are, have actually led to something good. As a result of a mandate from President Bush, the federal government is in the middle of a massive evaluation of full-disk encryption (FDE) products. At the end of the process, all government-owned laptops and mobile devices will have their entire hard drives encrypted. This is clearly a knee-jerk reaction to all of the recent incidents, but unlike most ideas that come out of such situations, it's actually a good one.

The idea of encrypting all of the data on a laptop may well be the digital equivalent of using a shotgun to kill a fly, but it saves users and managers from having to pick and choose what files need to be encrypted. That process would almost certainly turn into a bureaucratic black hole, from which no logic could escape. But by going the FDE route, the government is taking any of those questions, as well as the inevitable recriminations when something goes wrong, out of the equation.

The government's evaluation is essentially an open casting call to all of the FDE vendors out there, and comes with a lengthy list of requirements. One of the prerequisites is that the product be able to perform key escrow. This idea is anathema to most security and privacy advocates because it requires that a copy of the encryption key be stored with a third party. That's not going to fly with individual users, but the government is a different animal and has a legitimate need to ensure that encrypted data is not unrecoverable at some point down the road.

In a very real sense, that data, be it IRS records, military service histories or home loan data, belongs to the individual citizens and not to the government agencies who have collected it. And that's been part of the problem; the agencies don't see citizens as their customers, so they don't treat the data with the care it deserves. A lost laptop full of IRS records doesn't translate into lost revenue, it just means bad press. That threat clearly hasn't been enough, so the administration stepped in, and for that they should be applauded. The Bush years are not likely to be remembered as the best of times for information security, but this directive certainly is a small step toward making up for some of the blunders and apathy of the last six years.

Now the question is, what will it take for corporate America to get in the game and make the same commitment the government has? The answer, unfortunately, can probably be summed up in one word: money. Some of the biggest names in U.S. business have been hit by data thefts in recent years and have seen their names splashed across the front pages as a result. Customers have raged on message boards and some companies have paid good-sized fines to settle civil claims. But still the incidents continue to pile up.

The problem is that the accumulated bad publicity and fines aren't nearly enough to force companies to infringe on the productivity gains that mobile devices provide. Unless and until the government brings some real pressure to bear with serious fines and/or penalties for corporate officers, we're not likely to see things change anytime soon. Companies can do their part right now by suspending or terminating employees whose laptops are lost or stolen. It sounds harsh, but some companies have already instituted such policies, and we've seen clearly that nothing else seems to be working.
