Laptop security essentials: Protecting device data, even from admins?

ITKE member Black Magic posed this question:
I am a department head, and by the nature of the job, I have plenty of confidential information on my laptop and I want to ensure this information is protected. Therefore, I would like to learn what I can do to ensure that these files cannot be accessed from the LAN or the Internet, keep these files from system admins, and determine who the culprit is, should they bypass my security controls.

ITKE member Shalom C advised:
Here's what I would do to minimize these risks:

• Get disk encryption tools like SafeGuard. Encrypted disks cannot be read by removing the physical disk.
• Install a personal firewall on your laptop that is fully managed by you - ZoneAlarm is a good candidate. Block all shared folders, shared printers and remote management tools.
• Create encrypted volumes where you store your sensitive material. Windows has an Encrypting File System (EFS) which may be sufficient, however there are commercial products available, like PGP disks
.

ITKE member Luis Hernández advised:
While avoiding unauthorized access to an Internet-connected (or network-connected) laptop will require some software, more importantly it will require that rules are followed. Additionally, before you implement the software and/or guidelines to satisfy your needs, an administrator should be consulted.

More information on laptop security Weigh the pros and cons of laptop encryption. SearchSecurity.com's network security expert Mike Chapple weighs in on the laptop security debate.

However, with that said, I believe the most appropriate question to ask is, "What would I have to do if someone else accessed to my laptop to avoid access to critical information?" What's the answer? In my opinion, it would be [to] use encryption software. Since there's always possibility that someone can break into the firewall or steal your laptop, it would be wise to use it at all times.

ITKE member JohnBF advised:
Assuming the files you wish to protect are work files and not private ones, I wouldn't want you to use anything other than the built in Windows Encapsulated PostScript (EPS). Using the built-in EPS will protect your files from casual access, but should a disaster occur, your company will would be able to recover them.

Additionally, any and all security features on your work machine should be created and administered by your system administrators. You should ask them to enable file and object access auditing on your laptop and tell them that the file system should be set to NTFS. If you're using a private or personal laptop -- or you keeping private files on it -- these files should be kept away from the work domain.

Finally, a system administrator must be able to access anything on the domain and be responsible for security, which includes auditing what is stored on your machine. Therefore, the company should hire someone that it trusts.

ITKE member Preytell advised:
While all of the above responses highlight one very important point -- that your administrators must be trusted -- I also believe a company must have a clearly defined data protection policy, to protect these files and perhaps, more importantly, their interest. It's also important to remind you that the files on your laptop are not yours, you are a trustee for the company, and should you leave, the company must have the ability to your files.

ITKE member INeedHelp61 advised:
It sounds like you are more concerned with internal threats than external. This may be valid, but I would not ignore the external threat, such as theft of your laptop. I would recommend that you store confidential data on your network (with appropriate access controls) rather than on the laptop, until you have set up proper encryption protection.

ITKE member ELPUEBLO advised:
Remember if the systems administrator is at all versed, he may be able to get in no matter what you do to the laptop. Therefore, BlackMagic, if you're asking system admins if we think a department head should stop all file access, the answer is most likely going to be no. However, if you want to make a few files inaccessible, it is easy and many of us would love to point you in the right direction.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Enterprise Data Protection,   Disk Encryption and File Encryption,   Application and Platform Security,   Database Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Screencast: Find rogue wireless acess points with Vistumbler How to prepare for a secure network hardware upgrade Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Disk Encryption and File Encryption Health Net healthcare data breach affects1.5 million Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Should developers create libraries of common cryptographic algorithms? What is an encryption collision? Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection Voltage, RSA spar over tokenization, data protection Truth, lies and fiction about encryption What are new and commonly used public-key cryptography algorithms? Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Advanced Encryption Standard  (SearchSecurity.com) data key  (SearchSecurity.com) Encrypting File System  (SearchSecurity.com) encryption  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) network encryption  (SearchSecurity.com) output feedback  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) Rijndael  (SearchSecurity.com) Twofish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.