Laptop security essentials: Protecting device data, even from admins?

ITKE member Black Magic posed this question:
I am a department head, and by the nature of the job, I have plenty of confidential information on my laptop and I want to ensure this information is protected. Therefore, I would like to learn what I can do to ensure that these files cannot be accessed from the LAN or the Internet, keep these files from system admins, and determine who the culprit is, should they bypass my security controls.

ITKE member Shalom C advised:
Here's what I would do to minimize these risks:

• Get disk encryption tools like SafeGuard. Encrypted disks cannot be read by removing the physical disk.
• Install a personal firewall on your laptop that is fully managed by you - ZoneAlarm is a good candidate. Block all shared folders, shared printers and remote management tools.
• Create encrypted volumes where you store your sensitive material. Windows has an Encrypting File System (EFS) which may be sufficient, however there are commercial products available, like PGP disks
.

ITKE member Luis Hernández advised:
While avoiding unauthorized access to an Internet-connected (or network-connected) laptop will require some software, more importantly it will require that rules are followed. Additionally, before you implement the software and/or guidelines to satisfy your needs, an administrator should be consulted.

More information on laptop security Weigh the pros and cons of laptop encryption. SearchSecurity.com's network security expert Mike Chapple weighs in on the laptop security debate.

However, with that said, I believe the most appropriate question to ask is, "What would I have to do if someone else accessed to my laptop to avoid access to critical information?" What's the answer? In my opinion, it would be [to] use encryption software. Since there's always possibility that someone can break into the firewall or steal your laptop, it would be wise to use it at all times.

ITKE member JohnBF advised:
Assuming the files you wish to protect are work files and not private ones, I wouldn't want you to use anything other than the built in Windows Encapsulated PostScript (EPS). Using the built-in EPS will protect your files from casual access, but should a disaster occur, your company will would be able to recover them.

Additionally, any and all security features on your work machine should be created and administered by your system administrators. You should ask them to enable file and object access auditing on your laptop and tell them that the file system should be set to NTFS. If you're using a private or personal laptop -- or you keeping private files on it -- these files should be kept away from the work domain.

Finally, a system administrator must be able to access anything on the domain and be responsible for security, which includes auditing what is stored on your machine. Therefore, the company should hire someone that it trusts.

ITKE member Preytell advised:
While all of the above responses highlight one very important point -- that your administrators must be trusted -- I also believe a company must have a clearly defined data protection policy, to protect these files and perhaps, more importantly, their interest. It's also important to remind you that the files on your laptop are not yours, you are a trustee for the company, and should you leave, the company must have the ability to your files.

ITKE member INeedHelp61 advised:
It sounds like you are more concerned with internal threats than external. This may be valid, but I would not ignore the external threat, such as theft of your laptop. I would recommend that you store confidential data on your network (with appropriate access controls) rather than on the laptop, until you have set up proper encryption protection.

ITKE member ELPUEBLO advised:
Remember if the systems administrator is at all versed, he may be able to get in no matter what you do to the laptop. Therefore, BlackMagic, if you're asking system admins if we think a department head should stop all file access, the answer is most likely going to be no. However, if you want to make a few files inaccessible, it is easy and many of us would love to point you in the right direction.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Screencast: How to use Wikto for Web server assessment How to avoid DLP implementation pitfalls Microsoft Baseline Security Analyzer: Do updates offer improved Windows security? How to patch Kaminsky's DNS vulnerability Directory services and beyond: The future of LDAP Screencast: Catching network traffic with Wireshark Enterprise role management: Trends and best practices Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex How to build security into a virtualized server environment Disk Encryption and File Encryption PCI DSS 1.2 clarifies wireless, antivirus use Sophos to acquire mobile data protection company Utimaco How can 'DRAM remanence' compromise encryption keys? Growing Mac use prompts call for better security Websense, Reconnex top Forrester ranking of DLP vendors Embedded Security Safeguards Laptops Should whole disk encryption products be used with data backup software? Does FTPS encrypt data packets at the hardware or software level? Should disks be encrypted at the hardware level? Is Triple DES a more secure encryption scheme than DUKPT? Database Security Critical Oracle flaw to get emergency fix NitroSecurity covers its bases with RippleTech deal Oracle releases 45 database, application fixes Microsoft to issue Windows, SQL Server updates Fortinet acquires database vulnerability scanner from IPLocks Information security book excerpts and reviews Product review: Symantec Database Security 3.1 New SQL injection technique threatens Oracle databases Oracle fixes 41 flaws in April CPU The ins and outs of database encryption Database Security Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Advanced Encryption Standard  (SearchSecurity.com) data key  (SearchSecurity.com) Encrypting File System  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) network encryption  (SearchSecurity.com) output feedback  (SearchSecurity.com) quantum cryptography  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) Rijndael  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.