While it's hardly trivial, encrypting enterprise laptops has become a common exercise for users who store or interact with sensitive data. Combined with other best practices like strong authentication and standard antimalware defenses, diligent enterprises can effectively safeguard notebook computers like never before.
However, with the emergence of low-cost, highly portable devices, such as tablets and the upcoming iPad, a host of non-traditional notebook-like computing devices will be in use in the enterprise, requiring most organizations to choose a data encryption method for them.
As these devices proliferated over the past two years, many people asked the same question: Should organizations extend the same encryption practices used on laptops to these devices, or do cost, limited CPU resources and unique platforms mandate a different data protection strategy?
I have a standard answer when people approach me with that inquiry: "You're asking the wrong question!" Encryption is a data-centric security control; it prevents an unauthorized individual from gaining access to information, rather than protecting a physical device. There's nothing encryption will do to prevent someone from hacking into a system with an improperly configured firewall. It will, however, stop someone who gains access to a device from harvesting sensitive data.
With this point of view, the endpoint encryption question should be rephrased from "What devices should I secure?" to "What data should I secure?"
Most organizations should have data classification policies that make identifying the sensitivity of information stored on each device easier. If a device contains sensitive data elements as defined by the data classification policy, it's vital to ensure that data is encrypted.
Mobile device encryption is different
Mobile devices in general (and the aforementioned highly portable devices in particular) present an additional challenge: They're much more likely to be lost or stolen than traditional computers. After all, it's much easier to forget a flash drive in a client's computer than it is to leave a laptop unattended. These highly portable devices deserve extra protection beyond security measures employed on laptops, as outlined below.
Consider available data encryption methods
There are two data encryption methods available for securing data stored on highly portable devices: purchasing devices with built-in security or adding security to the device by using software encryption. Both are effective options, but built-in hardware encryption runs faster and is less prone to user error.
Heightened awareness of portable device security issues has increased the demand for devices with built-in security and, over the past two years, manufacturers have introduced a number of products to help solve the issue. Major flash drive manufacturers, such as Lexar Media Inc. and SanDisk Corp. now offer encrypted devices that meet the government's stringent FIPS encryption standards. There are also high-performance device options, such as the specialized IronKey Inc. devices with fast, efficient hardware encryption or McAfee Inc.'s Encrypted USB Drives that incorporate both hardware encryption and fingerprint scanners to facilitate biometric authentication.
If specialized hardware that supports data encryption isn't an option, consider using software encryption that's either built into the operating system or added on with a third-party product. Here are a few examples:
- Microsoft Windows 7 includes BitLocker and EFS, which may both be used to secure data stored on hard drives.
- The free, open source TrueCrypt package provides a way to encrypt hard drives, flash drives and other storage devices in a transparent manner on Windows, Macintosh and Linux platforms.
- Many third-party compression utilities, such as 7-Zip and WinZip, offer built-in AES encryption that allows for easy and secure packaging of files for transport.
- The GNU Privacy Guard (GPG) package uses the OpenPGP standard to provide secure encryption for files.
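As an added example of the last option above (this script is not part of the original article and is not GnuPG's own documentation), the following POSIX shell functions package a file for transport with GPG's passphrase-based OpenPGP encryption, then decrypt it to confirm the round trip. It assumes GnuPG 2.x is installed as `gpg`; the file names, the sample contents and the passphrase are constructed for the demonstration. The passphrase is read from a mode-600 file rather than passed on the command line, so it does not show up in the process list, and the string-to-key settings are tightened so a stolen drive cannot be attacked with a cheap passphrase guess.

```shell
#!/bin/sh
# Added example, not from the original article: symmetric OpenPGP file encryption
# with GnuPG for transporting a sensitive file on a portable device.
# Assumes GnuPG 2.x is installed as `gpg`. All names and contents are constructed.

set -eu

# Work in a throwaway keyring directory so the demo leaves nothing behind in ~/.gnupg.
export GNUPGHOME="$(mktemp -d)"
trap 'rm -rf "$GNUPGHOME"' EXIT
# Older 2.1 agents need this to accept a passphrase from the calling process.
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"

# encrypt_file SRC DEST PASSFILE
# Produces a binary OpenPGP message in DEST, encrypted with AES-256 under a key
# derived from the passphrase in PASSFILE (iterated+salted S2K, SHA-512, max count).
encrypt_file() {
    gpg --batch --yes --quiet \
        --pinentry-mode loopback \
        --passphrase-file "$3" \
        --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --output "$2" "$1"
}

# decrypt_file SRC DEST PASSFILE
# Recovers the plaintext; gpg verifies the integrity tag (MDC) before writing it.
decrypt_file() {
    gpg --batch --yes --quiet \
        --pinentry-mode loopback \
        --passphrase-file "$3" \
        --output "$2" --decrypt "$1"
}

# roundtrip_demo
# Encrypts a constructed sample record, checks the plaintext is not visible in
# the ciphertext, decrypts it again and prints the recovered contents.
roundtrip_demo() {
    work="$(mktemp -d)"
    printf 'account=4111-xxxx\n' > "$work/plain.txt"        # constructed sample data
    printf 'correct horse battery staple\n' > "$work/pass.txt"  # constructed passphrase
    chmod 600 "$work/pass.txt"

    encrypt_file "$work/plain.txt" "$work/plain.txt.gpg" "$work/pass.txt"

    # A correct ciphertext must not contain the original record.
    if grep -q 'account=' "$work/plain.txt.gpg"; then
        echo "plaintext leaked into ciphertext" >&2
        rm -rf "$work"
        return 1
    fi

    decrypt_file "$work/plain.txt.gpg" "$work/out.txt" "$work/pass.txt"
    cat "$work/out.txt"
    rm -rf "$work"
}
```

The passphrase file, not the command line, is the right place for the secret in any scripted use; on the portable device itself only the `.gpg` output should travel, never the passphrase file or the plaintext.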
A plethora of data encryption methods and options exist in the marketplace, so there's really no excuse for allowing sensitive data onto unencrypted portable devices.
Remember the fundamentals
The bottom line is that security controls should primarily be driven by the sensitivity of the information stored on a device, rather than the nature of the device itself. Highly portable devices, such as netbooks and flash drives, do pose an increased risk of theft, so as you would with notebooks, be sure to carefully consider whether you wish to allow sensitive data to be stored on them. Fortunately, there are a number of great data encryption methods and technologies out there to help safely store sensitive information on any device.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in April 2010