Tip

Encryption strategies for preventing laptop data leaks

A recent poll by vendor Credant Technologies Inc. found that 88% of employee laptops carry sensitive information; everything from patient, customer and employee records to intellectual property, financial data and passwords. Between business risks, security breach headlines and regulatory compliance, companies have plenty of motivation to use encryption as a last line of defense against data leaks that result from laptop theft or loss. But which laptop encryption approach would work best for your company's workforce?

Encrypted password databases
Programs that selectively encrypt usernames, passwords, account numbers and related tidbits have been available for years. Consumers who do not already encrypt their personal data should seriously consider free programs like

    Requires Free Membership to View

Password Safe and KeePass. But this ad hoc approach is of little utility to employers because it depends on inherently unreliable users to decide what should be encrypted and when. It cannot ensure that sensitive data always gets protected, and thus cannot prove that private data was never exposed.

File and folder encryption
To meet those needs, most businesses will choose IT-administered stored data protection, based on file/folder encryption, full-disk encryption or some combination thereof. File/folder encryption is also selective, but encrypts files automatically, based on defined attributes like file location (e.g., folder), file type (e.g., spreadsheets) or source application (e.g., everything Excel touches).

For example, the Windows Encrypting File System (EFS) is Microsoft's basic file/folder encryption tool. It can be centrally activated by using Active Directory Group Policy Objects to encrypt specified files or folders. However, EFS still relies on sensitive data being written into protected locations, and cannot stop users from copying encrypted files to unencrypted locations (e.g., thumb drives).

More sophisticated file/folder encryption products do more. For example, some offer stronger policies that make data leakage less likely, provide reports that document compliance after a laptop goes missing and can apply a consistent encryption platform and policy to heterogeneous devices, e.g. PCs, PDAs and removable storage.

Full-disk encryption
For general purpose computers, the other popular approach is to simply encrypt everything stored on a physical disk or a logical volume. The goal is to ensure that nothing is ever written to storage without being encrypted. That includes not only sensitive user data, but also application and operating system files.

An example of volume encryption is the BitLocker feature in Windows Vista. It divides a PC's boot drive into an unencrypted boot volume and an encrypted operating system volume, which is unlocked and verified at boot time using a Trusted Platform Module (TPM) chip, USB key or recovery passphrase. But data written to non-OS volumes is still unprotected, although it can optionally be encrypted using EFS.

More comprehensive full-disk encryption (FDE) scrambles the entire hard drive's contents, including boot sectors, swap files, OS files and user data. Authentication, encryption, provisioning and reporting capabilities vary, but enterprise FDE products offer features like Windows single sign-on and central logging for security audit and compliance reporting.

For more information:
Lisa Phifer will be our special guest on a live webcast Wednesday, August 29 at 12:00 noon ET. Lisa will answer your questions about laptop encryption strategy and mitigating mobile device threats.
 
Learn about the many aspects of wireless device security in Lisa Phifer's Wireless Lunchtime Learning series.

Expert Joel Dubin has advice on the best laptop authentication tools.

Comparing alternatives
The main weakness of file/folder encryption is the possibility of data leakage. So why doesn't everyone use full-disk encryption? For starters, encrypting an entire disk can take hours -- not including the time required to make a full system backup first. Thereafter, all data will be encrypted "on the fly," slowing overall system performance to some (not necessarily noticeable) degree.

Some FDE pre-boot authentication methods interfere with other programs that may also be used on the protected system, from asset-tracking products to sign-on processes that modify the Windows graphical identification and authentication library (GINA). Moreover, desktop administration, patching and auditing tools and practices may be affected, since they cannot unlock encrypted system files without the user's credentials. If a protected system is corrupted or damaged, data recovery can be similarly affected. Finally, when routine backups are created, it's wise to encrypt those too.

Combining methods can enable an organization to obtain the best of both worlds. For example, use file/folder encryption on less capable devices like PDAs, while applying FDE to laptops. Applying both methods to the same device might seem like overkill, but it is a viable option, particularly for mobile users who carry regulated data. FDE offers foolproof protection against device loss or theft, while file/folder encryption can protect sensitive user data without obscuring files that IT requires to perform maintenance and recovery tasks.

Of course, the decision will also be influenced by workforce size and budget, privacy needs, risk tolerance and company politics. For more about deployment considerations, best practices, and enterprise experiences with laptop encryption, I recommend the following:

About the author:
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.

This was first published in August 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.