Published: 01 Mar 2008
One billion-dollar company isn't taking chances with data stored on its laptops. It deployed full disk encryption on every machine, an increasingly popular security strategy.
Name your target: the laptop storing your company's trade secrets, or the one holding proprietary partner and customer data and the company's financial information. Timken Company can afford to have neither left behind in a cab or hotel room, nor stolen by a determined thief working for a competitor, or by one simply looking to sell hardware on eBay.
Timken isn't unlike most public companies its size. Of its 25,000 employees, more are doing business on the road every day, and the risk to the enterprise's intellectual property and financial posture from a lost or stolen laptop is too great not to address. And like many public companies its size (Timken has 62 plants and 114 offices in 27 countries), it has turned to full disk encryption, an increasingly popular security measure.
"Protecting our intellectual property has been the prime concern of upper management," says Roger Herbst, senior IT technical specialist at Timken.
Herbst had to do very little arm-twisting for the funding for a rollout of full disk encryption on every Timken laptop. Executives understand the consequences of losing a laptop loaded with the specs for the steel bearings, alloys and lubricants Timken produces for the automotive, industrial, aerospace and super precision industries. Nor do they want to see booming bold-faced headlines on page one of The Wall Street Journal blaming the company for losing partner or customer data, or payment processing information.
With disclosure costs climbing and state data breach notification laws unforgiving, full disk encryption makes sense on many fronts, not least because most of those laws exempt encrypted data: a company that can show the lost drive was encrypted, and that the key was not lost with it, is often relieved of having to notify the public at all.
"Data loss can be crippling both financially and legally, and protecting data with a well-implemented full disk encryption policy will prevent many of these problems," says expert Michael Cobb, founder and managing director of security consultancy Cobweb Applications Ltd.
5,000 DEVICES, ONE APPROACH
Though not every Timken laptop houses sensitive data, the company decided to encrypt every hard drive, deeming it the best insurance policy.
"I don't want to have to manage each laptop based on what it may or may not contain. That's what drove the decision to encrypt all laptops," Herbst says. Doing so allows the company to have one approach for managing all the devices, and full disk encryption makes the potential disappearance of a laptop a non-issue, since data cannot be harvested when it's encrypted.
Not for Everyone
An all-or-nothing approach isn't ideal in every case.
While Timken Company decided its best bet was to put full disk encryption on every laptop, some find it either unnecessary or unrealistic in their environment. Ken Pfeil, head of information security for the Americas region at financial services company WestLB AG in New York, says he values full disk encryption as much as the next guy, but not for all of the several hundred laptops used by employees of the Germany-based bank, which had total assets of $285.3 billion as of January 2007.
"I don't subscribe to the all-or-nothing approach," Pfeil says.
His approach is to focus full disk encryption on high-risk users, identified by their jobs and how much they travel, and then to get the best management he can out of whichever product he settles on. Right now, he's looking at vendors such as PGP, Seagate Technology and SafeBoot.
Though cost has a lot to do with his decision not to do full disk encryption across the board, Pfeil also had to be careful not to do anything that might conflict with the IT infrastructure management his company has outsourced to HP. "With partners and a finite budget, a one-size-fits-all encryption approach doesn't work for us," he says.
With that in mind, he plans to choose a vendor by the end of the year and launch a pilot program.
"Don't rush into an encryption product out of fear of what's in the headline," he says. "If you move too fast and it turns out to be the wrong vendor, you're stuck with them."
Michael Cobb, founder and managing director of security consultancy Cobweb Applications Ltd., says there are other reasons some enterprises are leery of across-the-board full disk encryption. The technique can slow system performance, and encryption key and password management can be a problem, he says.
"With full disk encryption, only one key is used to encrypt the entire disk," he says. "Usually keys are stored on the local system, and their sole protection is typically the user's password or pass phrase. And we all know how weak they can be."
Eric Maiwald, vice president and service director for security and risk management strategies at the Burton Group, points out a reason to encrypt every laptop.
"If you allow sensitive information to be stored on mobile computers of any type, full disk encryption is a good idea because it can get you out of having to disclose that the computer was stolen," he says, noting that disclosure laws apply only when the data on a missing device is not encrypted.
With more than 217 million personal records lost or stolen in the U.S. over the last three years, many of them in laptop-related incidents, laptop protection has been a preoccupation for nearly as long. Timken's efforts, however, are nearly a decade old. Herbst says its first attempt at full hard drive encryption began early in 1999 as the company grew more concerned with protecting intellectual property. A year later, however, it became clear that hard drive hardware compatibility problems would limit the potential audience for full disk encryption, and the initial project was shelved by early 2001. In the interim, the company made do with more limited file and folder protection from PGP Corp.
The project was resurrected in early 2004, this time focusing on high-profile users. A year later the company decided to take another stab at putting full disk encryption on every laptop. Since authentication is such a critical factor in an encryption project, Timken had to first resolve its authentication policy issues and decide whether to use strong authentication, passwords, single sign-on or biometrics. Herbst would not disclose which form the company chose, but stressed that selection is the vital first step. He then corralled help from upper management, client services and global IT support departments as product evaluations began.
It took Timken about one quarter to review several vendors--including Pointsec (since acquired by Check Point), PGP, SafeBoot, Credant and PC Guardian--and eventually settle on Utimaco's SafeGuard Easy.
The disappearance or theft of company laptops with sensitive data has reached epidemic levels. Here are five recent examples:
Home Depot
Home Depot admits the names, home addresses and Social Security numbers of 10,000 employees were stored on a laptop stolen from the car of a company manager in Massachusetts. The computer was password protected, Home Depot says.
West Penn Allegheny Health System
West Penn Allegheny Health System says that 42,000 home care and hospice patients are at risk of identity theft after a laptop was stolen from the home of a home care nurse the month before.
U.S. Air Force
An Air Force band member reports a laptop missing from his home containing Social Security numbers, birth dates, addresses and telephone numbers of active and retired Air Force members. More than 10,000 members are affected by the loss.
Britain's Royal Navy
Britain's Defense Ministry admits a laptop housing personal information on about 600,000 people was stolen from an officer in the Royal Navy. The laptop contains information on new and potential recruits to the Royal Marines, Navy and Air Force such as doctors' addresses for applicants to the branches of the military, national insurance numbers, family and passport details, and bank details on at least 3,500 people.
Horizon Blue Cross/Blue Shield
Horizon Blue Cross/Blue Shield of Newark, N.J., reports a stolen laptop containing Social Security numbers and other personal information of more than 300,000 members. An employee who regularly works with member data had taken the laptop home.
--compiled by Bill Brenne
Utimaco SafeGuard Easy encrypts the whole disk automatically and transparently to the user, using AES with 256- or 128-bit keys among other algorithms. It generates keys dynamically from the pre-boot password rather than storing them on the disk, which makes the strength of that password the decisive factor. The disk stays protected through hibernation, and authentication is required to regain access to the laptop. Herbst says deployment was straightforward and the product is centrally managed.
"You have to be flexible and be willing to adjust the criteria as you learn the capabilities of the solutions available," he says. "We talked to many different vendors and found you can learn from them and that may lead you to change your criteria."
One big selling point for Herbst was a product's data and disk backup and recovery capabilities; another was compatibility with the company's IBM-Lenovo laptops. Lenovo is a Utimaco partner.
"Any special compatibility with that platform was a plus," he says.
Full deployment took 11 months and was completed in November 2006.
DEPLOYMENT AND DELIVERY
Herbst and his staff had to overcome some hiccups along the way--most notably, some compatibility issues.
"I crashed my test system several times when first working with the product, which I consider part of the learning curve with new, complex products," he says. Utimaco support was critical to overcoming these issues.
One problem with the test computers turned out to be a corrupt Windows Installer that was not obvious until the IT department started installing the Utimaco encryption.
Another discovery was that when running Microsoft Outlook in cached mode, as Timken does, Outlook would hang up the initial installation setup. Herbst learned that keeping Outlook off during installation cured that compatibility issue.
"I believe the lack of [major] compatibility problems was partly due to the nature of the product, which should be application transparent, and partly due to the extensive testing I performed before deployment to work out any implementation kinks like the Outlook conflict," Herbst says.
Herbst says he also created deployment packages for different user requirements and provided training for IT support personnel worldwide prior to deployment. From there, the client services department managed the deployment process.
Herbst hammered out a detailed 11-month deployment schedule in conjunction with the local IT shops in plants and offices throughout the world. High-profile personnel such as senior executives got the product first.
The encryption software was pushed to most machines via Microsoft's Systems Management Server (SMS). SMS installed the software, and an icon let users start the initial encryption pass at whatever time was most convenient for them. In most cases, the best time was shortly before leaving work.
"The user would double-click the icon to start the process," Herbst says. "The user was then able to shut down their laptop, take it home, power back up and let the encryption take place while they were eating dinner or sleeping." Deployment on each laptop took about two hours.
Herbst's staff tracked which users had performed the encryption and forced the issue if they had not completed it on a timely basis, he says. With the exception of the Outlook issue, users were able to continue working on their laptops while the initial encryption was taking place.
For some users and sites, local IT personnel preferred to manage the process instead of relying on Microsoft SMS and the end user to complete it, Herbst says, adding, "This was their choice as long as the process was completed according to schedule."
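The tracking step Herbst describes, as an added example that is not Timken's tooling or anything SMS ships: a small Go program that reduces a per-laptop encryption status export to the latest report per host, counts where the fleet stands, lists the hosts still to be chased, and separately flags hosts that were once reported encrypted and no longer are (a re-imaged machine comes back unencrypted and is the easiest one to miss). The export format, hostnames, users and dates are constructed for the example; a real SMS inventory report looks different and would need its own parser.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample of a per-laptop encryption status export: one line per
// report, as hostname,user,status,reported-on. The hostnames, users and dates
// are made up for this example; nothing here comes from Timken or from SMS.
const sampleReport = `
TKN-L1041,rherbst,encrypted,2006-09-12
TKN-L1042,asmith,in_progress,2006-09-30
TKN-L1042,asmith,encrypted,2006-10-02
TKN-L1043,bjones,not_started,2006-09-28
TKN-L1044,cwu,in_progress,2006-09-29
TKN-L1045,dlee,encrypted,2006-08-15
TKN-L1045,dlee,not_started,2006-10-05
`

// Report is one status line from the export.
type Report struct {
	Host, User, Status string
	When               time.Time
}

var validStatus = map[string]bool{"not_started": true, "in_progress": true, "encrypted": true}

// parseReports turns the export into Reports, rejecting malformed lines
// rather than silently skipping them: a host that drops out of the report
// is a host nobody chases.
func parseReports(text string) ([]Report, error) {
	var out []Report
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		if !validStatus[f[2]] {
			return nil, fmt.Errorf("line %d: unknown status %q", n+1, f[2])
		}
		when, err := time.Parse("2006-01-02", f[3])
		if err != nil {
			return nil, fmt.Errorf("line %d: %v", n+1, err)
		}
		out = append(out, Report{Host: f[0], User: f[1], Status: f[2], When: when})
	}
	return out, nil
}

// Summary is what the deployment team works from: how far along the fleet
// is, which hosts still need forcing, and which ones lost encryption again
// (for instance after a re-image) and must be re-done.
type Summary struct {
	Counts    map[string]int // latest status -> number of hosts
	ToChase   []string       // hosts whose latest status is not "encrypted"
	Regressed []string       // subset of ToChase that were encrypted in an earlier report
}

// Summarize reduces the export to the latest report per host and classifies each host.
func Summarize(text string) (Summary, error) {
	reports, err := parseReports(text)
	if err != nil {
		return Summary{}, err
	}
	// Oldest first; stable so same-day reports keep their export order.
	sort.SliceStable(reports, func(i, j int) bool { return reports[i].When.Before(reports[j].When) })
	latest := map[string]Report{}
	everEncrypted := map[string]bool{}
	for _, r := range reports {
		latest[r.Host] = r
		if r.Status == "encrypted" {
			everEncrypted[r.Host] = true
		}
	}
	s := Summary{Counts: map[string]int{}}
	for host, r := range latest {
		s.Counts[r.Status]++
		if r.Status != "encrypted" {
			s.ToChase = append(s.ToChase, host)
			if everEncrypted[host] {
				s.Regressed = append(s.Regressed, host)
			}
		}
	}
	sort.Strings(s.ToChase)
	sort.Strings(s.Regressed)
	return s, nil
}

func main() {
	s, err := Summarize(sampleReport)
	if err != nil {
		fmt.Println("bad export:", err)
		return
	}
	fmt.Println("status counts:", s.Counts)
	fmt.Println("chase:", s.ToChase)
	fmt.Println("regressed (re-encrypt):", s.Regressed)
}
```

On the sample, two hosts are done, three still need chasing, and TKN-L1045 shows up in the regressed list because an August "encrypted" report was superseded by an October "not_started". Keying the decision on the latest report per host is the point: a one-time list of who has clicked the icon goes stale the first time a laptop is rebuilt.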
Post-deployment, the software is transparent to the end user, consuming less than 2 percent of the laptop's CPU for its on-the-fly decryption and encryption; users have reported no noticeable performance impact since deployment was completed. New machines, meanwhile, are delivered encrypted, so users are unaware the encryption is there other than the authentication screen that appears when the laptop boots.
Utimaco deploys pre-boot authentication with SafeGuard Easy. Essentially, users are asked to log on and provide their authentication credentials before the laptop operating system is loaded, so the disk is not unlocked and Windows does not start until the user has authenticated; whoever boots a stolen laptop sees only that prompt. Pre-boot authentication supports passwords and tokens, Utimaco says.
"The only complaints we have received is when a hard drive hardware failure occurs and the data cannot be recovered because of the encryption," Herbst says. "Before we used hard-drive disk encryption, tools could easily extract most or all of the user files on a machine with a drive failure. When the hard-drive disk is encrypted, if the SafeGuard Easy tools cannot get access to the drive, the data is lost." This painful situation can easily be avoided if the user performs regular backups, though not all critical data is always backed up before a drive failure occurs, Herbst admits.
Otherwise, users are unaware of the degree to which their data is protected and the company's lifeblood intellectual property and customer data kept safe.