A recent poll by vendor Credant Technologies Inc. found that 88% of employee laptops carry sensitive information; everything from patient, customer and employee records to intellectual property, financial data and passwords. Between business risks, security breach headlines and regulatory compliance, companies have plenty of motivation to use encryption as a last line of defense against data leaks that result from laptop theft or loss. But which laptop encryption approach would work best for your company's workforce?
Encrypted password databases
Programs that selectively encrypt usernames, passwords, account numbers and related tidbits have been available for years. Consumers who do not already encrypt their personal data should seriously consider free programs like Password Safe and KeePass. But this ad hoc approach is of little utility to employers because it depends on inherently unreliable users to decide what should be encrypted and when. It cannot ensure that sensitive data always gets protected, and thus cannot prove that private data was never exposed.
File and folder encryption
To meet those needs, most businesses will choose IT-administered stored data protection, based on file/folder encryption, full-disk encryption or some combination thereof. File/folder encryption is also selective, but encrypts files automatically, based on defined attributes like file location (e.g., folder), file type (e.g., spreadsheets) or source application (e.g., everything Excel touches).
For example, the Windows Encrypting File System (EFS) is Microsoft's basic file/folder encryption tool. It can be centrally activated by using Active Directory Group Policy Objects to encrypt specified files or folders. However, EFS still relies on sensitive data being written into protected locations, and cannot stop users from copying encrypted files to unencrypted locations (e.g., thumb drives).
More sophisticated file/folder encryption products do more. For example, some offer stronger policies that make data leakage less likely, provide reports that document compliance after a laptop goes missing and can apply a consistent encryption platform and policy to heterogeneous devices, e.g. PCs, PDAs and removable storage.
For general purpose computers, the other popular approach is to simply encrypt everything stored on a physical disk or a logical volume. The goal is to ensure that nothing is ever written to storage without being encrypted. That includes not only sensitive user data, but also application and operating system files.
An example of volume encryption is the BitLocker feature in Windows Vista. It divides a PC's boot drive into an unencrypted boot volume and an encrypted operating system volume, which is unlocked and verified at boot time using a Trusted Platform Module (TPM) chip, USB key or recovery passphrase. But data written to non-OS volumes is still unprotected, although it can optionally be encrypted using EFS.
More comprehensive full-disk encryption (FDE) scrambles the entire hard drive's contents, including boot sectors, swap files, OS files and user data. Authentication, encryption, provisioning and reporting capabilities vary, but enterprise FDE products offer features like Windows single sign-on and central logging for security audit and compliance reporting.
The main weakness of file/folder encryption is the possibility of data leakage. So why doesn't everyone use full-disk encryption? For starters, encrypting an entire disk can take hours -- not including the time required to make a full system backup first. Thereafter, all data will be encrypted "on the fly," slowing overall system performance to some (not necessarily noticeable) degree.
Some FDE pre-boot authentication methods interfere with other programs that may also be used on the protected system, from asset-tracking products to sign-on processes that modify the Windows graphical identification and authentication library (GINA). Moreover, desktop administration, patching and auditing tools and practices may be affected, since they cannot unlock encrypted system files without the user's credentials. If a protected system is corrupted or damaged, data recovery can be similarly affected. Finally, when routine backups are created, it's wise to encrypt those too.
Combining methods can enable an organization to obtain the best of both worlds. For example, use file/folder encryption on less capable devices like PDAs, while applying FDE to laptops. Applying both methods to the same device might seem like overkill, but it is a viable option, particularly for mobile users who carry regulated data. FDE offers foolproof protection against device loss or theft, while file/folder encryption can protect sensitive user data without obscuring files that IT requires to perform maintenance and recovery tasks.
Of course, the decision will also be influenced by workforce size and budget, privacy needs, risk tolerance and company politics. For more about deployment considerations, best practices, and enterprise experiences with laptop encryption, I recommend the following:
- "Emerging Technologies," Information Security Magazine, July/August 2007
- "Implementation Advice for Mobile Data Protection," Gartner, March 2007
- "Securing Laptops with Full Disk Encryption," IDC, January 2007
About the author:
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.