SECURITY
Best practices for mobile defense
Several encryption methods are available, but training and planning are also important.
by Jeff Brownlow, Jonathan Dale and Nick LoFaso
News reports of laptops lost by U.S. federal government agencies, medical institutions, retailers and others have highlighted the risks of exposing unencrypted data on mobile devices. Costs include regulatory fines, massive expenses for notifying customers and employees that personal information has been exposed, and lasting damage to the organization’s reputation.
Statistics bear out these concerns: a survey by the Privacy Rights Clearinghouse found that 40 percent of data breaches in the private sector were due to laptop theft, and that in only 6 percent of these cases was data on the laptops encrypted. Implementing data-encryption technologies can be tricky, however. Deployments are often undermined by such problems as an incomplete understanding of the capabilities and limitations of the data-encryption solution selected; lack of the right personnel on the implementation team; and inadequate planning and testing during the rollout.
Many organizations run into trouble early because they do not explicitly analyze the objectives (and constraints) of their data-encryption project. A place to start is to clarify exactly what needs to be protected:
- customer and employee records, financial information, business plans, research reports, software code;
- laptops and mobile devices of key executives, the sales force and field consultants, all employees, contractors, business partners; and
- USB thumb drives and other removable media.
Understanding compliance and corporate policy requirements from the beginning is also important, particularly those related to HIPAA, PCI or other regulations. The requirements and expected best practices that apply to protected information and data encryption also need to be understood.
Widely accepted federal standards such as FIPS 140-2 address topics like the control, distribution and management of encryption keys. Data encryption may be one means of enforcing the policies, for example, rules about what information employees are allowed to access and share, and how they are allowed to use USB thumb drives and other removable media.
Also important is understanding the limitations of data-encryption technologies so that unrealistic objectives are not established. Data encryption, for example, does not prevent employees from e-mailing sensitive data to outside parties, or protect data if a user signs onto a laptop and then walks away. It does not prevent a hacker, virus or file-sharing program from opening and transferring a sensitive file.
Data encryption is not a panacea for mobile security threats. It addresses the critical problem of data leakage from lost or stolen laptops and mobile devices. For other threats, look at complementary technologies like firewalls, zero-day threat-protection packages, and information protection or data loss prevention products.
Encryption technologies
There are three major data-encryption technologies on the market today. The first, file or file/folder encryption, encrypts files selected by the user, or encrypts all files placed in folders specified by either the user or an administrator.
File/folder encryption solutions are relatively easy to implement, with few configuration decisions to be made. In addition, they fit seamlessly into most environments, because they do not conflict with patching systems, backup-and-recovery packages and other system software.
File/folder encryption products, however, do rely to some extent on user actions like selecting files to encrypt or saving files to selected folders. These technologies also do not encrypt temporary files and swap space, so copies of sensitive files can be found on the system in an unencrypted state. Finally, the IT staff can rarely prove that all sensitive files on remote systems have been properly encrypted.
Full disk encryption (FDE) solutions encrypt the entire contents of a disk or volume. This includes the operating system and applications, as well as data files. Typically, these solutions authenticate the user at boot time, denying access to unauthorized users.
FDE is simple to configure, since the only decision is what disks or volumes to encrypt. There is no dependency on users (except to remember their passwords). It also protects the operating system, temporary files and swap space, so there is virtual certainty that sensitive information is encrypted in all its forms.
There are also some potential shortcomings to FDE technology:
- Encrypting the hard drive initially can be a lengthy process.
- In some cases, the user will see slower performance.
- Encrypting the master boot record can make coexisting with backup-and-recovery programs difficult.
- The failure of some sectors on the disk drive can make recovering data more difficult.
New hybrid encryption or intelligent encryption products combine some of the characteristics of file/folder and FDE systems. Hybrid solutions resemble file/folder products in that they encrypt files selectively and do not encrypt the operating system or application software. This reduces the time required for the initial encryption and avoids performance issues.
In addition, they permit administrators to specify encryption for files of a certain type (e.g., spreadsheets and database files) and files produced by certain applications (e.g., financial and HR applications). This approach ensures that all files of these types are encrypted without relying on the user to save them to specific folders. Finally, hybrid solutions typically do not interfere with backup and recovery, patch management or strong authentication products.
Benefits of FDE software
To ensure all sensitive information is protected, however, staff needs to know what it is and where it resides. If it is not clear which files or file types contain confidential information, encrypting everything using an FDE product may be safer. Also, in some situations there are benefits to having the extra level of authentication provided with FDE software.
Identifying the scope and the constraints of the project will be necessary, including the time window available, the budget and the availability of staff resources. Limits in the budget or staff resources could provide a reason to select a particular data-encryption product or to call in the help of a consultant or a managed security services provider.
A typical data-encryption project involves multiple teams across the IT organization. Select a project team that includes members from the security group, the desktop group (or whoever is responsible for laptop hardware and software), the network administration group and subject matter experts in networking and firewalls.

Allocate time and resources to integrating the data-encryption solution into the rest of the IT infrastructure. Changes to the infrastructure might include: changes in firewall and proxy server settings; adjustments to endpoint backup and recovery processes; and integration with Active Directory and other enterprise directories.
Many planners neglect to define success criteria for their projects. This task is necessary to limit scope creep during the course of the project and to justify the effort to management at the end.
Deciding what to encrypt is a critical step. For example, one hybrid product allows selectively encrypting data (e.g., spreadsheets, databases or temporary files), specific applications that handle sensitive data (e.g., an accounting application), files written to specific disk drives or removable media, and files associated with a specific user. This decision is affected both by the objectives of the project and by the capabilities of the product that is being implemented.
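The hybrid-product rules described here (encrypt by file type, by producing application, by removable media and by user, while leaving operating-system and application files in the clear) can be modelled as a small policy engine. The following is an added illustration written for this article, not any vendor's product or code; the rule values, application names ("ledgerapp", "hrsuite") and file events are all constructed.

```python
"""Hypothetical policy engine modelling the 'intelligent encryption' rules the
article describes (encrypt by file type, by producing application, by
removable media and by user). Added illustration, not any vendor's product;
all rule values and file events below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass(frozen=True)
class FileEvent:
    """One file write as an endpoint agent might observe it (constructed)."""
    path: str
    owner: str
    producing_app: str
    removable: bool = False   # written to USB or other removable media


@dataclass
class EncryptionPolicy:
    """Administrator-defined rules; any single matching rule triggers encryption."""
    extensions: set[str] = field(default_factory=set)    # e.g. spreadsheets, databases
    applications: set[str] = field(default_factory=set)  # e.g. accounting, HR apps
    users: set[str] = field(default_factory=set)         # e.g. executives, sales staff
    encrypt_removable_media: bool = True
    # OS and application binaries are left in the clear, as hybrid products do.
    excluded_prefixes: tuple[str, ...] = (
        "c:/windows", "c:/program files", "/usr", "/lib", "/bin",
    )

    def decide(self, ev: FileEvent) -> tuple[bool, list[str]]:
        """Return (encrypt?, reasons). The reasons list makes each decision auditable."""
        norm = ev.path.replace("\\", "/").lower()
        if any(norm.startswith(p) for p in self.excluded_prefixes):
            return False, ["excluded: operating system or application files"]
        reasons: list[str] = []
        suffix = PurePosixPath(norm).suffix
        if suffix in self.extensions:
            reasons.append(f"file type {suffix}")
        if ev.producing_app.lower() in self.applications:
            reasons.append(f"application {ev.producing_app}")
        if ev.owner.lower() in self.users:
            reasons.append(f"user {ev.owner}")
        if ev.removable and self.encrypt_removable_media:
            reasons.append("removable media")
        return bool(reasons), reasons


def files_to_encrypt(policy: EncryptionPolicy, events: list[FileEvent]) -> list[str]:
    """Paths the policy would encrypt, in event order; useful for a coverage review."""
    return [ev.path for ev in events if policy.decide(ev)[0]]


# Constructed sample policy: spreadsheets, databases, CSV exports and temp files by
# type; two hypothetical back-office applications; the CFO's files regardless of type.
POLICY = EncryptionPolicy(
    extensions={".xlsx", ".xls", ".mdb", ".accdb", ".csv", ".tmp"},
    applications={"ledgerapp", "hrsuite"},        # hypothetical application names
    users={"cfo"},
)

# Constructed sample events.
SAMPLE_EVENTS = [
    FileEvent("C:/Users/asmith/Documents/q3-forecast.xlsx", "asmith", "Excel"),
    FileEvent("C:/Users/asmith/AppData/Local/Temp/~wrd1234.tmp", "asmith", "Excel"),
    FileEvent("E:/export.csv", "bjones", "Notepad", removable=True),
    FileEvent("C:/Program Files/Vendor/app.exe", "system", "Installer"),
    FileEvent("C:/Users/bjones/notes.txt", "bjones", "Notepad"),
    FileEvent("C:/Users/cfo/Desktop/plan.docx", "cfo", "Word"),
    FileEvent("C:/Users/hr1/report.pdf", "hr1", "HRSuite"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        encrypt, why = POLICY.decide(ev)
        state = "ENCRYPT" if encrypt else "plain  "
        print(f"{state} {ev.path}  ({'; '.join(why) or 'no rule matched'})")
```

Returning the matched reasons alongside the decision is the point of the design: it is what lets IT later show which rule covered a given file, which the article notes file/folder products cannot do when coverage depends on the user. Note that the `.txt` file written by a non-listed user and application stays in the clear; a policy review should ask whether that is intended.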
Also critical is verification that the data-encryption software is operating correctly at all times. Then, if a laptop is lost or stolen, there will be proof that sensitive data has been encrypted. Regular “health checks” should be performed to make sure the software is operational and no one has tried to tamper with it. It should also be verified when each laptop was last updated.
Mandatory requirements
In many environments, these capabilities are mandatory. The FIPS 140-2 standard specifically requires user-independent verification that the software is operational. The Federal Trade Commission’s safeguards document states that companies must “check with software vendors regularly to get and install patches that resolve software vulnerabilities.” In many cases, the data-encryption software that is selected provides these verification capabilities.
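The “health checks” and user-independent verification called for in the two passages above amount to a recurring comparison of what each laptop reports against what the management server knows to be correct. The following added example, written for this article and not any product's console, shows one such check over constructed agent check-in records: every volume still encrypted, the agent service running, the agent binary's hash unchanged, the software at the current version, and the laptop still checking in at all. The report format, hostnames, version numbers and hash values are all constructed placeholders.

```python
"""Hypothetical fleet 'health check' over endpoint agent reports, illustrating
the verification the article calls for: every volume still encrypted, the agent
service running and untampered, and the software up to date. Added example,
not any product's console; report format, hashes and hosts are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AgentReport:
    """What a constructed endpoint agent reports at each check-in."""
    hostname: str
    reported_at: datetime
    volumes_encrypted: dict[str, bool]   # volume -> fully encrypted?
    service_running: bool
    agent_version: str
    agent_hash: str                       # hash of the agent binary on disk


# Values the management server knows to be correct (placeholders, constructed).
EXPECTED_AGENT_HASH = "sha256:PLACEHOLDER-known-good-agent-hash"
CURRENT_AGENT_VERSION = "4.2.1"
MAX_REPORT_AGE = timedelta(days=7)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def health_check(report: AgentReport, now: datetime) -> list[str]:
    """Return a list of findings; an empty list means the laptop is compliant."""
    findings: list[str] = []
    age = now - report.reported_at
    if age > MAX_REPORT_AGE:
        findings.append(f"no check-in for {age.days} days (limit {MAX_REPORT_AGE.days})")
    unencrypted = sorted(v for v, ok in report.volumes_encrypted.items() if not ok)
    if unencrypted:
        findings.append("unencrypted volumes: " + ", ".join(unencrypted))
    if not report.service_running:
        findings.append("encryption service not running (possible tampering)")
    if report.agent_hash != EXPECTED_AGENT_HASH:
        findings.append("agent binary hash mismatch (possible tampering)")
    if parse_version(report.agent_version) < parse_version(CURRENT_AGENT_VERSION):
        findings.append(f"agent out of date: {report.agent_version} < {CURRENT_AGENT_VERSION}")
    return findings


def fleet_exceptions(reports: list[AgentReport], now: datetime) -> dict[str, list[str]]:
    """Hosts that fail any check, with their findings. The proof of encryption for a
    lost laptop is the absence of such findings at its last check-in."""
    return {r.hostname: f for r in reports if (f := health_check(r, now))}


NOW = datetime(2007, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time
REPORTS = [  # constructed sample check-ins
    AgentReport("lt-001", NOW - timedelta(days=1), {"C:": True}, True,
                "4.2.1", EXPECTED_AGENT_HASH),
    AgentReport("lt-002", NOW - timedelta(days=1), {"C:": True, "D:": False}, True,
                "4.2.1", EXPECTED_AGENT_HASH),
    AgentReport("lt-003", NOW - timedelta(days=20), {"C:": True}, True,
                "4.2.1", EXPECTED_AGENT_HASH),
    AgentReport("lt-004", NOW - timedelta(days=2), {"C:": True}, False,
                "4.1.0", "sha256:PLACEHOLDER-unexpected-hash"),
]

if __name__ == "__main__":
    for host, findings in fleet_exceptions(REPORTS, NOW).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

The stale-report check matters as much as the others: a laptop that has stopped checking in cannot be shown to be encrypted at the moment it goes missing, so the exception list, not the last good report, is what an auditor should be shown. Each finding is a plain string so the same output can feed a ticketing system or the written report to management.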
Little or no action from end-users should be required to implement or update the solution, and users should not be able to change any encryption parameters or the way in which data encryption is applied to attached devices. Users should not be able to uninstall the software or delete program files, or to prevent the encryption software from executing.
Running an “alpha test” at this stage of the process is strongly recommended: deploy the solution on a limited number of laptops belonging to the IT staff. This often uncovers critical issues like incompatibilities between the data-encryption package and other software being used in the organization.
Start the rollout itself with a “beta test” of 10 to 30 non-IT employees using standard corporate images. This testing will uncover any remaining technical problems, as well as issues related to user understanding and acceptance.
Next, roll out the solution to the rest of the organization in phases. If deploying a file/folder encryption or hybrid encryption solution, another approach would be to encrypt only a few critical files or types of files, and then ramp up to encrypting all of the targeted files.
Finally, provide a written report to management that describes the results of the process and compares them with the success criteria determined at the beginning of the process.
Jeff Brownlow is director of customer engineering, Jonathan Dale is product manager and Nick LoFaso is customer engineer for Fiberlink Communications, Blue Bell, Pa.