Features

September 2007

SECURITY

Best practices for mobile defense

Several encryption methods are available, but training and planning are also important.

by Jeff Brownlow, Jonathan Dale and Nick LoFaso

News reports of laptops lost by U.S. federal government agencies, medical institutions, retailers and others have highlighted the risks of exposing unencrypted data on mobile devices. Costs include regulatory fines, massive expenses for notifying customers and employees that personal information has been exposed, and lasting damage to the organization’s reputation.

Statistics bear out these concerns: A survey by the Privacy Rights Clearinghouse found that 40 percent of data breaches in the private sector were due to laptop theft, and that in only 6 percent of these cases was data on the laptops encrypted. Implementing data-encryption technologies can be tricky, however. Deployments are often undermined by such problems as an incomplete understanding of the capabilities and limitations of the data-encryption solution selected; lack of the right personnel on the implementation team; and inadequate planning and testing during the rollout.

Many organizations run into trouble early because they do not explicitly analyze the objectives (and constraints) of their data-encryption project. A place to start is to clarify exactly what needs to be protected:

  • customer and employee records, financial information, business plans, research reports, software code;
  • laptops and mobile devices of key executives, the sales force and field consultants, all employees, contractors, business partners; and
  • USB thumb drives and other removable media.

Understanding compliance and corporate policy requirements from the beginning also is important, particularly those arising from HIPAA, PCI or other regulations, along with the best practices those regimes expect for protected information and data encryption.

Widely accepted federal standards such as FIPS 140-2 address topics like the control, distribution and management of encryption keys. Data encryption may be one means of enforcing those corporate policies, for example rules about what information employees are allowed to access and share, and how they are allowed to use USB thumb drives and other removable media.

Also important is understanding the limitations of data-encryption technologies so that unrealistic objectives are not established. Data encryption, for example, does not prevent employees from e-mailing sensitive data to outside parties, or protect data if a user signs onto a laptop and then walks away. It does not prevent a hacker, virus or file-sharing program from opening and transferring a sensitive file.

Data encryption is not a panacea for mobile security threats. It addresses the critical problem of data leakage from lost or stolen laptops and mobile devices. For other threats, look at complementary technologies like firewalls, zero-day threat-protection packages, and information protection or data loss prevention products.

Encryption technologies

There are three major data-encryption technologies on the market today. File or file/folder encryption products encrypt individual files selected by the user, or encrypt every file placed in folders designated by the user or by an administrator.

File/folder encryption solutions are relatively easy to implement, with few configuration decisions to be made. In addition, they fit seamlessly into most environments, because they do not conflict with patching systems, backup-and-recovery packages and other system software.

File/folder encryption products, however, rely to some extent on user actions like selecting files to encrypt or saving files to the designated folders. They also leave temporary files and swap space unencrypted, because applications and the operating system write those outside the designated folders, so plaintext copies of sensitive files can remain on the system. Finally, the IT staff can rarely prove that all sensitive files on remote systems have been properly encrypted.

Full disk encryption (FDE) solutions encrypt the entire contents of a disk or volume. This includes the operating system and applications, as well as data files. Typically, these solutions authenticate the user at boot time, denying access to unauthorized users.

FDE is simple to configure, since the only decision is what disks or volumes to encrypt. There is no dependency on users (except to remember their passwords). It also protects the operating system, temporary files and swap space, so there is near certainty that sensitive information is encrypted in all its forms while the machine is powered off.

There are also some potential shortcomings to FDE technology:

  • Encrypting the hard drive initially can be a lengthy process.
  • In some cases, the user will see slower performance.
  • FDE modifies the master boot record to load its own pre-boot authentication environment, which can make coexisting with disk-imaging and backup-and-recovery programs difficult.
  • The failure of some sectors on the disk drive can make recovering data more difficult, and if the sectors holding the encryption metadata or key material are damaged, the data cannot be recovered without a recovery key the administrator has escrowed.

New hybrid encryption or intelligent encryption products combine some of the characteristics of file/folder and FDE systems. Hybrid solutions resemble file/folder products in that they encrypt files selectively and do not encrypt the operating system or application software. This reduces the time required for the initial encryption and avoids performance issues.

In addition, they permit administrators to specify encryption for files of a certain type (e.g., spreadsheets and database files) and files produced by certain applications (e.g., financial and HR applications). This approach ensures that all files of these types are encrypted without relying on the user to save them to specific folders. Finally, hybrid solutions typically do not interfere with backup and recovery, patch management or strong authentication products.

Benefits of FDE software

To ensure all sensitive information is protected, however, staff needs to know what it is and where it resides. If it is not clear which files or file types contain confidential information, encrypting everything with an FDE product may be the safer choice. Also, in some situations there are benefits to having the extra level of pre-boot authentication provided with FDE software.

Identifying the scope and the constraints of the project will be necessary, including the time window available, the budget and the availability of staff resources. Limits in the budget or staff resources could provide a reason to select a particular data-encryption product or to call in the help of a consultant or a managed security services provider.

A typical data-encryption deployment involves multiple teams across the IT organization. Select a project team that includes members from the security group, the desktop group (or whoever is responsible for laptop hardware and software), the network administration group and subject matter experts in networking and firewalls.

Table 1

Allocate time and resources to integrating the data-encryption solution into the rest of the IT infrastructure. Changes to the infrastructure might include: changes in firewall and proxy server settings; adjustments to endpoint backup and recovery processes; and integration with Active Directory and other enterprise directories.

Many planners neglect to define success criteria for their projects. This task is necessary to limit scope creep during the course of the project and to justify the effort to management at the end.

Deciding what to encrypt is a critical step. For example, one hybrid product allows selectively encrypting data (e.g., spreadsheets, databases or temporary files), specific applications that handle sensitive data (e.g., an accounting application), files written to specific disk drives or removable media, and files associated with a specific user. This decision is affected both by the objectives of the project and by the capabilities of the product that is being implemented.
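As an added illustration (not code from the article or from any product), the following Python script contrasts the two decision models discussed above: a folder-based rule set of the kind a file/folder product uses, and a rule set keyed on file type, writing application, media and user of the kind a hybrid product uses. The write events, paths, application names and rule lists are constructed for the example. The point is to show which writes each model leaves in plaintext, including an application's temporary file and the page file, which only full disk encryption covers.

```python
"""Added example: folder-based versus hybrid encryption decisions.
All paths, process names, users and rules below are constructed for
illustration; they are not any product's policy format."""
from dataclasses import dataclass
from fnmatch import fnmatch
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class WriteEvent:
    path: str        # destination path of the file write
    process: str     # image name of the writing application
    user: str        # account performing the write
    removable: bool  # True when the destination volume is removable media


# File/folder model: only files saved under designated folders are encrypted.
FOLDER_RULES = [r"C:\Users\*\Documents\Finance\*", r"C:\Users\*\Documents\HR\*"]

# Hybrid model: encrypt by file type, writing application, media or user,
# wherever the file lands on disk (hypothetical rule set).
HYBRID_RULES = {
    "extensions": {".xls", ".xlsx", ".mdb", ".accdb"},
    "processes": {"excel.exe", "hrapp.exe"},
    "removable_media": True,
    "users": {"cfo"},
}


def folder_policy(ev: WriteEvent) -> bool:
    """True when a file/folder product would encrypt this write."""
    path = ev.path.lower()
    return any(fnmatch(path, pattern.lower()) for pattern in FOLDER_RULES)


def hybrid_policy(ev: WriteEvent) -> bool:
    """True when a hybrid product would encrypt this write."""
    if PureWindowsPath(ev.path).suffix.lower() in HYBRID_RULES["extensions"]:
        return True
    if ev.process.lower() in HYBRID_RULES["processes"]:
        return True
    if ev.removable and HYBRID_RULES["removable_media"]:
        return True
    return ev.user.lower() in HYBRID_RULES["users"]


# Constructed sample of file writes on one laptop during a session.
SAMPLE_EVENTS = [
    WriteEvent(r"C:\Users\alice\Documents\Finance\q3.xlsx", "excel.exe", "alice", False),
    # The spreadsheet application's scratch copy lands in the user's temp folder.
    WriteEvent(r"C:\Users\alice\AppData\Local\Temp\~DF3A1C.tmp", "excel.exe", "alice", False),
    WriteEvent(r"C:\Users\bob\Desktop\payroll.mdb", "explorer.exe", "bob", False),
    WriteEvent(r"E:\customers.txt", "explorer.exe", "bob", True),
    WriteEvent(r"C:\Users\cfo\Desktop\memo.txt", "notepad.exe", "cfo", False),
    WriteEvent(r"C:\Users\bob\Desktop\notes.txt", "notepad.exe", "bob", False),
    # The page file is written by the kernel; neither model covers it.
    WriteEvent(r"C:\pagefile.sys", "System", "SYSTEM", False),
]


def evaluate(events):
    """Map each path to (folder_model_encrypts, hybrid_model_encrypts)."""
    return {ev.path: (folder_policy(ev), hybrid_policy(ev)) for ev in events}


def left_in_plaintext(events, policy):
    """Paths that the given policy would not encrypt."""
    return [ev.path for ev in events if not policy(ev)]


if __name__ == "__main__":
    for path, (folder, hybrid) in evaluate(SAMPLE_EVENTS).items():
        print(f"{'folder' if folder else '      '} {'hybrid' if hybrid else '      '}  {path}")
```

Running the script shows the folder model encrypting only the workbook saved under the Finance folder, while the hybrid rules also catch the application's temporary copy, the database on the desktop, the file copied to removable media and the executive's memo. The page file is outside both models, which is the case the FDE discussion above is about.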

Also critical is verification that the data-encryption software is operating correctly at all times. Then, if a laptop is lost or stolen, there will be proof that sensitive data was encrypted. Regular “health checks” should be performed to make sure the software is operational and no one has tried to tamper with it, and the records should show when each laptop was last updated.

Mandatory requirements

In many environments, these capabilities are mandatory. The FIPS 140-2 standard requires a cryptographic module to run power-up self-tests, without operator intervention, that verify it is operating correctly. The Federal Trade Commission’s safeguards document states that companies must “check with software vendors regularly to get and install patches that resolve software vulnerabilities.” In many cases, the data-encryption software that is selected provides these verification capabilities.

Little or no action from end-users should be required to implement or update the solution, and users should not be able to change any encryption parameters or the way in which data encryption is applied to attached devices. Users should not be able to uninstall the software or delete program files, or to prevent the encryption software from executing.
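As an added example (not the article's or any vendor's code), the following Python script evaluates endpoint health-check reports against a policy of the kind the two preceding sections describe: a minimum agent version, a maximum check-in age, required volumes fully encrypted with protection on, the agent service running, and a hash of the local policy file matching what the server pushed, which catches a user altering encryption parameters. The report fields, thresholds, host names, dates and hash are assumptions constructed for the example.

```python
"""Added example: evaluate endpoint encryption health-check reports.
Report fields, thresholds, host names and the policy hash are constructed
for illustration and are not any vendor's schema."""
from datetime import datetime, timedelta, timezone
import hashlib

# Policy the management server enforces (assumed values).
MIN_AGENT_VERSION = (3, 2, 0)
MAX_CHECKIN_AGE = timedelta(days=7)
REQUIRED_VOLUMES = {"C:"}
# Hash of the policy file the server pushed; an endpoint reporting a different
# hash has had its local configuration altered.
EXPECTED_POLICY_SHA256 = hashlib.sha256(b"encrypt=all;removable=deny\n").hexdigest()
AS_OF = datetime(2007, 9, 15, 12, 0, tzinfo=timezone.utc)  # time of the review


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def check_host(report: dict, now: datetime = AS_OF) -> list:
    """Return the list of compliance findings for one host's report."""
    findings = []
    if parse_version(report["agent_version"]) < MIN_AGENT_VERSION:
        wanted = ".".join(str(n) for n in MIN_AGENT_VERSION)
        findings.append(f"agent {report['agent_version']} below minimum {wanted}")
    age = now - datetime.fromisoformat(report["last_checkin"])
    if age > MAX_CHECKIN_AGE:
        findings.append(f"no check-in for {age.days} days")
    if not report.get("service_running", False):
        findings.append("agent service not running")
    if report.get("policy_sha256") != EXPECTED_POLICY_SHA256:
        findings.append("policy hash mismatch (possible tampering)")
    seen = set()
    for vol in report.get("volumes", []):
        seen.add(vol["name"])
        if vol["state"] != "encrypted":
            findings.append(f"volume {vol['name']} state '{vol['state']}', not fully encrypted")
        if vol.get("protection") != "on":
            findings.append(f"volume {vol['name']} protection off")
    for missing in sorted(REQUIRED_VOLUMES - seen):
        findings.append(f"required volume {missing} not reported")
    return findings


def summarize(reports, now: datetime = AS_OF) -> dict:
    """Map host name to its findings (an empty list means compliant)."""
    return {r["host"]: check_host(r, now) for r in reports}


def noncompliant(reports, now: datetime = AS_OF) -> list:
    """Sorted host names that have at least one finding."""
    return sorted(h for h, f in summarize(reports, now).items() if f)


# Constructed sample reports, as agents might post them to the server.
SAMPLE_REPORTS = [
    {"host": "LT-0123", "agent_version": "3.2.1", "last_checkin": "2007-09-14T08:00:00+00:00",
     "service_running": True, "policy_sha256": EXPECTED_POLICY_SHA256,
     "volumes": [{"name": "C:", "state": "encrypted", "protection": "on"}]},
    {"host": "LT-0456", "agent_version": "3.1.9", "last_checkin": "2007-09-13T08:00:00+00:00",
     "service_running": True, "policy_sha256": EXPECTED_POLICY_SHA256,
     "volumes": [{"name": "C:", "state": "encrypted", "protection": "on"}]},
    {"host": "LT-0789", "agent_version": "3.2.1", "last_checkin": "2007-08-20T08:00:00+00:00",
     "service_running": True, "policy_sha256": EXPECTED_POLICY_SHA256,
     "volumes": [{"name": "C:", "state": "encrypting", "protection": "on"}]},
    {"host": "LT-1011", "agent_version": "3.2.1", "last_checkin": "2007-09-15T06:00:00+00:00",
     "service_running": False, "policy_sha256": "0" * 64,
     "volumes": [{"name": "C:", "state": "encrypted", "protection": "off"}]},
    {"host": "LT-1213", "agent_version": "3.2.1", "last_checkin": "2007-09-14T08:00:00+00:00",
     "service_running": True, "policy_sha256": EXPECTED_POLICY_SHA256,
     "volumes": [{"name": "D:", "state": "encrypted", "protection": "on"}]},
]


if __name__ == "__main__":
    for host, findings in summarize(SAMPLE_REPORTS).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

The stale host (LT-0789) is the case the text warns about: its last report claimed the disk was still encrypting, and nothing newer exists, so there is no proof that the data was protected if the laptop goes missing. The host with a wrong policy hash and a stopped service (LT-1011) is the tampering case; a report of that kind should trigger a ticket rather than wait for the next scheduled review.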

Strongly recommended is running an “alpha test” at this stage of the process, deploying the solution on a limited number of laptops belonging to the IT staff. This often uncovers critical issues like incompatibilities between the data-encryption package and other software being used in the organization.

Start the rollout itself with a “beta test” of 10 to 30 non-IT employees using standard corporate images. This testing will uncover any remaining technical problems, as well as issues related to user understanding and acceptance.

Next, roll out the solution to the rest of the organization in phases. If deploying a file/folder encryption or hybrid encryption solution, another approach would be to encrypt only a few critical files or types of files, and then ramp up to encrypting all of the targeted files.

Finally, provide a written report to management that describes the results of the process and compares them with the success criteria determined at the beginning of the process.

Jeff Brownlow is director of customer engineering, Jonathan Dale is product manager and Nick LoFaso is customer engineer for Fiberlink Communications, Blue Bell, Pa.