Encryption for all

Protecting your hard drives will help keep your company from getting snakebit by security breaches

It’s hard to review a newspaper or security mail list these days without reading yet another story about some slack company losing other people’s financial and identity information. Either the information was compromised from poorly protected servers, stolen laptops, or misplaced portable media.

The latter two issues are easy to prevent: All confidential information should be encrypted when stored on portable computers and media, including backup media. Actually, all confidential data should be protected, but I’m assuming your nonportable assets and media have other offsetting controls.

Although no federal laws or guidelines require encryption to protect confidential information, disk or data encryption is the easiest way to prevent unauthorized access. If your company stores confidential data on said equipment or media, follow these rules:

1. Create a data encryption information policy and educate employees.

2. Select and use a proven and secure encryption software product.

3. Enable automatic encryption of data or the media it resides on.

4. Ensure that the password, passphrase, or secret key used to protect the data is nontrivial and stored securely.

5. Create and maintain a key escrow program so that encrypted data can be recovered if the main user loses the key.

That’s it. Following this advice will go a long toward protecting confidential information if the portable computer or media gets lost or stolen. How nice it would be for your company to not have to report lost information to its customers, government, and the media.

The hardest choices will be what to encrypt and what product to use. You can encrypt the entire media or just the data. Encrypting the entire media is a better choice because application software often leaves plain-text remnants of crypto-text in unprotected areas. An attacker using a bit-level analysis tool could extract the plain-text remnants.

As for encryption products, there are dozens and dozens to choose from. My advice is to select a vendor that has stood the test of time and has undergone third-party and expert review.

Here are my suggestions for some good products to review. (To figure out which products to avoid, you can’t go wrong by querying any Internet search engine with the words "Bruce Schneier dog house." Bruce, CTO of Counterpane Internet Security, routinely points out questionable crypto products in his Crypto-Gram newsletter.)

Phil Zimmerman’s PGP (Pretty Good Privacy) product is still around in both free and commercial forms. GnuPG is an excellent product that supports Linux, Unix, Windows, Mac, and Risc platforms. Make sure you get latest Version, patched to close the vulnerability reported in early March.

The International PGP Home Page has free versions of PGP for more than 12 different OSes, including Atari, Palm, and EPOC. If you need commercial support, PGP Corp. provides products for Windows, Mac, and BlackBerrys. The OpenPGP Alliance is another good resource for other PGP products and links.

Apple’s OS X comes with FileVault, which uses 128-bit AES symmetric encryption. It protects files in user’s home directories, and it allows a master key to be set computerwide in case the original user cannot log on to recover the files.

Microsoft’s EFS (Encryption File System) has been available since Windows 2000. Although it has lots of critics, EFS really is good encryption. Unfortunately, you can’t use it to encrypt the entire disk-only files and folders -- and even then, not system files.

However, the two upper-level enterprise versions of Windows Vista will include a disk-encryption program called BitLocker. BitLocker will encrypt the entire system volume, including system and hibernation files. Users can then tap EFS to protect other volumes or files.

Configurable through group policy, EFS uses 128- and 256-bit AES keys, which can be stored offline or on a motherboard chip called the TPM (Trusted Platform Module). TPM requires a Trusted Computing Group-compliant motherboard, chip set, and BIOS. The recovery password can be saved to a folder, saved to one or several USB keys, or just sent to printer. A domain administrator can also configure group policy to automatically generate recovery passwords and transparently escrow them to Active Directory.

As with EFS and FileVault, the security of the OS still relies on using and securing a strong log-on password. BitLocker can be used in conjunction with a PIN, USB, or smart card multifactor authentication to increase security even more -- no more booting around Windows with a Linux boot disk to steal passwords or data.

Another commercial product I like is GuardianEdge Technologies’ Encryption Plus. It does what BitLocker does, including key escrow and group policy management -- although it doesn’t use a TPM chip. It can also encrypt data on CD-ROMs, DVDs, and PDAs, all of which should be included in any comprehensive enterprise encryption plan.

No matter what the solution, your company should require that all confidential data on portable computers and media be encrypted by default, before you find yourself ending up on the 6 o’clock news.

Copyright © 2006 IDG Communications, Inc.

How to choose a low-code development platform