
There is only one thing worse than realising that you
have left your laptop in the back of a taxi. That is the
recollection that you have not encrypted any of the data on it -
including all of your contact information, your sensitive e-mails,
all of your online passwords, and that spreadsheet full of customer
names and addresses. That sort of situation spells trouble for your
customers, your company and, ultimately, for you.
Unfortunately, this kind of thing happens more often than you
would think, in both the public and private sectors. In January,
the government faced a storm of criticism after a
navy officer's
laptop containing the details of 600,000 people was stolen. The
data, including passport numbers, bank details and national
insurance numbers, was unencrypted. In December, the
DVLA lost discs en route to its headquarters in Swansea that
contained unencrypted information on 6,000 drivers. Of course,
the most serious event of all last year was the
loss of 25 million personal data records by Her Majesty's Revenue
& Customs - again, the data was stored unencrypted on CDs
that were lost in the post.
For governments, such transgressions can be politically
devastating, for private companies, they can be financially
disastrous. Last February, the
Nationwide Building Society was fined almost a million pounds by
the Financial Services Authority following the theft of a
laptop from an employee. The unencrypted data included details
of almost 11 million customers.
Why, after 50-odd years of enterprise computing and with the PC
nearing its 30th birthday, are we still not encrypting our storage
media systematically? One reason could be that high-profile data
breaches stemming from inadequate encryption have not traditionally
come to light. Whatever the reason, we are still very poor at
routine encryption of sensitive data. A 2007 study of UK encryption
policies from the Ponemon Institute showed that 55% of companies
had some type of encryption plan. That is a promising number, but
only 9% adopted encryption at a strategic level and enforced it on
an enterprise-wide basis. And yet in another Ponemon study,
examining the cost of UK data breaches in 2007, it was found that
36% of all breaches were caused by lost or stolen laptops or other
mobile storage devices. The average cost of data breaches in the UK
last year was £47 per compromised record, the report said.
Much of the discussion around encryption in the press of late
has concerned laptops and other mobile devices because of the
high-profile nature of those data breaches. "You used to have to
provide a financial argument for why you needed to do it," says
Miles Clement, senior research consultant at the
Information
Security Forum, who argues that the awareness and practice of
laptop encryption is growing. "But you do not need that financial
argument any more, because the fines of the regulators are so large
that the cost of implementation pales into insignificance."
Now, suppliers are starting to build encryption right into the
operating system. Apple has included its
FileVault
system since version 10.3 of Mac OS X, which encrypts the user's
home directory. Microsoft built
BitLocker
into certain editions of
Vista, enabling Windows
users to encrypt their hard drives, but competitors complain that
it does not encrypt the whole of the disc, but only encrypts the
primary volume. Lots of drives are partitioned into multiple
volumes, and users will inevitably store their data on the
unencrypted ones, warns Guy Bunker, who is responsible for
technical strategies in the security and data management group at
Symantec.
The other criticism of BitLocker, levelled by both Bunker and by
McAfee's group product marketing manager for data protection, Chris
Parkerson, is that Microsoft's technology is not manageable at an
enterprise level. However, this can be mitigated using third-party
products. For example, Utimaco offers enterprise-level
policy-based BitLocker protection using its SafeGuard security
management suite.
Symantec recently launched its own full disc encryption product
called Symantec Endpoint Encryption. The product is available in
two editions. One carries out full disc encryption on a
Windows-based machine. The other is a removable storage edition,
which encrypts data on everything from USB keys to CDs and
DVDs.
A cacophony of disc encryption products now exist for laptops.
In addition to Symantec's, McAfee offers its own Endpoint
Encryption software (formerly called SafeBoot), and Check Point has
one too. But the worry is that many of these products could be
compromised should an underlying flaw be found in their design or
implementation.
Enter Ed Felten, renowned security researcher and anti-DRM
advocate at Princeton University. Felten, in conjunction with the
Electronic Frontier Foundation (EFF), says he has discovered a flaw
in disc encryption technologies including BitLocker, FileVault and
other systems such as TrueCrypt. The flaw lies in the fact that
encryption keys are held in memory, and memory does not lose the
data that it contains straight away when power is turned off.
Felten's proposed attack exploits this idiosyncrasy, using a program
to collect the contents of a computer's memory after it has been
rebooted. Machines in sleep or hibernation mode are particularly
susceptible to an attack based on this vulnerability, suggests the
EFF.
"There are a couple of ways around this. Firstly, if you have a
hard token containing the key, then the key is held in that token,"
says Bunker, arguing that if the key is never held in the laptop's
RAM, it cannot be recovered later. "But if you are worried about an
attack, then do not put the computer into sleep mode." Microsoft
representatives have also pointed out that BitLocker can be married
with a USB key, and that sleep mode can be prohibited on Vista
clients. But perhaps the best solution would be for encryption
product suppliers to write zeros to the parts of memory where the
keys were stored when the machine goes to sleep, or use a hard
token.
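The attack and the mitigation described above, as an added example that is not code from the article or from the Princeton/EFF researchers: an AES-128 key schedule occupies 176 contiguous bytes of RAM in which every round key is derived from the previous one, so a memory image can be scanned for any 176-byte window that is internally consistent with the key expansion, which is how a captured dump yields the disc key. The "memory image" here is constructed in-process from seeded pseudo-random bytes with the FIPS-197 sample key expanded at an arbitrary offset; nothing reads real RAM, and the offset, seed and function names are this example's own assumptions.

```python
"""Cold-boot key recovery from a RAM image, and the scrub that defeats it.

Added example, not code from the article or the research it cites.  The
memory image is constructed from seeded pseudo-random bytes; no real RAM
is read.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox() -> list:
    # AES S-box from GF(2^8) inversion plus the affine map (FIPS-197 5.1.1),
    # generated rather than typed in so the table cannot contain a typo.
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                   # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def next_round_key(rk: bytes, rcon: int) -> bytes:
    """Derive round key r+1 from round key r (one AES-128 key-expansion step)."""
    w = [rk[i:i + 4] for i in range(0, 16, 4)]
    t = bytes(SBOX[b] for b in w[3][1:] + w[3][:1])  # RotWord + SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]                  # xor Rcon
    out = []
    for i in range(4):
        t = bytes(a ^ b for a, b in zip(w[i], t))
        out.append(t)
    return b"".join(out)


def expand_key(key: bytes) -> bytes:
    """The full 176-byte AES-128 key schedule, as an encryption driver keeps it in RAM."""
    sched = [bytes(key)]
    for r in range(10):
        sched.append(next_round_key(sched[-1], RCON[r]))
    return b"".join(sched)


def looks_like_schedule(window: bytes) -> bool:
    """True if 176 bytes are round-by-round consistent with AES-128 key expansion."""
    for r in range(10):
        if next_round_key(window[16 * r:16 * r + 16], RCON[r]) != window[16 * (r + 1):16 * (r + 2)]:
            return False
    return True


def find_aes128_keys(image: bytes) -> list:
    """Scan a memory image for key schedules; returns [(offset, 16-byte key), ...]."""
    hits = []
    for off in range(len(image) - 175):
        if looks_like_schedule(image[off:off + 176]):
            hits.append((off, bytes(image[off:off + 16])))
    return hits


def scrub(image: bytearray, off: int) -> None:
    """What the driver should do on suspend: overwrite the schedule in place.
    In a real driver this must be a memset the compiler cannot elide
    (explicit_bzero / SecureZeroMemory) and must cover every copy of the key."""
    image[off:off + 176] = bytes(176)


# Constructed scenario (assumption): a 4 KiB dump of pseudo-random data
# holding the expanded FIPS-197 sample key at an arbitrary offset.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_OFFSET = 1000


def build_image(seed: int = 7) -> bytearray:
    image = bytearray(random.Random(seed).randbytes(4096))
    image[KEY_OFFSET:KEY_OFFSET + 176] = expand_key(SAMPLE_KEY)
    return image


def demo() -> tuple:
    """Returns (keys found before the scrub, keys found after it)."""
    image = build_image()
    before = find_aes128_keys(image)
    scrub(image, KEY_OFFSET)
    return before, find_aes128_keys(image)


if __name__ == "__main__":
    before, after = demo()
    for off, key in before:
        print(f"key schedule at offset {off}: key = {key.hex()}")
    print(f"after scrub: {len(after)} schedule(s) found")
```

The scanner needs no knowledge of where the driver put the key: the redundancy of the expanded schedule identifies it wherever it lies, and the same structure is what lets the real tool tolerate the scattered bit errors of a decaying DRAM image. The scrub only helps if it runs before the machine suspends and reaches every copy of the key material, including the expanded schedule and any register spills; a hardware token that never releases the key to RAM sidesteps the problem entirely.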
Using policy settings to avoid sleep mode (or to require a
password to recover from it) could also solve some other problems
with full disc encryption. A machine with its data fully encrypted
sounds fine in theory, but if the machine is in sleep mode when it
is stolen, and does not require a password for recovery, then the
thief can act as a legitimate user and pilfer all the data he
wants. This is why encryption firm Steganos advocates file and
folder-level encryption. "We believe that file and folder-level
encryption is a more competent solution because it takes that extra
step," says CEO Aston Fallen. Files encrypted using the Steaganos
product are not visible using the standard Explorer program, and
must be decrypted using the Steganos interface to be accessed.
So, you have found an appropriate full disc encryption tool for
your user base, and are managing it properly across the company. Now,
what about your datacentre? Do not think unencrypted information on
your disc arrays is not a risk - thefts of equipment from
datacentres are rife. In 2006, Easynet had equipment stolen from
its London facility, and telecommunications carrier Verizon
experienced a similar theft last December, according to reports. If
unencrypted hard drives go missing from the server room, and they
contain sensitive information, it could constitute a major security
breach.
Encryption at the disc level has traditionally been a tough sell
in the datacentre, says Parkerson. "It is a space management
issue," he says, arguing that encryption algorithms will generally
increase data sizes. "The algorithms are turning the text into
ciphertext, and ciphertext by nature is larger in physical size
than the original data. On average, depending on the type of data
you are doing, it can be anything from 10% to 25% larger."
With the increasing amount of low-latency data being stored on
server hard drives (audio and video need to be played back without
any time lag), performance at the server level may also be an
issue, unlike at the desktop and laptop end, where dual-core
processors have largely solved that problem. With multiple users
accessing drives, the problem calls for hardware-based rather than
software-based encryption, Parkerson says.
Intel is preparing a technology called Danbury, reportedly due
in the second half of this year, which will add hardware-based
protection to the vPro platform targeted at desktop and laptop
machines. Hardware encryption at the server level, however, is
likely to happen within the disc drive itself. In October, Seagate
joined with other enterprise storage players including IBM and LSI
to develop an initiative for full disc encryption using ASICs
embedded in disc drives. Key management is being standardised for
interoperability purposes via the IEEE's 1619.3 specification.
That just leaves tape drives, and suppliers have been busy
working in that area too. Given the common practice of transporting
back-up tapes between physical locations using couriers, this is
particularly important. The LTO Consortium - a group developed by
IBM, HP and Quantum - developed an interoperability standard called
LTO4, which includes encryption technology directly in compliant
drives. However, legacy tape drives have a habit of sticking
around. For users of older equipment, a bolt-on device may be
necessary. nCipher, which makes its main revenue from
hardware-based encryption key management systems, also sells
CryptoStor, an appliance to encrypt data as it is written to tape,
which it acquired along with the original developer, NeoScale. "We
support the trend towards LTO4, but a lot of our customers still
have legacy environments," says Richard Moulds, vice-president of
marketing at nCipher.
With encryption becoming increasingly prevalent on the corporate
radar, the suppliers that sell this equipment stand to make some
healthy profits. As for the customers, they have little choice but
to implement these systems if they want to protect their own data,
and that of their customers. Done properly, encryption can choke
off many data criminals' activities at the neck. What is the point
of stealing data if you cannot read it?