HM Revenue and Customs (HMRC) is implementing disk encryption as part of a laptop refresh programme following a pilot rollout using 300 laptops.
HMRC will use Becrypt DISK Protect, which has been certified by the CESG, the UK Government's National Technical Authority for Information Assurance (IA).
According to HMRC, the pilot demonstrated that Becrypt would provide simplified, faster deployment and centralised management.
Stewart Weston-Lewis, Head of Service Design at HMRC, explained: “We considered a need/use case and believe that CPA [CESG Commercial Product Assurance Scheme] is appropriate for these devices where we would have traditionally defaulted to the CAPS solution (CESG Assisted Products Service). The security is appropriate for the protective marking of these devices.”
By using the CPA-approved Becrypt product, HMRC was able to avoid the cost of deploying a bespoke CESG encryption program, saving the department £2.4m.
The department spectacularly lost two disks in 2007 containing 15,000 personal records, leading to a rethink of IT security and the need to use encryption to obscure confidential information.
Weston-Lewis commented: “Being able to deploy Becrypt DISK Protect CPA has not only saved HMRC £2.4m in deployment costs, it has provided a much improved user experience, and will enable us to manage laptops centrally, with all the further savings that that implies. We now have a security solution which is commensurate with the risk posed.”
HMRC can deploy laptops more quickly because the Becrypt encryption software can be installed in-house. Key material is generated by the Becrypt software, which reduces waiting time and simplifies management of the keys.
CPA is a less stringent specification than CAPS.
The CESG said, “CPA promotes the use of 'commercial off the shelf' products which require no bespoke modification to be used in government. These products are tested against published security characteristics which define what good looks like from a security perspective.” The CAPS specification is for bespoke developments for government requiring special considerations at implementation.
CPA products are for use in lower-threat environments, when confidence in good commercial practice is required, the CESG explained. High-threat situations would normally merit the use of CAPS-approved products. However, the CESG added: “It is our expectation that most of government and UK public sector needs will be met by appropriate assured commercial products.”
The Becrypt product encrypts files in the background while the user is still using the machine. It provides centralised key management for encryption keys.