Federal government pushes full-disk encryption

Businesses need to follow the federal government's lead in reducing data breaches by holding employees responsible and examining full-disk encryption (FDE) products.


Behind the firewall with Dennis Fisher: It's not often that anyone points to the federal government as a role model for security. Government employees in the last 18 months have shown an alarming talent for finding new and creative ways to disclose personal information about active-duty military personnel, veterans and everyday citizens. They leave laptops and desktops lying around for thieves to pilfer, they take home massive amounts of sensitive data in order to work on side projects, and they fail to fix software flaws that make their systems easy targets for attackers.


But all of those problems, as messy as they are, have actually led to something good. As a result of a mandate from President Bush, the federal government is in the middle of a massive evaluation of full-disk encryption (FDE) products. At the end of the process, all government-owned laptops and mobile devices will have their entire hard drives encrypted. This is clearly a knee-jerk reaction to all of the recent incidents, but unlike most ideas that come out of such situations, it's actually a good one.

The idea of encrypting all of the data on a laptop may well be the digital equivalent of using a shotgun to kill a fly, but it saves users and managers from having to pick and choose which files need to be encrypted. That process would almost certainly turn into a bureaucratic black hole, from which no logic could escape. By going the FDE route, the government takes those questions, as well as the inevitable recriminations when something goes wrong, out of the equation: if the whole disk is encrypted, no one has to decide after the fact whether the lost file counted as sensitive.

The government's evaluation is essentially an open casting call to all of the FDE vendors out there, and comes with a lengthy list of requirements. One of the prerequisites is that the product be able to perform key escrow. The idea is anathema to most security and privacy advocates because it means that a copy of the encryption key, or a recovery key that can unwrap it, is held by someone other than the user. That's not going to fly with individual users, but the government is a different animal and has a legitimate need to ensure that encrypted data does not become unrecoverable at some point down the road, whether because an employee forgets a passphrase, leaves the agency, or is the subject of an investigation.
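The escrow requirement maps onto how FDE products actually handle recovery: the disk is encrypted under a random volume master key, and that key is stored wrapped under the user's passphrase and, separately, under an escrow or recovery key the organisation holds. The escrow copy therefore unlocks the disk without revealing the user's passphrase, and a forgotten passphrase can be reset without re-encrypting a single sector. The Go program below is an added illustration of that header layout; it is not code from the column or from any product in the government's evaluation. The type and function names (Header, NewHeader, Unlock, Recover, ResetPassphrase), the two-slot layout, the sample passphrases and the fixed demo escrow key are assumptions made for the example, and the passphrase KDF is a salted HMAC standing in for the slow, memory-hard KDF a real product would use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Header is the part of an FDE volume header that holds the wrapped volume master key (VMK).
// The VMK is never stored in clear; each slot holds it sealed under one unlocking key.
type Header struct {
	Salt  []byte            // salt for the passphrase KDF
	Slots map[string][]byte // "user" and "escrow": nonce || AES-256-GCM(VMK)
}

// must turns programming errors (wrong key length, broken RNG) into panics, so the only
// error the API surfaces is the one that matters at runtime: a failed GCM tag check.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// kdf turns a passphrase into a 32-byte key-encryption key. A salted HMAC keeps the example inside
// the standard library; a real product puts a slow, memory-hard KDF (scrypt, Argon2) here instead.
func kdf(passphrase string, salt []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(passphrase))
	return mac.Sum(nil)
}

// aeadFor builds AES-256-GCM for a 32-byte key-encryption key.
func aeadFor(kek []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(kek))))
}

// wrap seals the VMK under a key-encryption key; output is nonce || ciphertext || tag.
func wrap(kek, vmk []byte) []byte {
	gcm := aeadFor(kek)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, vmk, nil)
}

// unwrap reverses wrap. A wrong KEK fails the GCM tag check, so a bad passphrase is
// rejected instead of quietly yielding garbage.
func unwrap(kek, blob []byte) ([]byte, error) {
	gcm := aeadFor(kek)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("wrapped key too short: %d bytes", len(blob))
}

// NewHeader draws a random VMK and stores it twice: under the passphrase-derived key and under the
// organisation's escrow key. The clear VMK is returned only so callers can check both paths yield it.
func NewHeader(passphrase string, escrowKey []byte) (*Header, []byte) {
	buf := make([]byte, 48) // 32-byte VMK followed by a 16-byte KDF salt
	must(rand.Read(buf))
	vmk, salt := buf[:32], buf[32:]
	return &Header{Salt: salt, Slots: map[string][]byte{
		"user":   wrap(kdf(passphrase, salt), vmk),
		"escrow": wrap(escrowKey, vmk),
	}}, vmk
}

// Unlock is the everyday boot path: passphrase -> KEK -> VMK.
func (h *Header) Unlock(passphrase string) ([]byte, error) {
	return unwrap(kdf(passphrase, h.Salt), h.Slots["user"])
}

// Recover is the escrow path: whoever holds the escrow key gets the VMK without learning the passphrase.
func (h *Header) Recover(escrowKey []byte) ([]byte, error) {
	return unwrap(escrowKey, h.Slots["escrow"])
}

// ResetPassphrase covers a forgotten passphrase: recover the VMK via escrow and re-wrap it under
// a new one. Only the wrapped copy changes, so the encrypted disk contents need no rewrite.
func (h *Header) ResetPassphrase(escrowKey []byte, newPassphrase string) error {
	vmk, err := h.Recover(escrowKey)
	if err != nil {
		return err
	}
	h.Slots["user"] = wrap(kdf(newPassphrase, h.Salt), vmk)
	return nil
}

func main() {
	escrowKey := bytes.Repeat([]byte{0x42}, 32) // constructed demo value; a real one lives in a vault or HSM
	h, vmk := NewHeader("correct horse battery staple", escrowKey)
	_, bad := h.Unlock("guess")
	err := h.ResetPassphrase(escrowKey, "new passphrase")
	got, _ := h.Unlock("new passphrase")
	fmt.Println("wrong passphrase rejected:", bad != nil, "| reset via escrow works:", err == nil && bytes.Equal(got, vmk))
}
```

The design point to take from this is that escrow need not mean handing over the user's secret: the escrow slot is a second wrapping of the same VMK, so the help desk or forensic examiner who holds the escrow key can recover or reset without ever seeing the passphrase, and rotating the passphrase never touches the encrypted data itself.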

In a very real sense, that data, be it IRS records, military service histories or home loan data, belongs to the individual citizens and not to the government agencies that have collected it. And that's been part of the problem: the agencies don't see citizens as their customers, so they don't treat the data with the care it deserves. A lost laptop full of IRS records doesn't translate into lost revenue; it just means bad press. That threat clearly hasn't been enough, so the administration stepped in, and for that it should be applauded. The Bush years are not likely to be remembered as the best of times for information security, but this directive is certainly a small step toward making up for some of the blunders and apathy of the last six years.

Now the question is, what will it take for corporate America to get in the game and make the same commitment the government has? The answer, unfortunately, can probably be summed up in one word: money. Some of the biggest names in U.S. business have been hit by data thefts in recent years and have seen their names splashed across the front pages as a result. Customers have raged on message boards and some companies have paid good-sized fines to settle civil claims. But still the incidents continue to pile up.

The problem is that the accumulated bad publicity and fines aren't nearly enough to make companies give up any of the productivity gains that mobile devices provide. Unless and until the government brings some real pressure to bear with serious fines and/or penalties for corporate officers, we're not likely to see things change anytime soon. Companies can do their part right now by suspending or terminating employees whose laptops are lost or stolen. It sounds harsh, but some companies have already instituted such policies, and we've seen clearly that nothing else seems to be working.
