Regular remote backups, data encryption and a two-stage authentication sign-on process are the best ways to secure...
In June 23, 2006, the White House's Office of Management and Budget (OMB) ordered government agencies to get their laptop security act together and encrypt their data within 45 days. Although the OMB order applied only to the federal government, analysts consider it a wake-up call to private-sector enterprises, which face the same risks when it comes to data on laptops.
"I've been recommending that companies encrypt their laptops for 10 years," says Jeff Moss, director at Black Hat, a Seattle-based security consulting firm that uses WinMagic SecureDoc to encrypt its own laptops. "Back then, it was way too esoteric," he says, but now he believes companies will take laptop data security seriously.
If the OMB memo wasn't enough to grab the attention of IT, regulations emanating from California and rippling through dozens of states across the country are spurring companies to protect laptop data. California SB 1386 requires any organization that conducts business in the state and owns or licenses computerized personal information to notify anyone whose information might be at risk because of a breach in security. However, if the information is fully encrypted, the organization doesn't have to go through the notification process, thereby avoiding public embarrassment as well as potential liability.
When it comes to protecting data on laptops, organizations can implement full disk encryption or risk the consequences. In addition, organizations should evaluate their user-access controls, and review and enforce policies designed to protect data on laptops.
They also need to take laptop backup more seriously. Beyond simply keeping data from prying eyes, companies are beginning to recognize that data residing on laptops is valuable organizational knowledge that may not be sensitive but is too valuable to lose. For this, companies are turning to everything from remote backup for laptops and USB thumb drives, to file synchronization and backup over the network. Analysts suggest a four-layer approach to laptop data protection: policy enforcement, data backup and file synchronization, encryption and authentication (see "Four layers of laptop data protection").
|Four layers of laptop data protection|
First, organizations need to establish and enforce security policies for laptops. "Companies need to make it clear that the data on laptops is company data--valuable intellectual property that must be backed up," says W. Curtis Preston, vice president, data protection services at GlassHouse Technologies Inc., Framingham, MA.
A company policy could go so far as to define what data can be stored on laptops. "Why keep [company-sensitive] data on the laptop at all?" asks Avivah Litan, vice president and distinguished analyst at Gartner Inc., headquartered in Stamford, CT. "The only possible valid reason is a remote worker who needs that data in the field and has no access to a network," she adds, noting that the data should then be encrypted.
Backup and file synchronization
It's a fact of life: Laptops will be lost and stolen. When it happens, you'll need some form of data backup and recovery optimized for the realities of laptop usage.
"That a lost laptop automatically compromises your data is more a perception than reality," says Russ Cooper, director, risk intelligence team at Cybertrust based in Herndon, VA. Rarely is a laptop deliberately targeted for theft--thefts are more opportunistic than targeted.
The biggest loss, then, is access to your own data. If you were working on a proposal, that data has value to you and your organization, even if it isn't confidential. When a laptop is missing, the data is gone unless it was backed up.
"People should back up the data on their laptops, but you need to use backup tools that were designed for remote backup," says Preston. Whatever tool you choose, it must do two things: track data that has changed and offer data deduplication capabilities.
By backing up only the data that has changed, organizations greatly reduce the amount of data to be backed up. This is especially important if the plan is to back up the data over a communications link to a server in the office. Deduplication eliminates the need to back up the same file multiple times (see "The skinny on data deduplication," Storage, January 2007).
Many popular backup software products are suitable for use with laptops. Microsoft Windows has the Briefcase feature that automatically tracks the relationship between files on two or more computers. It can be used between a remote laptop and an office server for backup purposes. If you've made changes to any files in the Briefcase while you're away from the office, Briefcase automatically synchronizes those files whenever you log onto the network, in effect backing up your changes.
A number of products do the same thing. "They are called file synchronizers. IBM [Corp.] Tivoli has one. Tacit [Software Inc.] also has one," says Greg Schulz, founder and senior analyst, The StorageIO Group, Stillwater, MN.
If the organization doesn't want to back up laptops over the network to a central office, Schulz suggests other options, such as external storage devices or removable media. "You can back up to USB thumb drives, but they also increase vulnerability because they are easily lost or stolen," he says. Encrypted USB thumb drives, such as Kingston Technology Co.'s DataTraveler Elite–Privacy Edition, ensure that data remains protected if they're lost or stolen. Another option entails backing up your data to a CD and keeping it separate from the laptop.
Jack Duggal, managing principal at Projectize Group in Avon, CT, takes a different approach. "I keep a 100GB external hard drive in the office and plug in the laptop once a week to back up the data there," he says. If the laptop is lost, at least he still has his data current as of the last backup.
Data protection services
Protecting data on laptops is a two-pronged process: ensuring data is always available through backup and securing data from prying eyes through encryption. Most organizations separate these two efforts, according to Brian Babineau, an analyst at Enterprise Strategy Group in Milford, MA. Iron Mountain Inc., however, has merged the two processes in its PC Data Protection Suite, which combines its DataDefense and Connected Backup/PC products.
DataDefense encrypts data or destroys it. For encryption, it relies on Windows Encrypting File System (EFS), which is considered weak, especially vs. full-disk encryption. "It just makes it a little harder for someone to get the data," says Babineau. The product promises to destroy specified data on an AWOL laptop, but only if the organization has previously enabled policies directing it to do so. Such a policy would typically trigger the automatic deletion of the data as soon as the machine powers up if it hasn't connected to the network within a specified period of time. Still, "it would be hard to unequivocally state that the missing data was safe," adds Mike Karp, senior analyst at Enterprise Management Associates, Boulder, CO.
Connected Backup/PC backs up data to a central site, either at the company or to Iron Mountain. Both Iron Mountain products are sold on a per-seat basis, as licensed software or as a managed service. Connected Backup/PC is $9 per seat/month ($108 per laptop per year), while Data-Defense is $6 per seat/month ($72 per laptop per year). That's $180 per laptop per year for both products.
Finally, there are companies that offer remote data deletion for stolen laptops. Absolute Software Corp. and Everdream Corp., for example, offer products that remotely delete files when the stolen or lost machine is reconnected to the Internet. But security experts scoff at this approach as a general practice. A competent thief would have grabbed any data long before connecting it to the Internet. "It will catch the dumb criminals, so it is better than nothing," says Black Hat's Moss.
The government's recent laptop fumbles have focused the immediate spotlight on encryption as the primary means of protecting data on laptops. In August, the U.S. Department of Veterans Affairs (VA), smarting from the widely publicized loss of laptops containing sensitive data on thousands of individuals, awarded a contract for the encryption of approximately 300,000 VA PCs and mobile devices to San Francisco-based GuardianEdge Technologies Inc. (formerly PC Guardian Technologies).
TruWest Credit Union, a 16-branch credit union headquartered in Tempe, AZ, didn't wait for the feds or any state regulations. It identified laptop data security as a critical issue five years ago when it began implementing two-factor authentication for its laptops. "We have been taking measures to protect laptop data for quite a while, things like passwords at power up and policies about what data could be put on the laptop," says Thomas Gessel, TruWest's senior vice president and technology officer.
TruWest deploys approximately 50 laptops and has had only one stolen. That laptop, used by an IT staffer for maintenance, contained no confidential data, but "its loss made us realize the risk," says Gessel. The credit union, which had been looking at laptop encryption for two years, decided to roll out Naples, FL-based SafeBoot Corp.'s Device Encryption for PC/Laptop.
"We looked at all of them [laptop encryption products] and found SafeBoot was the easiest to deploy, and it didn't require a dedicated server," says TruWest's Gessel. "We were able to deploy it on the maintenance server where we have our antivirus protection. And we got it for less than $150 per laptop."
Cost is one objection to encryption. Managers also object to the resulting performance hit and the difficulties of key management (see "Encryption resistance").
Despite headline-grabbing laptop losses and laws like California SB 1386 popping up in state after state, laptop encryption hasn't yet caught on big. "We have a ton of security measures such as physical locks and we use biometric authentication, but we do not have full disk encryption on the laptops," says Chris Curran, chief technology officer at Diamond Management & Technology Consultants Inc. in Chicago. Diamond's consultants simply don't put the kind of confidential data that would require disclosure on their laptops.
Encrypted file system
Ironically, most laptops today already have encryption, although most people don't realize it. Microsoft's Windows EFS has long come as part of Windows OS. But EFS comes up short as an encryption approach that will allow you to avoid notification requirements in the event of the loss of a laptop with sensitive data.
"Windows EFS is the most common solution, but it can be circumvented easily if you know what you are doing," says GlassHouse's Preston. "Anything that relies on [a] Windows' user name and password is pretty hackable." Once a user is authenticated by Windows, EFS encryption and decryption is automatic.
Other shortcomings include its weak encryption algorithm, which falls short of the strength provided through 256-bit AES encryption, today's corporate security standard. EFS also lacks a public/private key mechanism, which eliminates the complications of key management but further weakens security.
Still, some security experts aren't so quick to dismiss EFS, using the logic that it's better than nothing. "Most users don't need fancy encryption and PKI," says Cybertrust's Cooper. "They can use the encryption built into Windows [EFS], which costs zero." For those wanting to bolster EFS, he recommends using PGP encryption within EFS, which strengthens security but adds complexity.
Even Microsoft recognizes the shortcomings of EFS. For its new Vista Windows OS release, Microsoft will offer BitLocker Drive Encryption. According to Micro-soft, BitLocker Drive Encryption provides increased protection through a combination of full-drive encryption and integrity checking of early boot components. Integrity checking of early boot components prevents someone from circumventing encryption by booting the drive through another OS. With BitLocker Drive Encryption, data decryption is performed only if the boot components appear unmolested and the encrypted drive is located in the original computer. BitLocker Drive Encryption encrypts the entire Windows volume, including all user and system files, plus any swap and hibernation files.
Along with backup and encryption, managers need to address access control and authentication. The OMB now requires users intending to access government data remotely to use two-factor access control where one of the factors is provided by a device separate from the computer gaining access. It also wants users to log all extracts of sensitive data they download to their laptops.
"Everybody uses access controls, but they are easily broken," says Gartner's Litan. "It is easy to break a Windows password. You need at least two-factor authentication."
For example, Diamond Management & Technology Consultants uses biometric authentication to provide access to laptops. "We then link the biometric authentication to the password for operating system and hard drive security," says the firm's Curran. Should the laptop be lost or stolen, no one would be able to authenticate to gain access to the hard drive or data at any level.
Despite what encryption advocates say, there's no single approach to protecting data on laptops. "It's the belt and suspenders thing. You will need to use several approaches," says Moss at Black Hat, who uses PGP, WinMagic and other technologies to protect his firm's laptops. The alternative: Don't keep data you're not willing to lose on the laptop.