We hear a lot about the security risks associated with mobile drives -- such as laptop hard drives and USB drives -- and there's certainly no lack of written policies on the subject. But how can you turn your words into actions and actually make your mobile drives secure?
The first essential element for protecting information on mobile drives and setting your users up for success is to setup encryption. Yep -- the tried and true security "solution" that has failed us so many times in the past actually works very well in this situation. By encryption, I'm referring to encrypting whole disks and/or volumes -- that is, entire C: drives or entire USB drives, for example. This offers the ultimate in security. Once the lost or stolen system is powered off, hibernated or (as in the case of PDAs and smartphones) has been idle for a certain period of time, the person who found (or stole) the system will be stuck at a login prompt. Just what the doctor ordered.
There is another popular way to go about encrypting sensitive information on mobile drives. You can encrypt certain portions of your mobile drives by creating encrypted "partitions" -- something that has worked well for me in the past. However, security is much weaker here because you're depending on your users to store all sensitive information on that partition -- a major no-no.
As if user carelessness is not enough, operating systems and applications often save (and don't clean up) files in areas such as temp directories and application directories, leaving the information exposed. If a mobile device is lost or stolen, the chances are good that someone can gain access to sensitive information strewn across the drive. Therefore, whole drive encryption is the best way to go.
There are various products available to help you with encrypting your mobile drives. My favorite is PGP Corp.'s relatively new Whole Disk Encryption, which has worked flawlessly for me thus far. I encourage you to check out the other options as well, such as Utimaco Safeware AG's SafeGuard Easy and GuardianEdge Technology's Encryption Plus Hard Disk. Seagate is even offering Full Disk Encryption (FDE) technology on their notebook drives which encrypts information at the hardware level. Pretty nifty.
The second essential element for keeping your data intact is to ensure you've got good backups. A tried and true method for backing up mobile drives is to integrate your backups into an existing backup system (i.e., tape) by installing client backup software, performing an initial full backup and then performing ongoing full backups once a month or so and incremental or differential backups once a week, or whatever works best.
A product that I like even better is to implement a disk-to-disk backup product such as Acronis Inc.'s True Image Corporate Workstation. Given the low price of hard drive storage combined with Gigabit Ethernet and the ability to run while Windows is loaded makes drive backups much less painful and inconvenient. In addition, you get a great benefit on the back-end because you can "mount" the backup images as a local drive to retrieve a lost file or directory and can even restore the entire drive image to a known good state.
While you're tuned into the subject of securing down your mobile drives, don't forget about your PDAs and smartphones as they often house sensitive information your organization might not be able to afford to lose either. Companies such as PDA Defense and Pointsec Mobile Technologies offer dependable products. There's also an open source product called Keyring for Palm OS. Encourage your users to sync their devices on a consistent basis as well in the event of lost data. Also, you may wish to look past laptops and other mobile devices and consider encrypting the hard drives of desktops and servers that house sensitive information if there's any chance of physical theft.
Furthermore, the last thing you and your team need to be working on is managing cumbersome backup jobs, restoring individual files from tape and other time-wasting tasks.
For more information:
About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at firstname.lastname@example.org.