Mobile Encryption: Don't Leave Home Without It

Sensitive data walks out your company's front door every day. Question is, will that mobility be a contributor to business success or a deadly blow? In many cases, that will

November 7, 2007


Let's face it, laptop loss is reaching epidemic proportions. In the just-released 2007 CSI Computer Crime and Security Survey, half of respondents had a laptop or mobile device stolen in the past year. In response, at least 35 states require some form of notification when customers' or employees' personal information has been compromised. Federal laws such as HIPAA, GLBA and even SOX mandate data protection efforts, with encryption strongly suggested—and stiff penalties if recommendations are ignored.

And then there are your customers. A study by the Ponemon Institute found that only 7% of companies said concern about protecting customers was a motivating factor to invest in encryption. We can only hope that's a statistical blip, for all our sakes. As the public becomes weary of continual data breaches—everyone has a friend who's been a victim of identity theft—inevitably customers will begin to scrutinize the practices of companies they do business with. Complicating all this are new e-discovery rules; claiming you can't access data because no one knows how to decrypt it isn't going to win points with a judge.

Policies

We've said it before and we'll no doubt say it again: Successful security starts with comprehensive policies. This is true in spades with mobile encryption. There's no way around the fact that device encryption is inconvenient for users. A policy will help garner support at the executive level, vital to reduce pushback. Policy should also define exactly what data needs to be protected in which circumstances, and when various safeguards, including encryption, are to be applied.

Your policies should limit the amount of sensitive data stored on mobile devices, favoring instead secure remote access. Mobile devices are uniquely dangerous because all the normal security risks are present, along with the added threat of loss or theft. Your goal is to prevent someone in unauthorized possession from accessing data. Limiting encryption to this threat profile can greatly simplify the rollout of the encryption system and improve ease of use. Whenever users must take data with them, it should be the minimum necessary. A business analyst studying customer buying trends doesn't need credit card numbers. Building the capability into corporate data systems to exclude sensitive data from export, or even better, to make it difficult to output to a portable format, perhaps by requiring managerial approval, is key to compliance. A database extrusion prevention system like those we recently reviewed can help here.

All About The Form Factor
Mobile devices such as PDAs and smartphones can be even tougher to encrypt than laptops. First, it's difficult to enter complex passwords on small keyboards, especially special characters, and multi-factor authentication is all but impossible. This could preclude integrating mobile device authentication into the corporate authentication system.

Second, the limited processing power of small devices means the extra computation required for encryption may cause them to slow down noticeably. And finally, the always-on nature of smartphones means care must be taken in determining what data is encrypted at what times. Encrypting the calendar database seems like a good idea, for example, but if the alarm notifier can't read appointments because the password hasn't been entered, it can't remind its owner of meetings.

Then there's portable USB storage. Encrypted USB drives like the Kingston Data Traveler Secure abound, but most of them are unmanaged, with encryption left up to the user. Worse, most also require device drivers to be installed on every computer they will connect to, meaning users will need either administrator access or increased helpdesk support. Very few encrypted USB drives work on anything but Windows, which causes problems for companies with multiple desktop platforms. We like SafeBoot Technology's new line of hardware-encrypted USB drives that require no software, instead relying on a biometric fingerprint reader to provide the decryption key. These drives are also manageable through SafeBoot's Management Center, which can handle password changes, key recovery, even device lockout.

If supporting users outside the office isn't already hard enough, now you're giving them an additional password to forget. You'll need to provide methods to help users in the field unlock their devices; most enterprise-class products support some form of key recovery. For example, PGP Whole Disk Encryption solves this problem by escrowing a single-use password on the management server. If a user forgets his password, the helpdesk can read a 32-digit string of characters, or send it via an SMS message. Once the user enters the recovery token and boots the laptop, it requests a password change, the recovery token is invalidated and a new one sent to the server for next time. This capability is also crucial for situations where the company needs access to the laptop's data, but the user no longer works for the company. Some IT shops even use the recovery token as an audited way to grant the helpdesk access to a laptop brought in for service, while others with less stringent accountability create a separate encryption passphrase that is shared among helpdesk technicians for this purpose.
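The single-use recovery token flow described above, as an added example that is not PGP's code or any vendor's: the disk key is wrapped under the user's passphrase and, separately, under a 32-digit token escrowed on the management server; a successful recovery consumes the token, forces a password change and escrows a fresh token. The key wrapping (XOR with a scrypt-derived key plus an HMAC tag) and all class and method names are assumptions standing in for a product's real key-wrap; every helpdesk release of a token is written to an audit list, which is what makes the recovery path accountable rather than a shared back door.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added illustration, not PGP's code: a laptop keeps its disk key wrapped under
# the user's passphrase and under a single-use recovery token escrowed on a
# management server. Key wrapping here is XOR with a scrypt-derived key plus an
# HMAC tag, a simplification standing in for a standard key-wrap.

KEY_LEN = 32
TOKEN_DIGITS = 32  # the "32-digit string" the helpdesk reads out over the phone


def _derive(secret: bytes, salt: bytes) -> bytes:
    """Stretch a passphrase or recovery token into a KEY_LEN-byte wrapping key."""
    return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def wrap_key(disk_key: bytes, secret: bytes) -> dict:
    """Protect disk_key under secret; the tag lets unwrap detect a wrong secret."""
    salt = secrets.token_bytes(16)
    wk = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(disk_key, wk))
    tag = hmac.new(wk, ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_key(blob: dict, secret: bytes) -> Optional[bytes]:
    """Return disk_key, or None if secret is wrong or the blob was altered."""
    wk = _derive(secret, blob["salt"])
    expected = hmac.new(wk, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], wk))


class ManagementServer:
    """Holds exactly one current recovery token per device, plus an audit trail."""

    def __init__(self) -> None:
        self.escrow: dict = {}
        self.audit: list = []

    def store_token(self, device_id: str, token: str) -> None:
        self.escrow[device_id] = token
        self.audit.append(("escrowed", device_id))

    def helpdesk_release(self, device_id: str, ticket: str) -> str:
        # Every release is logged against a ticket, so use of the token is auditable.
        self.audit.append(("released", device_id, ticket))
        return self.escrow[device_id]


class Laptop:
    def __init__(self, device_id: str, passphrase: str, server: ManagementServer) -> None:
        self.device_id = device_id
        self.server = server
        self.disk_key = secrets.token_bytes(KEY_LEN)
        self.user_slot = wrap_key(self.disk_key, passphrase.encode())
        self.must_change_password = False
        self._escrow_new_token()

    def _escrow_new_token(self) -> None:
        # The laptop generates the token and sends it to the server "for next time".
        token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_DIGITS))
        self.recovery_slot = wrap_key(self.disk_key, token.encode())
        self.server.store_token(self.device_id, token)

    def unlock(self, passphrase: str) -> bool:
        if self.must_change_password:
            return False  # after a recovery, normal login waits for the password reset
        return unwrap_key(self.user_slot, passphrase.encode()) == self.disk_key

    def recover(self, token: str) -> bool:
        if unwrap_key(self.recovery_slot, token.encode()) != self.disk_key:
            return False
        # Token consumed: force a password change and escrow a fresh token.
        self.must_change_password = True
        self._escrow_new_token()
        return True

    def change_password(self, new_passphrase: str) -> None:
        self.user_slot = wrap_key(self.disk_key, new_passphrase.encode())
        self.must_change_password = False
```

Because the old token's wrapping slot is overwritten in `recover`, reading the same 32 digits a second time fails even if the user wrote them down, which is the property that makes the token safe to speak over the phone.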

What's Uncle Sam Doing?
U.S. Department of Defense CIO John Grimes issued a memorandum in July 2006 stating that all data stored on mobile devices that is unclassified but still sensitive—which for the DoD mostly includes personally identifiable information—must be encrypted. Sounds good, but there are a few problems with this approach. First, it can be tricky to identify where all this data resides, especially on far-flung mobile devices. In addition, almost by definition, you're leaving encryption decisions to users, who may either not understand what data must be encrypted or are just too busy to take the time to review their files.

[Figure: Impact Assessment]

What it all comes down to is the difference between full-drive encryption, which locks down the entire hard drive, and folder- or file-based encryption, which allows users to select which information is protected. The safest approach, of course, is to require that all mobile devices be fully encrypted, but this can be costly. We recommend a policy of always encrypting devices of users who regularly work with sensitive data. Penalties for transporting unencrypted sensitive data should be the stick attached to the policy carrot.

The federal government, under the guise of the General Services Administration Data At Rest Tiger Team, or DARTT, has also made moves in terms of vetting encryption vendors. DARTT recently completed a process to choose the encryption products that will be available for use by the Department of Defense on unclassified systems, 18 federal agencies and NATO.

The GSA started the process by having vendors present information on their products to learn the scope of what was currently available. Then, in a process Sean Lyons, head of SafeBoot's federal and state operations group, describes as the most comprehensive framework of evaluation criteria he's seen in a formal RFP, DARTT presented vendors with a set of technical requirements classified as critical, important and desirable. Critical requirements include FIPS 140-2 verification and compatibility with the Department of Defense Common Access Card (CAC). Important criteria were items such as not changing the GINA.dll or having the ability to zero out storage. Desirable features included support for Trusted Platform Modules and operating system single sign-on. To be considered, products had to meet all critical requirements. There was little formal lab testing; DARTT instead relied on reports from government agencies that had already used most of the products under consideration. This was key to reducing the amount of time the selection process took.

In June, the GSA awarded blanket purchase agreements for 10 encryption products, including full-disk encryption, file and folder encryption, and even a USB-connected hardware encryption device for flash RAM. Each government agency and DoD component must purchase from among these products, and state and local governments and NATO can purchase from the agreements. This could create up to a 25 million seat windfall for contract winners, a tremendous volume that hopefully will drive down prices for the rest of us, too. Over five years, the value of these purchases could exceed $79 million, according to the Office of Management and Budget.

The downside is that with the government's purchasing power concentrated among the BPA winners, other vendors may have a harder time keeping the cash flowing to R&D. The government's seal of approval on the winning products also automatically places them on the short list of any company that does business with the feds, further handicapping vendors that didn't get included.

Holistic Approach
Why did the government have to anoint 10 products for one function? Because there's no single über-encryption product. In fact, the only thing worse than losing a laptop full of unencrypted sensitive data is trying to manage an enterprise full of encrypted devices. For now, IT must cobble together systems that only solve parts of the problem. For example, a company may have a BlackBerry Enterprise Server to manage its BlackBerrys and enforce Content Protection, RIM's built-in data encryption, while Windows Mobile devices get some of their policy management through Exchange 2003 and some from a third-party encryption console. Yet another system might be needed to manage policies and key recovery for a full-disk encryption suite for Windows laptops, while Macs can use the built-in FileVault tool, which will lock down everything in the user account, but not apps or system libraries, and doesn't offer centralized management.

If you're in the process of choosing an encryption system, try to look at least 18 months down the road at platforms that may need support. Once you've rolled out encryption to the entire enterprise, it will be awfully hard to change course to suit a handful of Apple or Palm diehards. Besides the hassle inherent in multiple encryption management systems, there's risk in having inconsistent security controls across various platforms.

The surest way to keep encryption consistent and manageable is to invest in a product that manages encryption of the widest possible swath of mobile devices and enforces a single, consistent set of policies. Last year we reviewed full-disk encryption systems from PGP, SafeBoot and SafeNet (see Lock Down Loose Cannons). Entrust, Mobile Armor, Pointsec and Voltage Security also have products in this space. In a sign of how mainstream this technology is becoming, SafeBoot, our Editor's Choice in that review, is in the process of being acquired by McAfee.

Do We Really Have To Buy This Stuff?
Microsoft has included its Encrypting File System utility since Windows 2000, and BitLocker's full-disk encryption is one of the highlights of Vista. But that doesn't mean you can do comprehensive data lockdown on the cheap.

Setting aside the obvious requirement that you use only Windows, there's still much ground that Microsoft hasn't covered. EFS is a fine technology, but it's better suited for preventing users sharing a computer or server from reading each other's files than preventing a laptop thief from learning all your employees' Social Security numbers. It's not only that users can't be trusted to always encrypt their sensitive files. Windows applications often store data seemingly willy-nilly across the hard drive. Just encrypting the My Documents folder will leave many temporary file locations accessible. BitLocker solves this weakness by encrypting the entire disk, minus a 1.5 GB boot partition. The downside to BitLocker is manageability, or the lack thereof. Yes, BitLocker can be managed with Active Directory GPOs, but it is not integrated with any other encryption system, not even EFS.
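Two passages above make the same point: the DoD memo leaves it to users to find where sensitive data resides, and folder-level encryption leaves temporary-file locations exposed. The following added example (not code from the article or any vendor) is a small audit that walks a drive image, skips the folders a file/folder encryption product protects, and reports files outside them that still carry Social Security or card-number-like data; card candidates are Luhn-checked to cut false positives. The sample tree, its paths and the numbers in it are constructed for the demonstration, and `find_exposed`, `classify` and `luhn_ok` are this example's own names.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example, not from the article or any vendor: report files outside the
# encrypted folders that still contain SSN- or card-number-like data. The
# sample tree built in build_sample_tree() is constructed for the demonstration.

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check on a digit string; filters most random 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> List[str]:
    """Return the kinds of sensitive data found in text ("ssn", "pan")."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            kinds.append("pan")
            break
    return kinds


def find_exposed(root: Path, protected: List[Path]) -> Dict[str, List[str]]:
    """Map relative path -> data kinds for files NOT under any protected folder."""
    root = root.resolve()
    protected = [p.resolve() for p in protected]
    exposed: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath).resolve()
        if any(d == p or p in d.parents for p in protected):
            continue  # covered by folder encryption, nothing to report
        for name in files:
            f = d / name
            try:
                text = f.read_text(errors="ignore")
            except OSError:
                continue
            kinds = classify(text)
            if kinds:
                exposed[f.relative_to(root).as_posix()] = kinds
    return exposed


def build_sample_tree() -> Path:
    """Constructed laptop image: one protected folder, several unprotected spots."""
    root = Path(tempfile.mkdtemp(prefix="laptop-image-"))
    samples = {
        "Users/alice/My Documents/customers.csv": "name,ssn\nA. Sample,078-05-1120\n",
        "Users/alice/AppData/Local/Temp/~customers.tmp": "A. Sample,078-05-1120\n",
        "Windows/Temp/print-spool.txt": "card 4111 1111 1111 1111 exp 01/09\n",
        "Users/alice/Desktop/notes.txt": "call vendor re: invoice 1234-56-78\n",
    }
    for rel, text in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(text)
    return root


def demo() -> Dict[str, List[str]]:
    """Audit the constructed image with only My Documents under folder encryption."""
    root = build_sample_tree()
    return find_exposed(root, [root / "Users" / "alice" / "My Documents"])


if __name__ == "__main__":
    for path, kinds in sorted(demo().items()):
        print(f"EXPOSED {path}: {', '.join(kinds)}")
```

On the constructed image the audit flags the application temp copy and the print spool while passing the encrypted My Documents copy and the invoice note, which is exactly the gap between folder-level and full-disk encryption that the paragraph describes.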

What of hard drives, such as the Seagate Momentus, that automatically encrypt data stored on them? The concept is a good one, but right now, it still solves only one part of the problem, just like BitLocker. And, like BitLocker, the Seagate Momentus makes use of the Trusted Platform Module included in many recent laptops for key storage. Should you decide to use a TPM-based system, be sure to consider key management. Wave Systems' Embassy Security Center can remotely manage TPM passwords and the backup and recovery of keys stored on the TPM chip.

Covering Your Rear

Should a device with sensitive data go missing, you need to prove that it really was encrypted. Auditability is key to limiting liability.

Fortunately, this is a feature all of the centrally managed encryption suites offer. SafeBoot even provides these audits for encrypted USB flash drives, a boon because the small size of USB drives makes them the most likely to be lost. Mobile Armor's File Armor creates self-decrypting archives that are very useful for sharing sensitive files among users or with partners. But the beauty of this product is that when a user attempts to decrypt the archive, the decryption software checks with the management console to verify that access to the archive hasn't been revoked, and logs the access. The ability to force a device to encrypt via policy, and then provide logs demonstrating that it was encrypted and had checked into the management console recently, can be the difference between spending a lot of money and corporate goodwill notifying your customers that their data was stolen, and just eating the cost of a stolen laptop.
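The decision the paragraph describes, turned into code as an added example that is not from the article or any console vendor: given a device's check-in history, was the disk reported fully encrypted at the last check-in before the loss, and is that evidence recent enough to rely on? The check-in records, their field names (`device`, `ts`, `state`, `policy`) and the 14-day freshness window are constructed assumptions; a real console exports equivalent fields under its own names.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Added example, not from any vendor console: decide from a device's check-in
# history whether the organisation can show a lost device was encrypted.
# The records below are constructed for the demonstration.

CHECKINS: List[Dict] = [
    {"device": "LT-1023", "ts": "2007-10-30T08:12:00", "state": "encrypted", "policy": "FDE-required"},
    {"device": "LT-1023", "ts": "2007-10-25T17:40:00", "state": "encrypted", "policy": "FDE-required"},
    {"device": "LT-2041", "ts": "2007-11-01T09:00:00", "state": "encrypting 40%", "policy": "FDE-required"},
    {"device": "LT-3390", "ts": "2007-08-14T12:00:00", "state": "encrypted", "policy": "FDE-required"},
]


def assess_loss(device: str, lost_at: str, checkins: List[Dict], max_age_days: int = 14) -> Dict:
    """Return the evidence a breach-notification decision rests on.

    notify is False only when the last check-in before the loss reported a fully
    encrypted disk AND that check-in is no older than max_age_days: a device that
    was still encrypting, or that went quiet months ago, gives no defensible proof.
    """
    lost = datetime.fromisoformat(lost_at)
    history = sorted(
        (c for c in checkins if c["device"] == device and datetime.fromisoformat(c["ts"]) <= lost),
        key=lambda c: c["ts"],
    )
    if not history:
        return {"device": device, "evidence": "none", "notify": True}
    last = history[-1]
    age = lost - datetime.fromisoformat(last["ts"])
    encrypted = last["state"] == "encrypted"
    fresh = age <= timedelta(days=max_age_days)
    return {
        "device": device,
        "last_checkin": last["ts"],
        "evidence_age_days": age.days,
        "encrypted_at_last_checkin": encrypted,
        "evidence": "fresh" if fresh else "stale",
        "notify": not (encrypted and fresh),
    }


if __name__ == "__main__":
    for dev in ("LT-1023", "LT-2041", "LT-3390", "LT-9999"):
        print(assess_loss(dev, "2007-11-02T07:30:00", CHECKINS))
```

Check-ins stamped after the reported loss time are deliberately ignored: a device that phones home after it was declared lost is a different incident, not evidence that it was protected when it walked out the door.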

Just Do Something
The embarrassment of riches in the mobile encryption marketplace can make the choice of a platform vendor daunting, but the key is to just move forward. Start with the products covered under the GSA BPA and look to other vendors to fill gaps or for smaller rollouts. All the GSA-approved products use cryptographic modules validated under FIPS 140-2 security requirements and have met stringent technical and interoperability requirements. Localities can get more info at www.gsa.gov/smartbuy.
