A brief introduction for Enterprise Leadership
Many enterprises have been in the news lately for losing laptop computers containing sensitive or private data. These events have brought data security to the attention of regulatory agencies, which are requiring remediation as well as levying fines for violation of a wide variety of regulations. In addition, when the Payment Card Industry (PCI) audits data protection measures for credit card transactions, it is finding them lacking in rigor. The PCI is requiring enterprises that wish to continue accepting credit cards to reduce the risk of exposure of credit card and financial data.
What are you going to do to protect your company's interests? There are a wide variety of measures that you can take that will help, but, alas, most of them are for the office environment, which leaves your on-the-go staff's data unprotected. You can't cripple them by not allowing them access to the data they need to do their job, but, being out and about, their computers are at greater risk. What can you do? There is one tool that you can utilize that will go a long way toward protecting your intellectual assets as well as satisfying the regulators: encryption.
The only two questions left to answer are, "What type of encryption is best, file or full disk encryption?" and "Whose computers should be encrypted?"
To answer the first question we need only look at what others are doing, such as large financial institutions, health care organizations and governmental organizations. The answer is quite clear: full disk encryption is the only way to ensure that data is not leaked by covert channels or forgetfulness on the part of the user. High security environments like the Department of State and the Department of Defense have adopted full disk encryption as the standard, so it makes sense to piggyback on what they have learned.
As to the second question, the answer is, "All of them." You may wonder why every laptop, desktop, and end point device needs to be encrypted if some of your staff don't have direct access to sensitive data. Basically, the more people who have sensitive data, the more likely a mistake will be made that reveals private information you are required to protect. Often people do not realize they have sensitive or private data on their computers, and additionally, it sometimes gets sent to them without either the sender or the recipient realizing the significance of the risks. Since encryption protects against accidental loss of data when a computer is lost or stolen, having every computer encrypted makes business sense. Having both an approval process for access to private and sensitive data and encryption is much like having a knob lock and a deadbolt on your door: each by itself will work, but together they make the risk of intrusion even less.
Some people are concerned about the risk of data loss or computer malfunction due to encryption, especially full disk encryption. First we'll cover the real-world risks of data loss with encryption. Boiled down to the basics there are seven:
- Hardware failure
- Cracking (breaking) the encryption algorithm
- Unencrypted residual data left behind by the encryption process or other applications
- Weak keys (passwords), i.e., "password1," "Bob," "X-Ray" and similar words that are easy to guess or readily available in a dictionary or other common resource
- Keys not protected, i.e., left on a sticky note on the CRT or a bulletin board to protect against failing memories
- Lost or forgotten password
- Data corrupted by the encryption process
The first risk of data loss exists regardless of whether the data is encrypted or not. Encryption neither enhances nor reduces this risk. The only protection against the risk of hardware failure is data backup and archiving. The second risk is mitigated by the fact that the current approved encryption method, the Advanced Encryption Standard (AES), has been peer reviewed and tested by a variety of people, such as the National Security Agency and private researchers, who have spent a great deal of time attempting to crack the algorithm. So far the only method shown to work is "brute force," and it takes years and years of super-computer use to even attempt this, so for all practical purposes it is considered "unbreakable" at this time. This may change in the future, but we will have warning when it happens because the standard is reviewed every five years to make sure it is still secure against even theoretical attacks.
The third risk is very real and exists with every modern computer that does not encrypt the whole hard disk and protect working memory, because almost all programs have "scratch pads" and other artifacts that they create and use while they do their work. Often these "scratch pads" can be read by sophisticated hackers. In addition, there are common, freely available tools that enable even non-experts to recover what is located in these "scratch pads" and other artifacts. Since these "scratch pads" and other artifacts are stored on the computer's hard disk when it is shut down, encryption other than full disk encryption will not protect this data.
The fourth risk, weak keys or passwords, exists whether the data is encrypted or not. If the password can be guessed or cracked easily, then any data on the computer can be accessed by anyone who wishes to do so. The only real mitigation possible for this risk is a policy requiring keys and passwords to meet certain standards and having regular audits to ensure that the policy is being followed. The fifth risk is related to the fourth and can only be mitigated by creating a clear policy forbidding such actions and auditing to ensure the policy is being followed.
This brings us to the sixth risk, lost or forgotten passwords. This is a very real risk in an un-managed environment, such as a home user, or where there is no provision for password recovery because no Encryption Key Management Process is in place and enforced. This problem has similar characteristics to the use of weak keys or passwords in an un-managed environment. You can protect against this risk by installing a robust Encryption Key Management Process that allows for key recovery when someone forgets their key or password for full disk encryption. In addition, many of the full disk encryption products provide a way to recover access by using an offline Challenge-Response mechanism. The end user does not even have to be logged into your network. All they have to do is call your Help Desk, and they will be led through a key or password recovery process. Given the two different ways of recovering keys and passwords, there is very little risk of lost data from forgetting a key or password other than hardware failure. However, if hardware fails, whether or not the data is encrypted will not matter. This is why proper backup processes for all your data on a regular basis are critical.
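To make the offline Challenge-Response recovery flow concrete, here is an added illustration (not code from the original article or from any encryption vendor) of how such a mechanism can be built: the laptop's pre-boot code shows a one-time challenge, the Help Desk computes a short response from an escrowed per-machine secret, and the laptop verifies it without any network connection. The master key, machine ID, response length and attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of an offline Challenge-Response recovery flow.
# Assumptions (not any vendor's actual protocol): at encryption time a
# per-machine recovery secret is escrowed with the Help Desk's key
# management system; the pre-boot unlock code on the laptop keeps a copy.

RESPONSE_LEN = 12  # hex characters the user types back; assumption


def derive_machine_secret(master_key: bytes, machine_id: str) -> bytes:
    """Help Desk side: derive the escrowed per-machine secret from one master key."""
    return hmac.new(master_key, machine_id.encode(), hashlib.sha256).digest()


def compute_response(machine_secret: bytes, machine_id: str, challenge: str) -> str:
    """Shared computation: HMAC over machine id and challenge, truncated for dictation."""
    msg = f"{machine_id}:{challenge}".encode()
    return hmac.new(machine_secret, msg, hashlib.sha256).hexdigest()[:RESPONSE_LEN]


class PreBootRecovery:
    """Laptop side: issues one-time challenges and checks the dictated response."""

    def __init__(self, machine_id: str, machine_secret: bytes, max_attempts: int = 5):
        self.machine_id = machine_id
        self._secret = machine_secret
        self._pending = None          # only one outstanding challenge at a time
        self._attempts_left = max_attempts

    def new_challenge(self) -> str:
        # Random and single-use; short enough to read out over the phone.
        self._pending = secrets.token_hex(8)
        return self._pending

    def unlock(self, response: str) -> bool:
        # Refuse when no challenge is outstanding or the attempt budget is spent.
        if self._pending is None or self._attempts_left <= 0:
            return False
        self._attempts_left -= 1
        expected = compute_response(self._secret, self.machine_id, self._pending)
        ok = hmac.compare_digest(expected, response.strip().lower())
        self._pending = None          # challenge is consumed whether or not it matched
        return ok
```

Because the response is bound to a fresh challenge, a response overheard during one call cannot be replayed to unlock the laptop later, and the attempt budget limits guessing at the pre-boot prompt.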
And this brings us to the seventh risk of data loss, corruption by the encryption process and its interaction with the applications that are in use at your enterprise. Large enterprises such as Wells Fargo have used full disk encryption on all their laptops without any apparent problems. The failures they encountered appear to have been caused by laptops that were already in the process of failing before encryption was started. There can be some issues with automatic installer software at first, but manual installation proceeds perfectly. In the cases where there were problems with the installer program, either the installation stopped and was rolled back, or the data had been backed up prior to the start of encryption and was recovered without problems by re-imaging the laptop.
As for data corruption caused by interaction between the full disk encryption process and other applications running on laptops that have had full disk encryption applied, there have been no reports of this happening. This is not true of file level encryption.
As to the differences between file encryption and full disk encryption in terms of potential data loss due to the encryption process, since full disk encryption operates at the hardware level, not the software level, there is less risk of interaction between encryption software and other applications that could cause corruption or loss of data with full disk encryption. An additional factor is that with file encryption there is more of a load on the CPU to open a file than there is when the disk is encrypted because each file has to be opened on its own and closed on its own when you are done with it. As with everything else in life, the more often you have to do some repetitive process, the more likely there is to be a failure. Disk level encryption avoids the process bottleneck as well as the repetitive process issue because it operates at a hardware level with a much lower actual failure rate.
Some people have also expressed concern about encryption slowing down their computers. Yes, there is a small performance issue. Typically users will see a two to five percent performance hit with disk level encryption, which is almost unnoticeable with modern computers. With file encryption typically you are much more likely to be aware of the process because it happens with every file you open and close so the machine waits until it is complete before going on to the next task. The actual performance loss with file level encryption is harder to calculate as it is dependent on the size of the files being opened and closed. Typically it is in the three to eight percent range.
In summary, full disk encryption is a viable and extremely low risk way of protecting sensitive or private data and ensuring that your enterprise meets all compliance requirements mandated by HIPAA, SOX, data privacy legislation, and industry standards like the Payment Card Industry Data Security Standard. Additionally, full disk encryption, while not a panacea for data loss, is a very good tool to prevent data loss either by theft or by human error when combined with proper policies and common sense.
Copyright 2007, Allen Schaaf - Information Security Consultant
Allen Schaaf - CISSP,
Information Security Consultant,
Network Security and Forensic Analyst,
CEH, CHFI, CEI - EC-Council