For Laptops, Encryption Isn't Everything -- But it's a Fine Start

Carl Weinschenk

Though it could have been condensed somewhat -- several of the items seem to overlap -- eWEEK has posted a nice slide show on the problems of laptop security. In this case, "nice" relates to the clarity of the presentation, not the feeling the message is likely to elicit. That message is that there are a quite a few ways that a laptop can become a problem.


The ways laptops are endangered: Hard drives aren't encrypted, USB drives are not disabled, people simultaneously use devices for personal and business tasks, users don't pay attention to security, physical security measures aren't used, people do dumb things, devices aren't labeled and thus can't be returned by the rare honest person who finds them, tracing programs aren't used enough, and systems aren't patched.


Lack of encryption is number one on eWEEK's list. That's no accident. Encryption is one of the key strategies for protecting the data on machines, since it makes that data largely inaccessible to people who steal or find devices.


There is good news on this front. Network World reports that federal agencies have bought 800,000 encryption licenses during the past year though the federal Data at Rest (DAR) encryption program, which is run by the General Services Administration and the Department of Defense. The piece says the total number of laptops the feds think they must worry about is thought to be about 2 million, split roughly equally between federally owned devices and private companies with access to government data. The story offers two very interesting links to The Privacy Rights Clearinghouse -- which, among other things, keeps a running listing of breaches -- and to a listing of the top 10 suppliers of encryption to the federal program.


On paper (or a computer screen), the idea of full-disk encryption -- as the name implies, encrypting everything on a machine from soup to nuts -- sounds great. That is, to everyone except some folks in the IT department. This TechRepublic post says full-disk encryption makes testing the device beyond hardware hard. Full-disk encryption, the writer says, also can lead to very difficult password management situations.


The writer suggests that most people don't really need full-disk encryption. There is a lot of data on a machine that is fine left in the clear. The better alternative is using encrypted disk images to store sensitive data and leaving everything else. Specifically, the writer recommends TrueCrypt, an open source utility that can switch fluidly among Windows, Mac OS and Linux.


Laptop encryption is not a one-size-fits-all undertaking. There are different approaches, and Processor looks at variables and tradeoffs of each. Perhaps the most important choice is whether to use full-disk or file-based encryption. The former offers a higher level of security but, as noted by TechRepublic, is more cumbersome. File-based approaches are easier to use, but rely on the user to implement. Even if he or she does, sensitive data can be misplaced on unencrypted drives. Another decision is whether to use free or commercial encryption. The free versions could be open source or a utility that comes in the operating system. A sidebar suggests starting with free approaches until they are proven inadequate and creating an implementation plan.


This piece posted at AlertBoot tells the story of the disappearance of a laptop from a health care office in East Hempfield Township, Penn. The machine held a file database and, apparently, was being used to scan paperwork into the system. The person doing the work apparently left the room momentarily and the machine was swiped.


The point of the story is that full-disk encryption is vulnerable if the machine is operating when it is taken and the thief goes to work before turning it off. This problem is eliminated if the machine also has file-level encryption -- assuming, of course, that a file with sensitive data is open when the machine is taken. Clearly, this shows the limits of encryption -- and suggests that more than one approach is needed to truly secure a machine.

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.