How to Lock Up Laptop Security

Haven't encrypted your laptop fleet yet? There's no excuse for that choice anymore. Check out today's smart strategies for improving laptop security—before the next machine disappears.

Page 2 of 4

Management Hurdles

CIOs implementing encryption on laptops (and desktops, for that matter) should focus mainly on key management and user management strategies, advises Kocher. The encryption technology itself is mature; what varies from vendor to vendor and enterprise to enterprise is how it is managed. The main issues are deciding what should be encrypted, how to recover access to encrypted data when users lose their passwords or leave the company, and how to make the unlocking credentials available to backup and client management software that run unattended.
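The recovery problem Kocher raises is normally solved with key slots: the disk is encrypted under one random data-encryption key (DEK), and that DEK is stored only in wrapped form, once under a key derived from the user's passphrase and once under a random recovery key that IT escrows centrally. A forgotten passphrase or a departed employee then costs a slot operation, not a re-encryption of the disk. The following Python is an added illustration of that scheme, not code from the article or from any product named in it; it uses HMAC-SHA256 in counter mode as a stand-in for the AES key wrap a real product would use, and the slot names, parameters and helper functions are assumptions made for the example.

```python
"""Key-slot scheme for full-disk encryption recovery (illustrative, not a product's format).

The DEK never touches disk in the clear. Each slot holds the DEK wrapped under a
key-encryption key (KEK) derived either from a passphrase (str) or from a raw
recovery key (bytes). Parameters below are assumptions for the example.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERS = 100_000
SALT_LEN = 16
NONCE_LEN = 16
KEY_LEN = 32
TAG_LEN = 32


def _subkey(kek, label):
    """Derive independent encryption and MAC keys from one KEK."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES key wrap)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap_key(kek, dek):
    """Encrypt-then-MAC the DEK under the KEK; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(_subkey(kek, b"enc"), nonce, len(dek))))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek, blob):
    """Verify the tag before decrypting: a wrong KEK raises, it never yields garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase/recovery key or corrupted slot")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(kek, b"enc"), nonce, len(ct))))


def _kek_for(secret, salt):
    """Passphrases go through PBKDF2; a raw recovery key is just bound to the slot salt."""
    if isinstance(secret, str):
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERS, KEY_LEN)
    return _subkey(secret, salt)


def add_slot(header, name, secret, dek):
    """Store the DEK wrapped under a new per-slot salt; overwrites an existing slot of that name."""
    salt = secrets.token_bytes(SALT_LEN)
    header["slots"][name] = {"salt": salt, "wrapped": wrap_key(_kek_for(secret, salt), dek)}


def open_slot(header, name, secret):
    """Return the DEK if `secret` opens the named slot, else raise ValueError."""
    slot = header["slots"][name]
    return unwrap_key(_kek_for(secret, slot["salt"]), slot["wrapped"])


def slot_opens(header, name, secret):
    """True if the secret unlocks the slot (for checks that must not raise)."""
    try:
        open_slot(header, name, secret)
        return True
    except (ValueError, KeyError):
        return False


def provision(user_passphrase):
    """Create a volume header at enrolment. Returns (header, recovery_key); the recovery
    key is handed to the central escrow (the management console), the DEK stays in RAM."""
    dek = secrets.token_bytes(KEY_LEN)
    recovery_key = secrets.token_bytes(KEY_LEN)
    header = {"slots": {}}
    add_slot(header, "user", user_passphrase, dek)
    add_slot(header, "recovery", recovery_key, dek)
    return header, recovery_key


def reset_passphrase(header, recovery_key, new_passphrase):
    """Help-desk or self-service reset: the escrowed recovery key recovers the DEK,
    which is rewrapped under the new passphrase. The encrypted disk is untouched."""
    dek = open_slot(header, "recovery", recovery_key)
    add_slot(header, "user", new_passphrase, dek)


def revoke_slot(header, name):
    """Offboarding: drop the departed user's slot; the escrowed key still opens the disk."""
    del header["slots"][name]


if __name__ == "__main__":
    hdr, rk = provision("correct horse battery")
    reset_passphrase(hdr, rk, "new passphrase")
    print("old passphrase opens:", slot_opens(hdr, "user", "correct horse battery"))
    print("new passphrase opens:", slot_opens(hdr, "user", "new passphrase"))
```

The point of the layout is that the management server holds only recovery keys, never user passphrases, and that the unattended case (a backup agent needing the DEK) cannot be satisfied without adding a third slot whose secret lives on the machine, which is exactly the trade-off the IT leaders quoted later on this page declined to make.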

Both California's Quinlan and Simon Szykman, CIO of the National Institute of Standards and Technology, use whole-disk encryption, which protects every file on the laptop, applications included. Whole-disk software used to slow performance noticeably, which pushed some enterprises toward file-based encryption instead. File encryption, however, puts more responsibility on users: data is protected only if they save it to the designated folders. And laptops built in the last several years can handle whole-disk encryption without hindering performance. "So why not protect everything?" says Szykman.

Many enterprise-class encryption products ship with a management console that issues and resets passwords (often via Web-based self service to reduce help desk involvement) and pushes updated encryption policies to laptops as they connect to the network. Many CIOs would prefer to have their existing PC client management software handle encryption management, but IT organizations are already used to running separate consoles for antivirus and backup. So if you can't get a tool that integrates with your client management system, and few do, the hassle of one more console is still better than doing nothing.

Ken Juneau, assistant VP and director of enterprise architecture services at American National Insurance, found that having a separate management console was not that burdensome for his PGP encryption software.

California's Quinlan chose greater integration. She uses the Microsoft SMS client management tool to verify that the current version of the encryption client is installed on every laptop, and applies encryption policies through the same Active Directory policy server used for everything else. She also integrated password management with her agency's single-sign-on service, so users have only one password to remember and the help desk has only one to reset. But accomplishing this integration required more up-front development resources, she notes.

None of these IT leaders has given backup or client management systems access to the encryption passwords, which would let those systems act on users' laptops in unattended mode. Instead, users must be connected to the network and logged in (which makes their data accessible) before backup and management tools can operate.
