Even before her state of California put a stake in the ground regarding public disclosure of data breaches, Christy Quinlan could see the wisdom in encrypting client data on mobile devices. Shortly after Quinlan became CIO of California's Department of Health Care Services in 2005, one of the agency's partners lost a computer. The contractor had to notify everyone who might have been affected, at a cost of several hundred thousand dollars. And while Quinlan's staff had not lost the laptop, they still spent much of the week before a holiday coordinating with the contractor to determine the possible scope of the security breach and then ensuring swift and proper notification. "Once information is on the loose, you can never get it back," Quinlan says.

California eventually created a state law that required the public disclosure of data breaches (quickly followed by most other states). But ironically, at the time of Quinlan's contractor incident, the state was still trying to figure out the right internal policies to protect data across its many agencies.

After her experience, Quinlan decided she could not wait for that final internal policy, so she directed her staff to encrypt all data on the field force's 2,000 laptops within 30 days, which they did using GuardianEdge's software. California's law exempts encrypted data from requiring public disclosure, since the data would be inaccessible to thieves.

Quinlan gambled that the statewide policy direction under discussion would ultimately be approved, and that even if she had to throw out her agency's specific system, the cost was justified because she was reducing so much risk by adding encryption.

As it turns out, the encryption effort proved less difficult than she'd feared, thanks to systems and infrastructure already in place. The agency had recently updated its laptops to support Windows XP, providing sufficient computing and storage capabilities as well as an operating system to support enterprise-class encryption software. And the agency had a client management system in place to update users' laptops with new software and enforce encryption and other security policies automatically.

CIOs should take Quinlan's experience to heart, says Paul Kocher, president and chief scientist of consulting firm Cryptography Research. "Anyone not doing it has no excuses anymore," Kocher says: Encryption technology is now widely available and proven.

Management Hurdles

CIOs implementing encryption on laptops (and desktops, for that matter) should focus mainly on key management and user management strategies, advises Kocher. The encryption technology itself is mature; what varies from vendor to vendor and enterprise to enterprise is management technique. Main issues include deciding what should be encrypted, how to recover the passwords that unlock encrypted data when users lose them or leave the company, and how to make passwords available to backup and client management software that run unattended.

Both California's Quinlan and Simon Szykman, CIO of the National Institute of Standards and Technology, use whole-disk encryption, which protects all files on the laptop, even applications. This type of software used to slow down performance noticeably, causing some enterprises to move to file-based encryption instead. File encryption puts more responsibility on users to save their files to the right folders to ensure encryption. And laptops built in the last several years can handle whole-disk encryption without hindering performance. "So why not protect everything?" says Szykman.

Many enterprise-class encryption tools come with management tools that issue and reset passwords (often via Web-based self-service to reduce help desk involvement). These tools also push updated encryption policies to laptops as they connect to the network. Many CIOs would prefer having their existing PC client management software handle encryption management, but IT organizations are already used to having multiple consoles for antivirus and backup. So if you can't get a tool that integrates into your client management system, and few do, then the hassle of adding one more console is still better than doing nothing.

Ken Juneau, assistant VP and director of enterprise architecture services at American National Insurance, found that having a separate management console was not that burdensome for his PGP encryption software.

California's Quinlan chose greater integration. For example, she uses the Microsoft SMS client management tool to ensure that the current version of the encryption client is installed on every laptop, and applies encryption policies through the same Active Directory policy server that's used for everything else. She also integrated password management with her agency's single-sign-on service, so users have only one password to remember, and the help desk has only one to reset. But accomplishing this integration required more up-front development resources, she notes.

None of these IT leaders has given his or her backup or client management systems access to the encryption passwords, which would let them act on the users' laptops in unattended mode. Instead, users need to be attached to the network and logged in (which makes their data accessible) before backup and management tools operate.

Above all, make sure that adding encryption does not add passwords for users to remember, says John Pironti, chief information risk strategist for IT services consultancy Getronic. You don't want users writing them down and taping them to their laptops. As he notes, "If someone gets the password, the encryption is meaningless." That's another reason why California's Quinlan ensured that the encryption software worked with the agency's existing single-sign-on technology. NIST's Szykman uses the same approach.

The PDA Time Bomb

What's even more likely to get lost than a laptop? The increasing storage power of handheld PCs makes them a ticking time bomb, warns Getronic's Pironti. They tend to be used by executives who work with the enterprise's most critical and valuable data, and "these guys lose these things all the time," he says. The problem for CIOs: Encryption software available for handhelds is not as effective as it needs to be, says Cryptography Research's Kocher, due to their relatively limited computing capabilities.

The only consolation, Kocher says, is that handhelds don't store much data. That will be a bigger problem in the future. Meanwhile, IT should enforce password access to the devices.

Although vendors promote remote-kill capabilities to wipe a stolen or lost handheld's data, this leaves a huge gap: Pironti notes that the devices are vulnerable before they are reported lost or stolen.

Citing the unsatisfactory security situation, NIST is considering standardizing on Research in Motion's BlackBerry devices, which have built-in data encryption capabilities, says Szykman. He'd prefer to be able to allow the device diversity that his users would like to have, and will continue to explore encryption solutions available for other vendors' offerings, he says, but one option that may emerge is not supporting other PDA platforms.

Facilities service provider Aramark has standardized on the BlackBerry due to security concerns, says David Kaufman, CIO of Aramark's global food and facility services businesses. A big BlackBerry advantage: "It has a consistent security model across all devices and networks," he says, so the tools are quite reliable. That wasn't the case for other handhelds he tested.

Insurance Will Cost

Ultimately, when you encrypt data, you're buying an insurance policy, which has several costs. The obvious cost is the up-front deployment spending, including software licenses, installation, integration and often upgraded hardware. For example, NIST's Szykman had to replace a few laptops because their hard drives were too small and their CPUs too slow to handle the added demands of encryption. Then there are the several hours needed to encrypt each drive the first time, which can disrupt user productivity.

Increased requests to your help desk will be an ongoing cost, says Getronic's Pironti. Users will request more password resets, and IT will need to work harder to access encrypted data if the data or password gets corrupted. Aramark's Kaufman agrees: "There's more of a burden for my staff."

CIOs can work to manage the costs of encryption deployments. At Aramark, Kaufman encrypted all laptops belonging to what he considered the highest-risk departments (HR, payroll and health-care services), but he's encrypting other users' laptops only when they are replaced or require other IT services. "We want to have maximum security and minimum disruption," he says, so a risk-based trade-off is typically required.

For these CIOs, encrypting sensitive data that can go missing in the field just constitutes good policy. Encryption becomes another cost of doing business, says Kaufman: "Given the value of our data and the effect [of a breach] on our reputation, how could we not do it?"