by Galen Gruman

How to Lock Up Laptop Security

Oct 22, 2007 | 8 mins
Mobile | Small and Medium Business

Haven't encrypted your laptop fleet yet? There's no excuse for that choice anymore. Check out today's smart strategies for improving laptop security—before the next machine disappears.

Even before her state of California put a stake in the ground regarding public disclosure of data breaches, Christy Quinlan could see the wisdom in encrypting client data on mobile devices. Shortly after Quinlan became CIO of California’s Department of Health Care Services in 2005, one of the agency’s partners lost a computer. The contractor had to notify everyone who might have been affected, at a cost of several hundred thousand dollars. And although Quinlan’s staff had not lost the laptop themselves, they still spent much of the week before a holiday coordinating with the contractor to determine the possible scope of the breach and then ensuring swift and proper notification. “Once information is on the loose, you can never get it back,” Quinlan says.


California eventually created a state law that required the public disclosure of data breaches (quickly followed by most other states). But ironically, at the time of Quinlan’s contractor incident, the state was still trying to figure out the right internal policies to protect data across its many agencies.

After her experience, Quinlan decided she could not wait for that final internal policy, so she directed her staff to encrypt all data on the field force’s 2,000 laptops within 30 days, which they did using GuardianEdge’s software. California’s law exempts encrypted data from requiring public disclosure, since the data would be inaccessible to thieves. Quinlan gambled that the statewide policy direction under discussion would ultimately be approved, and that even if she had to throw out her agency’s specific system, the cost was justified because she was reducing so much risk by adding encryption.

As it turns out, the encryption effort proved less difficult than she’d feared, thanks to systems and infrastructure already in place. The agency had recently updated its laptops to support Windows XP, providing sufficient computing and storage capabilities as well as an operating system to support enterprise-class encryption software. And the agency had a client management system in place to update users’ laptops with new software and enforce encryption and other security policies automatically.

CIOs should take Quinlan’s experience to heart, says Paul Kocher, president and chief scientist of consulting firm Cryptography Research. “Anyone not doing it has no excuses anymore,” Kocher says. Encryption technology is now widely available and proven.

Management Hurdles

CIOs implementing encryption on laptops (and desktops, for that matter) should focus mainly on key management and user management strategies, advises Kocher. The encryption technology itself is mature; what varies from vendor to vendor and enterprise to enterprise is how it is managed. The main issues are deciding what should be encrypted, how to recover the passwords that unlock encrypted data when users lose them or leave the company, and how to make those credentials available to backup and client management software that runs unattended.

Both California’s Quinlan and Simon Szykman, CIO of the National Institute of Standards and Technology, use whole-disk encryption, which protects every file on the laptop, applications and operating system included. This type of software used to slow performance noticeably, which drove some enterprises to file-based encryption instead. File encryption puts more responsibility on users, who must save their files to the right folders for them to be encrypted; anything saved elsewhere, or written by an application to a temporary location, stays in the clear. Laptops built in the last several years can handle whole-disk encryption without a noticeable performance penalty. “So why not protect everything?” says Szykman. One caveat applies to either approach: encryption protects data at rest. Once the user has authenticated and the machine is running, the operating system decrypts files transparently, so a laptop taken while powered on and unlocked gets no protection from it.

Many enterprise-class encryption tools come with management tools that issue and reset passwords (often via Web-based self service to reduce help desk involvement). These tools also update encryption policies to laptops as they connect to the network. Many CIOs would prefer having their existing PC client management software handle encryption management, but IT organizations are already used to having multiple consoles for antivirus and backup. So if you can’t get a tool that integrates into your client management system—and few do—then the hassle of adding one more console is still better than doing nothing.

Ken Juneau, assistant VP and director of enterprise architecture services at American National Insurance, found that having a separate management console was not that burdensome for his PGP encryption software.

California’s Quinlan chose greater integration. For example, she uses the Microsoft SMS client management tool to ensure that the current version of the encryption client is installed on every laptop, and applies encryption policies through the same Active Directory policy server that’s used for everything else. She also integrated password management with her agency’s single-sign-on service, so users have only one password to remember—and the help desk has only one to reset. But accomplishing this integration required more up-front development resources, she notes.

None of these IT leaders has given his or her backup or client management systems access to the encryption passwords, which would let those tools act on users’ laptops in unattended mode; a credential stored on the machine for that purpose would be just as available to a thief. Instead, users need to be attached to the network and logged in (which makes their data accessible) before backup and management tools operate.

Above all, make sure that adding encryption does not add passwords for users to remember, says John Pironti, chief information risk strategist for IT services consultancy Getronics. You don’t want users writing them down and taping them to their laptops. As he notes, “If someone gets the password, the encryption is meaningless.” That’s another reason why California’s Quinlan ensured that the encryption software worked with the agency’s existing single-sign-on technology. NIST’s Szykman uses the same approach.

The PDA Time Bomb

What’s even more likely to get lost than a laptop? The increasing storage capacity of handheld PCs makes them a ticking time bomb, warns Getronics’ Pironti. They tend to be used by executives who work with the enterprise’s most critical and valuable data, and “these guys lose these things all the time,” he says. The problem for CIOs: Encryption software available for handhelds is not as effective as it needs to be, says Cryptography Research’s Kocher, because of the devices’ relatively limited computing capabilities.

The only consolation, Kocher says, is that handhelds don’t yet store much data; as their storage grows, that will become a bigger problem. Meanwhile, IT should at least enforce password access to the devices.

Although vendors promote remote-kill capabilities that wipe a stolen or lost handheld’s data, this leaves a large gap: Pironti notes that the devices are exposed from the moment they go missing until the loss is noticed and reported. A wipe command also takes effect only if the device is still powered on and reachable over the network when it is sent.

Citing the unsatisfactory security situation, NIST is considering standardization on Research in Motion’s BlackBerry devices, which have built-in data encryption capabilities, says Szykman. He’d prefer to be able to allow the device diversity that his users would like to have, and will continue to explore encryption solutions available for other vendors’ offerings, he says, but one option that may emerge is not supporting other PDA platforms.

Facilities service provider Aramark has standardized on the BlackBerry due to security concerns, says CIO of Aramark’s global food and facility services businesses David Kaufman. A big BlackBerry advantage: “It has a consistent security model across all devices and networks,” he says, so the tools are quite reliable. That wasn’t the case for other handhelds he tested.

Insurance Will Cost

Ultimately when you encrypt data, you’re buying an insurance policy, which has several costs. The obvious cost is the up-front deployment spending, including software licenses, installation, integration and often upgraded hardware. For example, NIST’s Szykman had to replace a few laptops because their hard drives were too small and their CPUs too slow to handle the added demands of encryption. Then there’s the several hours necessary to encrypt each drive the first time, which can disrupt user productivity.

Increased demand on your help desk will be an ongoing cost, says Getronics’ Pironti. Users will request more password resets, and IT will need to work harder to reach encrypted data if the data or a password gets corrupted. Aramark’s Kaufman agrees: “There’s more of a burden for my staff.”

CIOs can work to manage the costs of encryption deployments. At Aramark, Kaufman encrypted all laptops belonging to what he considered the highest-risk departments—HR, payroll and health-care services—but he’s encrypting other users’ laptops only when they are replaced or require other IT services.

“We want to have maximum security and minimum disruption,” he says, so a risk-based trade-off is typically required. For these CIOs, encrypting sensitive data that can go missing in the field just constitutes good policy. Encryption becomes another cost of doing business, says Kaufman: “Given the value of our data and the effect [of a breach] on our reputation, how could we not do it?”