Encrypting the Endpoints
Implementers offer these six tips for protecting sensitive data with full-disk encryption.
South Carolina Chief Security Officer Jim MacDougall pairs full-disk encryption with tokens for added security on portable computing devices.
Milton Morris
Most IT leaders would rather err on the side of caution than run the risk of data leaking through lost or stolen devices. So instead of encrypting only some files on some computers, many are relying on full-disk encryption.
Full-disk encryption uses hardware or software to encrypt the entire contents of endpoint hard drives, including temporary files, swap space and other places where data linger. Compared with file-level encryption, this option is automatic and removes the element of human error in deciding which files to encrypt.
After advocating for encryption for the past two years, South Carolina Chief Security Officer Jim MacDougall took advantage of Homeland Security grants and attractive state contract pricing to recently begin rolling out PGP Whole Disk Encryption to more than 7,000 computers throughout the state. “Encryption is one of my objectives,” says MacDougall, who is part of the Division of State Information Technology. “The project is not only for our agency, but I’m trying to get all healthcare and major law enforcement agencies on board.”
To smooth your rollout, security experts recommend focusing on education, collaboration, key management and centralization.
Overcome Initial Objections
The proposed State Cyber Security Protection Act of 2008 aimed to establish a pilot program for cybersecurity best practices, innovation and knowledge transfer within state governments. However, the bill never became law.
When the Texas Department of Information Resources launched its notebook encryption program, it had to beat back the perception that encryption is expensive, says Walter Wilson, assistant director of network security services with DIR. His agency negotiated a volume purchase of PGP Whole Disk Encryption software for $11.41 per seat. “The cost was so nominal that purchases among the agencies we’re supporting have gone up from 500 licenses in fiscal year 2007 to about 50,000 licenses by end of fiscal year 2008,” he says.
Driving encryption through policy also helps overcome objections, Wilson notes. Employees who don’t use sanctioned encryption aren’t allowed to put any sensitive data whatsoever on their mobile computers. With such a requirement, business units are quick to see that without encryption, mobile workers who manage confidential information are essentially disabled.
A simple phase-in also helps mute objections, says Wilson. In 18 months, hardware-embedded disk encryption in DIR notebooks will be ubiquitous, he adds.
Ease Into Implementation.
Like Wilson, MacDougall recommends a phased deployment. “Use a methodical, targeted approach, not a hammer,” he says. His agency first targets portables, then targets anyone who uses personally identifiable information on a regular basis.
Along with endpoint encryption, South Carolina is deploying PGP Universal Server and PGP Universal Gateway Email. IT evaluated a few encryption products and chose PGP’s because of its smooth integration with e-mail, which is especially helpful for law enforcement and healthcare in dealing with outside agencies.
Decide Who Gets the Keys
Where and how to manage encryption keys is a critical choice organizations should make based on size and objective, says Robert Pittman, chief information security officer for Los Angeles County. The California county has more than 102,000 employees, 11,000 of whom carry mobile computers that contain health services, law enforcement and social services data and other departmental information requiring encryption.
“We had to do some brainstorming: How do you want to manage these keys across the county? We decided each department would manage their own keys,” says Pittman.
Now, information officers for 38 major county departments handle key management and maintain their own key recovery disks using Check Point’s Pointsec Mobile.
Prepare for Lockouts
Unwanted Exposure
Percentage of data breaches by different government groups during the past 8 years:
- Federal government: 6.81%
- State government: 11.04%
- Local government: 7.2%
Source: Privacy Rights Clearinghouse
Having a way to help users who are locked out of their systems is crucial to a successful deployment, says Grayling Jones, network engineer for the Georgia Department of Community Health in Atlanta. The only way to accomplish this, say Jones and others, is to use enterprise-level products with centralized management consoles.
“Make sure you look at more than one encryption vendor and test the products to see how sensitive they are to lockout,” Jones recommends. For instance, desktop and notebook computers protected with McAfee Endpoint Encryption can be locked out by incorrect implementations or system changes. When users are locked out because of encryption problems, they can call the help desk for assistance.
Pick Proper Passwords
“One of our practices is to use two passwords in our encryption application,” says Wendy Nather, information security officer at the Texas Education Agency in Austin. “We require a minimum 22-character password at boot, and a more traditional-length password at the application login screen.”
PGP Whole Disk Encryption provides boot-level authentication and supports passwords of up to 2,048 characters, or 128 characters if integrating with Active Directory, she says. Passwords that long are virtually uncrackable by today’s character-by-character and common-word password-guessing programs.
Aren’t such lengthy passwords too difficult to remember? Not really, says Nather. She suggests users select a line from a familiar jingle, song, poem or phrase for the longer passwords.
Strengthen All Security
Endpoint encryption protects against data loss when devices are lost or stolen, but cannot protect data should a system be compromised while the computer is turned on and the user logged in, says Chris Ruskin, information security analyst at the California Franchise Tax Board in Sacramento.
His organization secures its 1,200 notebooks with GuardianEdge Encryption Plus, which is part of the GuardianEdge framework for centrally managed endpoint data-loss prevention.
“Users and IT departments cannot fall into a false sense of security just because they have boot-level encryption on their laptops,” Ruskin says. “Encryption is only good when the computer’s turned off and cooled down. Physical security of the device is still extremely important. So is central security management of configuration, firewalls, antimalware and other endpoint security using network access control or other means.”
Spec It Out
Earlier this year, the Trusted Computing Group released three storage specifications to add security to PC and data center storage devices.
The Opal Security Subsystem Class Specification is aimed at PC clients, while the Enterprise Security Subsystem Class Specification targets data center storage. The Storage Interface Interactions Specification focuses on interactions between storage devices and underlying SCSI/ATA protocols.
Storage device specifications give manufacturers a standard way to develop self-encrypting storage devices. Some manufacturers have already shipped such products based on the Opal specification.