When considering encryption for data in transit, consider these 5 questions.
Every time you turn around, it seems as if there's a report of data being stolen, either from a notebook computer or from mishandled archive tapes.
In June 2007, personally identifiable information for more than 64,000 Ohio state workers (and 129,000 taxpayers) was stolen from an intern's car. As a result, the state bought 60,000 copies of encryption software to protect its data.
With the proliferation (and affordability) of notebook computers, it's only a matter of time before one belonging to your organization ends up in the wrong hands. Start planning now so that when you receive that phone call, you can rest assured your data is safe. No IT leader wants to tell the news media that critical student files were exposed on a stolen computer. The blow will be lessened if you can report that you took steps to encrypt your data.
Here are five things to work through when you plan a notebook data encryption project:
1. Should we even bother with encryption?
Setting up an enterprisewide encryption strategy is no small task. Determining products to use requires careful consideration. You might decide that encrypted USB thumb drives such as those from IronPort are an easier way to go.
2. Which computers need to be encrypted?
It should be obvious which computers need protection, and which don't contain sensitive data and can be ruled out. Anyone who carries sensitive data on a notebook computer, whether routinely or infrequently, should be included.
3. Should we encrypt the entire drive or only certain folders?
In some cases, you will want to encrypt entire notebook hard drives because of the applications and data they hold -- your treasurer's, for instance. But what about the staff member who takes home a copy of a spreadsheet to work on? These two users are different, but their security needs are much the same. The user with a spreadsheet may not know that the data should be saved in a particular folder, so it might be easier to encrypt the entire hard drive.
4. How do you recover the data?
Suppose a worker forgets the password to decrypt his or her hard drive, or the USB key used for decryption is lost or stolen. How will you retrieve the data? The encryption tool you choose will dictate how (or if) you can get your data. Many products provide some method of recovering data. The open-source TrueCrypt requires users to make a recovery CD before it encrypts data, for instance.
Microsoft BitLocker stores recovery passwords in Active Directory and secures them so they're accessible only by administrators. Determine how data will be recovered before implementing a solution. Otherwise, your data could be gone for good.
5. How do we get staffers to encrypt data?
This depends on your strategy. If you decide on full-disk encryption, it's easy: They have to do it (unless they save their files to an unencrypted thumb drive). McAfee Endpoint Encryption encrypts and decrypts files on the fly and is nearly transparent to the end user; all files written to the hard drive are automatically encrypted. Except for authenticating the program at power-on, the user is unaware of the security. On the other hand, if you encrypt only certain folders or use encrypted USB thumb drives, then staff will need to be trained to save sensitive data to specific locations.
Regardless of the approach you choose, it never hurts to have a policy governing the use of sensitive data and how it will be stored on a notebook. If you aren't convinced that this is something you need to think about, take 30 seconds and do a Google search on "data encryption policy." At the time of this writing, five of the first 10 results were either government agencies or educational institutions.