"The online business magazine at the heart of international business management news..."
24 May 2011

Encryption for Mobile Hosts

Burton Group | www.burtongroup.com


Regulatory changes, including the requirement to disclose breaches that occur (and the consequences of doing so), have raised the visibility of encryption as a protective mechanism for sensitive data on mobile computer systems (notebooks, laptops, PDAs, cell phones and even desktops in some cases). Recent regulatory changes, such as California Senate Bill (SB) 1386, other US state laws and privacy laws in other countries (such as those in Japan and in Europe), have spurred the adoption of encryption across many industries. In short, the laws and regulations exempt the organization from notification requirements if the sensitive customer information is known to be encrypted.

The response to regulatory changes has been an increase in spending on this product category. The market is no longer limited primarily to financial institutions and government. Now, any organization that holds consumer information is at risk for bad publicity if an unauthorized disclosure occurs and is therefore interested in these products.

While negative publicity is a driving factor, any use of encryption must fill a business requirement. Questions such as “What data should be encrypted?” “From whom should the data be protected?” and “Where is the data located?” should be addressed by the organization as part of an overall architecture for encryption and sensitive data protection.

Products are available that support a wide range of authentication mechanisms, and the authentication mechanisms must be appropriate for the data being protected since authentication governs access to the encryption keys. If the authentication mechanism is too weak, the strength of the encryption system is compromised. Another important factor to consider is the recovery of the encrypted data by the user (if a password or token is forgotten or lost) and by the organization (if the user is not available). Products offer options for the recovery of the encrypted data, ranging from recovery encryption keys to one-time passwords and challenge/response mechanisms. No matter which mechanism is used, the organization’s help desk will need to be familiar with it so as to be able to assist users to recover their data.

Platform support must be appropriate to the computer systems in use within the organization. The overall management of users and the mobile computer systems must be taken into consideration when selecting products. Windows platforms are generally supported. However, support for non-Windows platforms is significantly less than universal.

Requirements for encryption

The need for protecting information on mobile computer systems comes from the organization’s risk-management approach. Sensitive information is often placed on computer systems that travel outside the physical perimeter of the organization’s facilities or that are stored where physical perimeter protection is weak. At the same time, the computer systems are relatively small and may be lost or stolen. It is the potential for loss or theft of these devices that is most worrisome and that drives the use of encryption. Other security mechanisms, such as personal firewalls, anti-virus software and host intrusion prevention, are used to manage the risk of system compromise, but these mechanisms can do nothing to protect information if an unauthorized individual obtains the computer system.

The costs associated with compromised information can be high. A 2005 study conducted by the Ponemon Institute and distributed by PGP found that the average spending resulting from a data breach was $5 million and the average total recovery cost came to $140 per lost customer record. Of course, the financial loss to an organization if sensitive business plans are disclosed may be very high and could potentially harm the organization well into the future, depending on who learns of the plans. The dollar costs tell only part of the story, as several US state laws (such as California’s SB 1386) require the breached organization to inform the individuals that their information may have been compromised. In cases of large numbers of individuals, broadcast media must be used for notification. The disclosure laws in other countries can be even stricter. In Japan, for example, any time that a name and an e-mail address are linked together and disclosed, the Japanese government must be notified.

The exception to all of these disclosure laws and regulations applies when the information is known to have been encrypted at the time the loss or theft occurred. In the case of a portable computer system, if the sensitive information is stored in encrypted files or on an encrypted hard drive, it may be assumed to be protected and therefore no disclosure is required. Laws and regulations vary in terms of the protection mechanism that is considered sufficient. In Japan, for example, full-disk encryption is required in order to avoid reporting.

While external disclosure is an important driver, there is also the aspect of protecting sensitive information from unauthorized internal disclosure. Some information is not to be disclosed to employees, including administrators. If this is the case, the requirement for encryption is to protect the information on the mobile computer system if it is lost or stolen, as well as when that system requires maintenance and when the information is being backed up or stored on file servers.

Encryption is only as good as the authentication mechanism used to unlock the encryption keys. Therefore, any use of encryption to protect data on mobile computer systems must be coupled with an appropriate authentication mechanism.
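The dependency described here, and the recovery options mentioned earlier, can be sketched with a header that holds two key slots for one data-encryption key (DEK). This is an added example, not code from Burton Group or any product: the slot layout and every name in it are hypothetical, and the PBKDF2-derived XOR pad with an HMAC tag is a standard-library stand-in for the key-wrap cipher a real product would use.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def _keys(secret: bytes, salt: bytes):
    """Stretch an authentication secret into a wrapping pad and a MAC key."""
    k = hashlib.pbkdf2_hmac("sha512", secret, salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]

def wrap(dek: bytes, secret: bytes) -> dict:
    """Build one key slot: the 32-byte DEK protected by a single secret."""
    salt = os.urandom(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _keys(secret, salt)
    blob = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + blob, hashlib.sha256).digest()
    return {"salt": salt, "blob": blob, "tag": tag}

def unwrap(slot: dict, secret: bytes):
    """Return the DEK if the secret is right, otherwise None."""
    pad, mac_key = _keys(secret, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["blob"], pad))

def provision(user_password: bytes, recovery_key: bytes):
    """Create a random DEK and a header with a user slot and a recovery slot."""
    dek = os.urandom(32)
    header = {"user": wrap(dek, user_password),
              "recovery": wrap(dek, recovery_key)}
    return dek, header

def helpdesk_reset(header: dict, recovery_key: bytes, new_password: bytes):
    """Forgotten password: re-wrap the same DEK, no data re-encryption."""
    dek = unwrap(header["recovery"], recovery_key)
    if dek is None:
        raise PermissionError("recovery key rejected")
    header["user"] = wrap(dek, new_password)
    return header

if __name__ == "__main__":
    # Constructed secrets, for illustration only.
    dek, hdr = provision(b"constructed user passphrase", b"constructed recovery key")
    helpdesk_reset(hdr, b"constructed recovery key", b"new passphrase")
    print(unwrap(hdr["user"], b"new passphrase") == dek)
```

The random 256-bit DEK is never guessed directly; whoever can satisfy either slot obtains it, so the weaker of the two secrets sets the real strength of the system.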

What should be encrypted

When we think of sensitive information residing on a mobile computer system, we often think of spreadsheets, document files, databases or perhaps diagrams. If the files are only copied over to the mobile computer system, this may be the case. However, once the files are opened, the sensitive information may be placed in other locations. Perhaps temporary files are created or the information is saved as part of the memory swap space on the computer. Files may be attached to e-mails and received or sent, thus placing the information in the user’s inbox, sent items, deleted items or other personal folders. Files may also be deleted, which in most cases removes the reference to the file but does not actually overwrite the bytes on the disk. Tools that can read all portions of the computer system’s hard drive, and so recover the sensitive information even if the original file is encrypted, are freely available and widely used for service and maintenance as well as forensics work.
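The following added example (not from the original article) shows the kind of check an organization can run to confirm whether file/folder encryption has left plaintext copies behind. The disk image, directory table, file names and the `ACCT-` record format are all constructed for the illustration.

```python
import hashlib
import re

SECTOR = 512
RECORD = re.compile(rb"ACCT-\d{8}")  # constructed record format for this sample

def build_sample_image():
    """Constructed 8-sector disk image plus the directory of live files."""
    image = bytearray(8 * SECTOR)
    directory = {}

    def write(name, sector, data):
        image[sector * SECTOR:sector * SECTOR + len(data)] = data
        directory[name] = (sector, len(data))

    plain = b"name=Jane Example;id=ACCT-00412345\n"
    # A hash stands in for the ciphertext an encryption product would store.
    write("Protected/customers.csv", 0, hashlib.sha256(plain).digest())
    write("Temp/~customers.tmp", 2, plain)               # application working copy
    write("Mail/sent.mbox", 4, b"attachment: " + plain)  # e-mailed copy
    write("Desktop/export.csv", 6, plain)
    del directory["Desktop/export.csv"]  # delete: entry removed, bytes remain
    return bytes(image), directory

def owner_of(sector, directory):
    """Name of the live file that occupies a sector, or None if unallocated."""
    for name, (start, length) in directory.items():
        if start <= sector <= start + (length - 1) // SECTOR:
            return name
    return None

def find_residue(image, directory):
    """List (sector, location, value) for every plaintext record on the image."""
    hits = []
    for match in RECORD.finditer(image):
        sector = match.start() // SECTOR
        where = owner_of(sector, directory) or "unallocated"
        hits.append((sector, where, match.group().decode()))
    return hits

if __name__ == "__main__":
    for hit in find_residue(*build_sample_image()):
        print(hit)
```

The protected file yields no hit, while the temporary file, the mail store and the unallocated sectors of the deleted export each expose the same record.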

The protection mechanisms to be employed must be appropriate to the consequences and threats to the organization. If the organization is concerned only about the inexperienced user finding a lost computer and looking at the files, just about any commercial-grade, host-encryption product will keep the information safe. However, if the threat is sophisticated or someone is motivated enough to use forensic or systems administration tools, unencrypted sensitive information located anywhere on the hard drive is at risk.

Information on mobile computer systems may also be transferred to other individuals by the user. This can be done via removable media or through e-mail or other file-transfer mechanisms. Once the information has left the mobile computer, any type of encryption used on the mobile computer system can no longer affect how the information is accessed. It may be appropriate for the organization to try to restrict the use of removable media or to force the use of encryption when files are moved to removable media. In the latter case, some type of digital rights-management system may be required.

Full-disk or file/folder encryption

Products that perform full-disk or file/folder encryption on mobile computer systems have been available for a number of years and have been used to help manage the risk of unauthorized disclosure of sensitive information. Early deployments were mostly found in government and financial organizations, but small deployments could also be found in other organizations in which sensitive information was stored on mobile computers. Recent product changes have blurred the distinction between full-disk and file/folder encryption and reduced the risk of user errors.

Full-disk encryption products do just what the name implies – they encrypt the entire hard drive. A pre-boot kernel is loaded on the computer, which prompts the user to authenticate. After successful authentication, the pre-boot kernel decrypts information as it is read off the disk and allows the operating system to start. The user does not need to make any decisions about what information to encrypt since the entire disk is encrypted.

File/folder encryption products run within the context of the operating system. Only selected files or folders are encrypted and the choice of what to encrypt is often left to the user. Newer products in this category allow the organization to set policies with regard to what is encrypted (based on file type, application or user context) so that the decision to encrypt is not left in the user’s hands.

Encryption is only one alternative to protect information. It may be more appropriate for the organization to employ systems that do not store sensitive information where it can be lost or stolen. Business requirements for information access (such as a requirement for information to be available when there is no mechanism for communication) are a key consideration here.

An increase in spending on this product category is primarily being driven by regulatory changes. The market is no longer limited to financial institutions and government. Now, any organization that holds consumer information is interested in protecting the information and is therefore interested in these products. While the long-term future for these products may be murky because of new features planned for Microsoft Vista, the inclusion of encryption technology on hard drives and the potential of digital-rights management, the near-term future is bright for the increased deployment of encryption technology.

