05 Jul 2010

Laptop Encryption: Compliance without sacrificing performance, now that’s magic!

WinMagic Inc. | www.winmagic.com


Pressures to comply with state and federal legislation, and with national and international encryption standards, have allowed WinMagic® to help organizations comply with security and privacy regulations without sacrificing performance on encrypted hard drives. The transparency delivered to end users, the compliance required in securing data from unauthorized access, and the maintenance of performance through a robust solution can be made to look easy. However, the complicated measures needed to ensure that the “magic happens” make up a difficult process, one that WinMagic’s SecureDoc™ has been able to embrace as a competitive advantage.

Recent government regulations dealing with data security and privacy have emerged worldwide and now have serious impacts on normal business activity. The most recent (2006) Computer Security Institute/FBI Computer Crime and Security Survey indicates that 50 per cent of organizations had raised their level of interest in information security as a result of complying with Sarbanes-Oxley. The same survey reveals that the most critical computer security issue facing organizations for the next two years is data protection. Indeed, recent regulations affecting the security and privacy of personal information have changed the focus from technology to corporate governance. As such, organizations are increasingly integrating physical and information security as they become more aware of the impact of privacy breaches.

While security in itself provides no immediate ROI, the cost of non-compliance can be far more damaging: revenue loss, loss of shareholder trust, damage to the brand, remediation, fines, and potential criminal or civil action if organizations do not protect sensitive data from unauthorized access. This growing concern has made its way to boardrooms. This dynamic in the marketplace has tipped the decision-making scales in favour of action, since sensitive data is often more valuable to a corporation than the asset on which it is stored, and the loss, theft, or unwanted disclosure of that data can be very damaging to organizations.

Demands from consumer advocacy groups, and the privacy and security regulations that resulted, have acted as a catalyst, making it increasingly important for the convergence of business and IT processes to be part of the overall IT security strategy. Organizations now understand not only that processes must be put in place to limit physical access to hardware devices (to protect them from loss or theft), but also that the data stored on those devices must be encrypted to prevent unauthorized access to private customer information. Further, protecting data via encryption needs to be accomplished without sacrificing the performance of the hard drive from a robustness, functionality, and interoperability perspective.

But how can organizations ensure that employees adhere to endpoint security practices? The best approach is to make the entire process completely transparent to the user. This does not mean that policies surrounding the care of laptops and mobile devices should be ignored, but rather that organizations should understand that simply implementing a sound policy does not mean it will be adhered to at all times.

The onus to safeguard information must be shared between organizations and their employees. Yes, organizations must implement sound security protocols, and yes most users will adhere to them most of the time, but most of the time simply does not cut it when data security is concerned. Organizations must take permanent steps to secure data, and that means ensuring that all information is encrypted at all times.

As an analogy, simply taking driving lessons, being conscious of your surroundings while driving, and being a good driver is not good enough. Insurance is necessary to account for the unanticipated incidents which are beyond your control. Full-disk encryption provides that data security insurance by ensuring that all information is protected at all times, even when corporate security policies fail or are not adhered to.

Organizations worldwide are currently scrambling to understand the full ramifications and implications of the information security laws and regulations that govern their industries. Simultaneously, these organizations are also coming to terms with the consequences of non-compliance. Compliance with legislation now means disclosing incidents in which personal information is put at risk, and assuming the worst-case scenario in those cases.

It is irrelevant whether the incidents relate to the loss or theft of notebooks, the sale of old IT inventory into the marketplace, or breaches due to human error that put customer information at risk. The result is the same: organizations need to disclose the leakage of sensitive data to the general marketplace, and the worst-case scenario must be assumed with regard to identity theft and the financial hardship directly affecting those individuals whose personal information has been put at risk.

As in the case of California Senate Bill 1386, mandatory disclosure must occur in the "most expedient time possible" and "without unreasonable delay". Further, organizations must take other measures, such as a "conspicuous notice on the public web site" and notification to the major media.

And yet, despite all the legislation, recent surveys report that as few as 37 per cent of organizations have an overall security strategy in place, and that 66 per cent of organizations have yet to hire a CSO or CISO. It appears that although security issues have reached the boardroom, and the need for action is understood, security still does not command the same attention as traditional business areas such as sales, marketing, operations, and finance. In essence, evidence suggests that the majority of organizations tend to make a token security effort based on meeting minimum requirements.

This fact is underscored by surveys indicating that 18 per cent of U.S.-based organizations reported non-compliance with California security breach notification law CA 1386, 35 per cent admitted to not yet being in compliance with Sarbanes-Oxley, 40 per cent of U.S. healthcare respondents did not yet meet the requirements of HIPAA, and a massive 41 per cent of organizations reported non-compliance with general state/local privacy regulations.

So, with such a clear business case for data security in general and full-disk encryption in particular, and such severe penalties resulting from not encrypting data, why is there still resistance in the market place?

The truth is that organizations simply have not taken the time to educate themselves and their employees on matters relating to security and related legislation, while the processes and applications needed to resolve this issue are simply not seen as providing the same immediate ROI as enterprise applications such as CRM. Also, despite its critical role in protecting all data at all times, encryption is often considered the last layer of security.

Most importantly, from an efficiency and productivity standpoint, installing disk encryption traditionally meant sacrificing user efficiency and significant system performance. But over the last couple of years, encryption solutions have addressed this very real issue. Many of today’s encryption solutions provide robust, reliable full-disk encryption that makes it simple to resolve endpoint security issues without sacrificing user access or system performance.

The WinMagic SecureDoc solution prevents any unauthorized user who attempts to start the Windows operating system, or who attaches the encrypted hard drive to another machine as a slave drive, from viewing the files stored on the protected drive offline. Access to the hard drive can only be obtained at pre-boot through end-user authentication employing a password, a hardware token holding an electronic key, PKI (Public Key Infrastructure), smart card technology, biometrics, or any combination thereof. Once the hard drive is encrypted, data is encrypted and decrypted on the fly as information is written to and read from the hard drive, and the difference in speed between encrypted and non-encrypted hard drives is negligible. The standard by which WinMagic develops its technology is simple: the hard drive should behave exactly the same post-encryption as pre-encryption.
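The mechanism described above, as an added model that is not WinMagic's or SecureDoc's code: a password is stretched into a key-encryption key at pre-boot, which unwraps the disk key; every sector is then encrypted on write and decrypted on read behind a transparent block-device view, so the raw medium (what a slave-drive reader sees) never holds plaintext. The class and function names are assumptions, and the HMAC-SHA256 counter-mode keystream stands in for the tweakable block mode (such as AES-XTS) a real product would use.

```python
"""Model of transparent full-disk encryption with pre-boot authentication (illustrative)."""
import hashlib
import hmac
import os

SECTOR_SIZE = 512
WRAP_SECTOR = 2**64 - 1  # reserved sector index used only for wrapping the disk key


def derive_kek(password: str, salt: bytes) -> bytes:
    """Pre-boot authentication step: stretch the password into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, 32)


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode, bound to the sector number.

    Stand-in for a tweakable block mode such as AES-XTS (assumption): a plain
    keystream reused when a sector is rewritten leaks the XOR of old and new
    contents, which is why real products do not use this construction.
    """
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDisk:
    """The raw medium, i.e. what someone reading the drive offline as a slave sees."""

    def __init__(self, sectors: int, password: str):
        self.salt = os.urandom(16)
        dek = os.urandom(32)  # data-encryption key; never stored in the clear
        kek = derive_kek(password, self.salt)
        self.wrapped_dek = xor(dek, keystream(kek, WRAP_SECTOR, 32))
        # Header check value: lets unlock() reject a wrong password without a key
        self.check = hmac.new(kek, self.wrapped_dek, hashlib.sha256).digest()
        # Every sector goes through the cipher, so even "empty" space is ciphertext
        self.raw = bytearray(b"".join(keystream(dek, i, SECTOR_SIZE) for i in range(sectors)))

    def unlock(self, password: str):
        """Pre-boot authentication: correct password -> transparent view, else None."""
        kek = derive_kek(password, self.salt)
        expected = hmac.new(kek, self.wrapped_dek, hashlib.sha256).digest()
        if not hmac.compare_digest(self.check, expected):
            return None
        return UnlockedView(self, xor(self.wrapped_dek, keystream(kek, WRAP_SECTOR, 32)))


class UnlockedView:
    """The OS-visible block device: encrypts on write, decrypts on read, transparently."""

    def __init__(self, disk: EncryptedDisk, dek: bytes):
        self.disk, self.dek = disk, dek

    def write(self, sector_no: int, data: bytes) -> None:
        data = data.ljust(SECTOR_SIZE, b"\0")[:SECTOR_SIZE]
        off = sector_no * SECTOR_SIZE
        self.disk.raw[off:off + SECTOR_SIZE] = xor(data, keystream(self.dek, sector_no, SECTOR_SIZE))

    def read(self, sector_no: int) -> bytes:
        off = sector_no * SECTOR_SIZE
        return xor(bytes(self.disk.raw[off:off + SECTOR_SIZE]), keystream(self.dek, sector_no, SECTOR_SIZE))


def demo():
    """Write a constructed record, read it back, and check the raw medium for leakage."""
    disk = EncryptedDisk(sectors=8, password="correct horse")
    view = disk.unlock("correct horse")
    record = b"Customer SSN 000-00-0000 (constructed sample)"
    view.write(3, record)
    readback = view.read(3).rstrip(b"\0")            # transparent read through the layer
    offline_leak = b"000-00-0000" in bytes(disk.raw)  # offline viewing of the slave drive
    wrong_rejected = disk.unlock("wrong password") is None
    return readback, offline_leak, wrong_rejected


if __name__ == "__main__":
    print(demo())
```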

At WinMagic, we clearly profess that the robustness of an encryption solution is defined not only by its stability in encrypting and decrypting data on the hard drive, but also by ensuring that the performance of the hard drive and associated applications is not affected. Full-disk encryption software must allow end users to gain maximum performance out of the hardware while not limiting the use of imaging software and disk utilities.

In seeking endpoint security solutions, executives need to be conscious that endpoint security solutions will inevitably reach commoditization at some point in the future. Looking to the future, the convergence of various security solutions will lead to open standards that must be adhered to and can be somewhat anticipated. Security will be built into every application; firewalls, for example, already exist both as software and in hardware devices like routers and network cards. Open standards for security platforms and protocols are an eventuality, and therefore best-of-breed solutions that have been developed and tested against the strictest security-conscious marketplaces are favourable. SecureDoc has earned its stripes in the toughest security marketplace of all: the U.S. government.

When investing in full-disk encryption technology, the standard should be that the post-encryption performance of the hard drive is the same as its pre-encryption performance, with only a negligible difference in performance and operability. A prerequisite of doing business should be that the speed and robustness of an encrypted hard drive cope with issues such as: preserving the use of imaging applications like Ghost and the function of hard drive utilities; operating systems performing operations like pre-fetch or defragmentation while encryption is in progress; normal end-user interactions, including intentional or unintentional power disruptions; and the need to resize partitions after encrypting the hard drive.

Looking back at the last five years, most if not all of the innovation seen in today’s disk encryption arena has consistently been delivered by WinMagic. These comprehensive solutions are robust yet flexible enough to meet the unique corporate governance processes of each organization. As thought leaders and innovators, we work towards open standards by anticipating the adoption of security-enhancing technologies such as the Trusted Platform Module. Other examples include being the first to support biometric pre-boot authentication, supporting removable media since 1998, and being the first to support hibernation, imaging software like Ghost, and disk utilities like defragmentation.

In order to ensure all data is protected, it is important for enterprises to drive the convergence of IT business processes and business security, as well as their associated expenditures. However, this convergence should not come at the sacrifice of end-user productivity and hard drive robustness, or limit the functionality of imaging software or disk utilities. Equally, any technology deployed without taking into consideration corporate governance and unique security requirements is doomed to fail because it will not account for the non-technical processes related to securing data at rest.

For example, in addressing the specific requirements of the National Security Agency, WinMagic had to provide dual pre-boot authentication via crypto tokens and PKI integration as a prerequisite of doing business. While other vendors failed to meet this requirement, WinMagic delivered a solution in record time that addressed all issues relating to compliance with open encryption standards, compliance with security and privacy legislation, and adherence to the human element wrapped in corporate governance.

Like insurance, full-disk encryption provides a safety net should other security policies fall short. By encrypting all data at all times full-disk encryption ensures organizations do not have to worry about the negative publicity that accompanies high-profile data breaches.

In conclusion, when purchasing technology, organizations will always weigh the cost of the solution against the cost of not purchasing the technology (potential data theft). Although data security might not generate a direct ROI, the lack of data security can certainly adversely impact revenues. Clearly a tipping point has been reached, and it is no longer a matter of whether or not to install full-disk encryption, but simply a matter of which solution makes the most business sense. And now, thanks to WinMagic’s innovative functionality, it is easy for organizations to protect all data at all times with full-disk encryption without having to sacrifice end-user productivity or system performance. In essence, WinMagic provides an encrypted drive that performs like an unencrypted drive: now that’s magic!

