Full-disk encryption can take a lot of risk out of mobile computing
Sidebars: Is full-disk encryption for you? | Getting the best deal on full-disk encryption | Installing full-disk encryption | Full-disk encryption performance issues | When fully encrypted disks go bad | Full-disk encryption software vendors
- By David Cassel
- Oct 18, 2007
No great loss: When a laptop with an encrypted disk is stolen, only the hardware - not the data - is lost, said Chris Rushkin of the California Franchise Tax Board.
California Franchise Tax Board
'People like to stay off of the front page,' said Dan Roddy, security administrator at the Oregon State Treasury. He's read too many news stories about government agencies scrambling after the theft of a laptop PC that held unencrypted data, which led to his determination not to fall into the same trap.
More than 165 million records containing sensitive personal information have been breached in recent years, according to the Privacy Rights ClearingHouse, a nonprofit consumer watchdog organization.
In 2006, the Office of Management and Budget mandated that all data on mobile devices be encrypted. Starting with California, more than half of all states have augmented federal privacy laws with their own statewide privacy regulations. Many require disclosure to the public of all data thefts - unless that data is encrypted.
With the mounting pressure for ongoing data protection, many systems administrators have discovered they can buy security for their data drives - along with some peace of mind - by implementing full-disk encryption.
The idea of full-disk encryption - also called whole-disk encryption - is simple: Instead of just encrypting sensitive files or selected directories, encrypt everything on the disk. Selective encryption can be an administrative headache, because someone has to figure out which files should be scrambled. With full-disk encryption, you scramble everything and just make sure the user or administrator doesn't lose the password.
'It's pure logic,' Roddy said. 'If everything on the disk is encrypted, you don't have to worry about what was on it!'
'There have been products that provided this for at least 10 years,' said John Girard, a vice president and analyst at Gartner. 'People only bought them if they absolutely had to, because they didn't like the extra complexity of managing the systems. It wasn't really until the press started covering it on a regular basis that people realized how bad it was.'
'We've had laptops that have been stolen out of cars,' said Chris Rushkin, a systems security analyst at the California Franchise Tax Board, 'but they were encrypted. At that point, it's a paperweight for the thief. We lose that asset, but the data is secure, and that's probably our most important asset.'
The California experience
California has been practicing what it preaches when it comes to data security. The California Department of Insurance is using full-disk encryption for its laptops, said Tadesse Chekol at their Information Security Office.
California's Board of Equalization is a longstanding user of the GuardianEdge Data Protection Platform. 'I can tell you that we use encryption technology and have since about 2000 on some hard drives for auditors,' said Anita Grandrath Gore, chief communications officer at the board. 'They're on the road, and they take laptops with them, so full-disk encryption is necessary for securing confidential taxpayer information.'
Gore said the board is moving to encryption for desktop PCs, too. 'We have a million taxpayers registered with us, and we have lots and lots of information relevant to their accounts that would be considered confidential. We don't want to risk [that] any of that information might become public,' she said, noting that many of the board's desktop computers are near windows, where they are at risk for smash-and-grab robberies.
Hardware or software?
Before taking the plunge into full-disk encryption, you have to answer one question: Do you want a hardware- or software-based method of encrypting your content? Each has its advantages.
'There are certain levels of security certification that can't be achieved without hardware,' Girard said. 'But even so, the software vendors have made an excellent showing of meeting some rigorous government certification [requirements] for protection.'
Girard points out that the vast majority of full-disk encryption installations are software-based. Setting a policy requiring a specific hardware component can limit your flexibility, he said, and enforcing a specific hardware specification is even trickier with contractors.
'When you're dealing with a contractor, it's very hard to say we expect you to use this exact hardware configuration,' Girard said. 'And what if they're not maintaining it to your specifications? At a certain point you have to get involved, but getting involved at the hardware level is very complicated - whereas getting involved at the software level is achievable.'
But hardware encryption has its advantages. Seagate is one vendor offering a full-disk encryption product built directly into the hard drive.
'It's data security at the core of where your data lives,' said Joni Clark, Seagate's notebook marketing manager. 'Once you write, you're encrypting.'
Clark points to one of the big advantages in performing the encryption in the hardware. 'It's not something that people are known for hacking into,' she said, referring to hard drives. 'It's done within a closed environment. You're not going to the operating system; all the security is done natively.'
Use it, don't lose it
One thing to keep in mind about full-disk encryption is that good management is vital. After all, if every one of your disks is being locked up, or encrypted, with a key, you want to make sure you - or your users - don't lose that key.
'If you don't handle it properly, encryption is a great way to lose your information forever,' said Trent Henry, a senior analyst at the Burton Group. He offers some simple advice: 'If you go forward with it, have a good key management strategy in place. Create the keys so they're secure, change them periodically so they're not subverted by bad guys and make sure they're properly backed up - in case the IT guy gets hit by a bus.'
Key management is a big concern for systems managers. The California Franchise Tax Board, for instance, is managing more than 6,000 encrypted desktop computers. 'It's a lot of PCs,' Rushkin said.
The GuardianEdge software the board uses seems to work well enough at this scale, however. 'Since it's an enterprise solution, it's easy to manage,' Rushkin said. 'The product we have has a master console that our help desk uses. It verifies the user and then lets them know what code they need to get back into their PC. With the way we implemented it, we haven't had any problems with recovering data.'
Roddy thought of this when examining the native encryption on a new Sony Vaio laptop. 'It's great, absolutely, but when you get it into an organization's environment, you need a way to manage that, and you can't do it without software. You need a network program to administer the settings to make sure they're all the same on every laptop.'
Oregon has been running a management console provided by Voltage Security, called SecureDisk. 'I tested it - it's been in production for about a year now,' Roddy said. 'I can't think of a single problem we've had with it. It's been really solid.'
The management gets trickier if an organization has already applied a patchwork approach to encryption using a variety of products, possibly managed at different security levels.
Here, Henry advised managers to 'centralize the policy guidelines for the use of encryption and, wherever possible, create some kind of centralized key management.'
But most vendors seem aware of the need for an easy key management solution. 'The Pointsec PC Enterprise Workplace is a turnkey encryption solution,' David Vergara, marketing director at CheckPoint, said of his company's product. 'The key management is baked into the product. There's no third-party key management or any additional steps that the business needs to do.'
And their recovery procedure is automatic. 'Before any machine is encrypted with the Pointsec PC product, we actually create a recovery file that can be stored on a remote server,' he said. 'It does that automatically, just to ensure that every system can be recovered. There's been no case in history where we've not been able to recover a machine.'
One way to mitigate the risk is to disable the preboot challenge, or the authentication step that users go through to access their encrypted files. This challenge requires users to log in twice - once before the computer starts and then again when Microsoft Windows asks for a password.
Despite the extra work on the part of users to log in twice, everyone interviewed for this story felt that disabling the preboot challenge was a bad idea.
'If there's no challenge when they start the machine, then where's the security? It's like leaving your front door unlocked so you don't have to be interrupted by the key,' Girard said.
Clark said there's no way to disable the preboot authentication with Seagate's hardware-based system. 'If you don't have a strong front door, you might as well not have a safe. Don't provide encryption if you're not going to give a preboot authentication that keeps thieves out.'
Rushkin agreed. 'I think that's more of a security risk,' he said, adding that his systems require both the preboot authentication and then a separate Windows authentication. 'I can't say that we have a perfect solution, but I think it's definitely a secure solution.' It may add one small additional inconvenience to users, but 'when people get used to it, the inconvenience is gone.'
Girard points out that different systems offer different levels of difficulty for recovering passwords, though the point is to not make password recovery too easy.
With powerful tools come powerful responsibilities. But powerful tools such as full-disk encryption let managers sleep better at night - and not end up on the front page of a newspaper.
Sidebar | Is full-disk encryption for you?
Of course, full-disk encryption isn't always the only way to go for complete coverage. "There are products that are not full-disk encryption that can actually do a very good job," said John Girard, a vice president and distinguished analyst at Gartner.
"There are times when you do want people to be able to access all the applications and all the operating system," said Eric Hay, a field engineering director at Credant Technologies. Credant's Mobile Guardian solution even received one of the designated full-disk encryption software agreements from the Defense Department - even though instead of full-disk encryption, the company offers what it calls policy-based intelligent encryption. Such encryption, Hay said, makes it easier for multiple users to share a single laptop.
Credant's solution lets administrators set policies for their users' encryption, which moves the responsibility away from users. "You don't want them making security decisions. We know where that'll go," Hay said.
This approach is not without its potential points of failure. Burton analyst Trent Henry said users can cause big problems if they're implementing their own encryption. "It can be very easy for users to inadvertently put documents outside their encrypted folders. If the laptop is lost, you can't be sure all the sensitive information was encrypted. Users are notorious for making mistakes."
Another proponent of partial encryption is Jim Peterson, chief scientist at PKWare, maker of the SecureZip software. "A data-centric approach should be considered as an alternative to ensure that data remains persistently secure both at rest and in transit," he said. Encrypting only pertinent data "provides greater flexibility in how and where data is protected," he said.
Sidebar | Getting the best deal on full-disk encryption
Will budgets be destroyed by the cost of a full-disk encryption solution? Maybe not.
"In the end, tough negotiating is what you do to get the price. With a blank purchase order, it's probably going to make it easier to get a good price," said John Girard, vice president and distinguished analyst at Gartner.
Girard tells the story of a client who had 2,000 employees but only needed to protect the data on 800 notebooks. "It turned out that the discount they would get for the full 2000 was so good, they actually ended up paying less."
The organization still ended up absorbing some extra setup costs and help-desk time, but they ultimately bought a simpler, one-stop solution. "If you don't do all the machines, and you have a problem with one of the machines, you're going to have to start all over again anyway. Plus, you'll have the embarrassment. It may just be easier to get it out of the way," Girard said.
Girard offers other ways to drive down the cost of implementation. One idea: "Look at other contracts you've got. Chances are good a systems integrator will offer one of these products. You may be able to get this added to your next image update much more cheaply than doing it yourself. And you can always ask for discounts on upgrade or training."
David Vergara, marketing director at CheckPoint, which sells Pointsec FDE software, agrees that bulk orders bring the pricing down to competitive levels.
No doubt FDE will cost. For instance, a hard drive from Seagate capable of full encryption will probably cost about 40 percent more than a plain vanilla hard drive, said Joni Clark, Seagate's notebook marketing manager, but in the long run, it still may be a good deal.
"When you look at the whole price of the laptop, it's relatively insignificant; when you multiply that out by how many people you have, it's significant. But remember what you're trying to accomplish. The benefit outweighs the cost," said Chris Rushkin, systems security analyst at California's Franchise Tax Board. "We have the security of knowing that if a laptop gets stolen out of a car or airport, the data is still confidential."
Sidebar | Installing full-disk encryption
Will full-disk encryption be hard to implement? Maybe not. It's often not as bad as you think.
"If you have a distribution tool in place, encryption software is just another package you send out," said John Girard, vice president and distinguished analyst at Gartner. He recommended giving users a certain time frame to perform the installation and suggesting that they run it overnight so it won't disrupt their work. "These encryption products will all tell you that you can continue to work while they're installing, but it's not a good idea. I don't think it's a good idea to interrupt something that's encrypting your hard drive."
If all your hardware meets the necessary specifications, Girard sees smooth installations, though he still recommends trying it on a test group first.
"Test on your platform, make sure they all have enough RAM and memory, and you can roll this stuff out very fast. I've seen thousands of installations in a week," he said. But a little training might also be necessary before the first sign-on to keep users from being locked out of their own systems. "There's a certain amount of interaction that's required for the user to identify themselves to their machine," said Girard, "and I've seen users mess this up."
With some solutions, that first full encryption can take hours. But at the Burton Group, senior analyst Trent Henry puts it into perspective. "If the encryption chose to only encrypt the boot partition table, it'd be faster, but weaker. That's almost always a trade-off."
"There [are] configuration things that you have to do with every product," said Oregon Treasury security administrator Dan Roddy, though he quickly added a cautionary note to vendors: "I have a pain threshold." Fortunately, it only took him a couple of hours to install Voltage's SecureDisk solution on his 25 laptops.
And at California's Franchise Tax Board, systems security analyst Chris Rushkin is having an even easier experience: New laptop PCs are ordered with the encryption component already installed.
"We buy it with every single new PC we purchase now. We implemented a program of making sure that all laptops were ordered with the Encryption Plus product," from GuardianEdge, he said.
Before this blanket approach, however, full encryption could be a time sink for the agency. "When I first had a laptop, it took me a couple hours to fully encrypt a 40-gig drive initially. But since our IT asset center deploys the laptops to the end user, it's already installed for them."
That ease of use is an experience Seagate seeks to replicate with their hardware-based solution. "Ours just automatically encrypts," said Joni Clark, notebook marketing manager at Seagate. "Once you write, you're encrypting."
David Vergara, marketing director at CheckPoint, said his company's Pointsec encrypts in the background so it doesn't impact users. "There are some software out there where the initial encrypting ties up the machine. On ours, we actually have a throttled-back deployment mechanism that puts us as a secondary item on the machine and allows the user to use the machine while it's encrypting all the contents in the background," he said. Even if there's a power outage or the machine suddenly crashes, "once you log back on and power up, it's going to continue doing it in the background until it's 100 percent encrypted."
And Pointsec is also aiming for a transparent user experience, said Vergara. "It gets deployed like any other IT software - the user is completely unaware. They will only see if it's configured for the pre-boot authentication. If the enterprise decides that they want to do a Windows-integrated sign-on, the user will not even know it's there."
Sidebar | Full-disk encryption performance issues
One question that always comes to the minds of administrators when thinking about full-disk encryption: will it slow down users' systems?
After all, all that work of decrypting data and programs upon start-up must slow the computer to a crawl, yes?
Maybe not. Most industry analysts say FDE lag is not a big worry on current systems.
"The software products do have some overhead," said John Girard, a vice president and distinguished analyst at Gartner, "but the average person is not going to see the difference. They're just reading their e-mail and working on documents. For the vast majority of people, if they have enough RAM and a good hard drive and it's not fragmented, they're not going to see much of a difference."
The Burton Group's Trent Henry agreed. "Five years ago, when I talked to users they'd complain that the decryption process cost them 15 to 20 percent of their system performance. Today the results from users and vendors suggest the performance impact has become less of a problem than it was in the earlier days.
"You're certainly accessing the disk a lot more - but that's what they're made for," Henry said.
At least one user doesn't seem to notice the difference. The California Franchise Tax Board encrypts data on its computers using Encryption Plus from GuardianEdge, and hasn't felt the pinch of slow performance from doing so. "It's on my system - and I don't notice it," said California's Franchise Tax Board systems security analyst Chris Rushkin.
Vendors testify that, for the most part, any noticeable performance impact is a thing of the past. "On any newer machine you'd see that that degradation should, across the board, have decreased dramatically" from use on older equipment, said David Vergara, marketing director at CheckPoint, which sells the Pointsec FDE software.
"We did a performance review with a third-party consultant who took a look at the Pointsec-enabled machine and one that was unencrypted. I think it was like a 3 to 5 percent performance degradation between the two machines - and that was our old model."
Hardware-based encryption seems to have minimal effect on performance as well.
"There is no performance impact because it happens at the full speed of the drive, reading and writing," said Joni Clark, notebook marketing manager at Seagate, which sells hard drives that automatically encrypt their contents. "It's built into the drive and you're not stealing any CPU cycles. At a very raw level you would see some performance delta - maybe a 2 percent impact at a raw level. But the user himself will not notice anything. It's that small."
Sidebar | When fully encrypted disks go bad
So what happens when your fully encrypted disk breaks down? Don't look towards your standard recovery tools.
"A damaged drive cannot be booted and recovered with conventional recovery tools; you'll need a special boot disk supplied by the manufacturer," said John Girard, a vice president and distinguished analyst at Gartner.
It's a small but important reminder: when you implement a full-disk encryption system, don't underestimate your commitment. "When you implement full-disk encryption, all the procedures you follow as an organization for technical support and disk recovery have to change completely," Girard said. "If there's a problem, you can't start the operating system. You can't use normal disk recovery on the system."
It's not a deal-breaker, Girard adds - but it is something to be aware of. "It just changes the way you do it. You can't do forensics and other things on the drive until you unlock it, and you can't do that until you boot it with a proprietary system. If the disk is really damaged - you'll have trouble getting in."
This is why, with full-disk encryption, regular backups are more important than ever.
"What I recommend to people is at the same time you put in any encryption product - full disk or not - it's a good time to go look at your backup strategy," Girard said. "If your systems are being backed up on a regular basis to a secure backup system, there's a lot less pressure on you to recover a damaged drive. And you can get them a working system a lot faster."
Sidebar | Full-disk encryption software vendors
Check Point Software
www.wavesys.com
Source: 'Introduction to Full-Disk Encryption'