Following news of the Wikileaks scandal, your customers may increase their efforts to protect the data on their employees' portable devices. Initial reports allege that the Wikileaks data was obtained from a 23-year-old soldier who downloaded reams of classified government data onto portable media devices. Following such a highly publicized and harmful breach, CIOs may turn to you, their security consultant, for assistance with portable hard drive security and USB key encryption.
Before discussing available encryption products with customers, channel partners should help customers understand and evaluate their needs by answering these six basic questions:
- What data is leaving the facility on these media devices? What are the consequences if this data is exposed?
- Is there a valid reason why the data should be transported on portable media devices? Files containing credit card numbers, Social Security numbers or medical information about identifiable individuals should never be carried home by employees for after-hours work. If the data does not need to leave the facility, no encryption product is a substitute for keeping it there.
- Is the concern accidental loss or deliberate theft by an employee? Encryption addresses the first: it protects data on a device that has been lost or stolen from someone who does not know the PIN. It does little against the second, since a dishonest employee who is authorized to unlock the device already holds the PIN and will find a way to copy the data, encryption or no encryption.
- Where is the data going? For example, are employees bringing data home to work with it on unprotected home computers?
- If employees take laptops home, are their disks encrypted? A laptop visible in a parked car is more likely to be stolen than the USB key in an employee's pocket.
- Are USB ports controlled and monitored? Products are available that can disable ports entirely, restrict which files can be written to a device, or log all traffic through the USB port.
Once these questions have been answered and the decision made to purchase a USB key encryption or other encryption product, customers can then choose an appropriate solution from a variety of available hardware and software encryption products.
Hardware encryption requires a device designed specifically for encryption. Available products include Systematic Development Group, LLC's LOK-IT USB key and Apricorn Inc.'s Aegis Padlock portable hard drive. With both products, users enter their PIN on a keypad on the outside of the device. Until the correct PIN is entered, the device is not visible to the host operating system and transfers no data; PIN verification, encryption and decryption are carried out entirely within the device. Since no host software is involved, these products can be used from any computer running any operating system.
Both products are resistant to repeated attempts to guess the PIN. After 10 incorrect entries, LOK-IT must be reformatted and all data is lost. Aegis Padlock must be power cycled after six incorrect attempts; after 100 incorrect attempts, the Padlock must be completely reset which will erase all data on the drive.
Software encryption products use software executed on the host computer to encrypt and decrypt data on the portable device. Any USB key or portable hard drive can be encrypted.
For customers who have upgraded to Microsoft Windows 7, the choice of a portable hard drive or USB key encryption product can be simple. Built into Windows 7 (and introduced with Windows Vista) is BitLocker Drive Encryption, which encrypts disk volumes on desktop and laptop systems. Windows 7 extends this to USB keys and portable hard drives with BitLocker To Go. One caveat: only the Enterprise and Ultimate editions of Windows 7 can turn BitLocker To Go on for a drive; the other Windows 7 editions can unlock such a drive, and Windows XP and Vista can read it (but not write to it) with the BitLocker To Go Reader.
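The following is an added example, not code from the article or from Microsoft's documentation, showing how a channel partner might apply the two controls discussed above on a Windows 7 client: encrypting a removable drive with BitLocker To Go, and the port and write restrictions described in the USB-port question. The drive letter E: and the use of an elevated PowerShell prompt on a non-domain test machine are assumptions; the registry values written below are the ones the corresponding Group Policy settings write, so on managed machines the same settings belong in a GPO rather than in a script.

```powershell
# Added example (not from the article). Run elevated on a Windows 7 Enterprise/Ultimate client.
# Drive letter E: is an assumption.

# 1. Encrypt a removable drive with BitLocker To Go, unlocked by a password, and add a recovery
#    password so a forgotten unlock password does not mean lost data.
manage-bde -on E: -Password                      # prompts for the unlock password
manage-bde -protectors -add E: -RecoveryPassword # 48-digit recovery password
manage-bde -protectors -get E:                   # record the recovery password in the customer's key-escrow process
manage-bde -status E:                            # confirm encryption is in progress / complete

# 2. Policy: refuse writes to any removable drive that BitLocker does not protect
#    (GPO "Deny write access to removable drives not protected by BitLocker").
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord

# 3. Policy: deny all write access to removable disks, encrypted or not
#    (GPO "Removable Disks: Deny write access"; the GUID is the Removable Disks device class).
$rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $rsd -Force | Out-Null
Set-ItemProperty -Path $rsd -Name Deny_Write -Value 1 -Type DWord

# 4. Blunt instrument: keep the USB mass-storage driver from starting at all (Start = 4 is "disabled").
#    Use this only where no removable storage is permitted; it also blocks encrypted devices.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord

# Verify what was written. Settings 3 and 4 take effect for devices plugged in after a reboot.
Get-ItemProperty -Path $fve | Select-Object RDVDenyWriteAccess
Get-ItemProperty -Path $rsd | Select-Object Deny_Write
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' | Select-Object Start
```

Choose one of settings 2, 3 and 4, not all three: setting 2 is the one that lets employees keep using USB keys while guaranteeing that anything written to them is encrypted, which is usually the outcome the customer wants.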
Customers not using Windows 7 can choose among a number of vendor-supported and freeware software encryption products, such as EncryptStick from ENC Security Systems, StorageCrypt from MagicLab Software and TrueCrypt, a freeware program from the TrueCrypt Foundation. All three products support Windows versions beginning with Windows XP. EncryptStick and TrueCrypt also support Mac OS X, and TrueCrypt supports Linux.
EncryptStick is available free with limited functionality or for purchase with full functionality. StorageCrypt can be downloaded free for a limited trial period before purchase.
Evaluate security requirements against potential risk
Before making a product selection, it's important to consider the relative merits of hardware and software encryption. Vendors of hardware encryption claim their devices are more secure because a software product runs on a host computer the attacker may control or tamper with, but hardware products are generally more expensive. Customers should understand the circumstances in which software encryption is vulnerable before deciding whether the extra cost of hardware encryption is worthwhile.
Hardware encryption requires a processor on the portable device, and the keys never leave it. Many devices are also built to be tamper-resistant, so that an attacker who opens the outer case still cannot read the key or the data from the storage chips. As a result, hardware-encrypted USB keys and portable hard drives are more expensive than standard devices.
Software encryption products face the same repeated PIN or password guessing that hardware products defend against, but they are in a weaker position to stop it. Some products insert a delay or refuse further entries after some number of attempts, but because that check runs in software on the host, a skilled attacker can modify or bypass it. Worse, the attacker need not touch the product at all: copying the encrypted data off the device and guessing passwords offline, with the attacker's own code, sidesteps any attempt counter. What then limits guessing is only the strength of the password and the cost of the key derivation the product uses.
Some software products store the program that verifies PINs and performs the encryption and decryption on the device itself. Still, the actual execution takes place on the connected computer and is subject to the same modifications and bypasses.
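To make the point concrete, here is an added example that is not code from the article or from any of the products it names. It builds a toy software-encrypted container (a random salt, an iteration count, an IV and AES-256-CBC ciphertext of a known check header plus the secret, keyed by PBKDF2 of the PIN), puts the vendor-style ten-attempt lockout in the unlock function, and then shows an attacker recovering the PIN from a copy of the container without ever calling that function. The four-digit PIN, the iteration count and the check header are assumptions chosen to keep the run short.

```powershell
# Added example (not from the article or any named product). A toy software encryption container:
# the only thing enforcing the attempt limit is Unlock-Container, software the attacker need not run.

function Get-PinKey([string]$Pin, [byte[]]$Salt, [int]$Iterations) {
    # PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes) stretches the PIN into a 32-byte AES-256 key.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Pin, $Salt, $Iterations)
    return ,$kdf.GetBytes(32)          # leading comma keeps the byte[] from being unrolled
}

function New-Container([string]$Pin, [string]$Secret, [int]$Iterations) {
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $salt = New-Object byte[] 16; $rng.GetBytes($salt)
    $iv   = New-Object byte[] 16; $rng.GetBytes($iv)
    $aes  = New-Object System.Security.Cryptography.RijndaelManaged   # AES: 128-bit block, CBC, PKCS7
    $aes.Key = [byte[]](Get-PinKey $Pin $salt $Iterations)
    $aes.IV  = $iv
    $plain = [System.Text.Encoding]::UTF8.GetBytes('CHK:' + $Secret)  # 'CHK:' acts as the key check value
    $ct = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    return @{ Salt = $salt; IV = $iv; Iterations = $Iterations; Ciphertext = [byte[]]$ct }
}

function Test-PinDecrypt($Container, [string]$Pin) {
    # Returns the secret if $Pin is right, otherwise $null. No counter, no delay: pure crypto.
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.Key = [byte[]](Get-PinKey $Pin $Container.Salt $Container.Iterations)
    $aes.IV  = $Container.IV
    try {
        $ct = $Container.Ciphertext
        $plain = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    } catch [System.Security.Cryptography.CryptographicException] {
        return $null                   # a wrong key almost always fails the padding check
    }
    $text = [System.Text.Encoding]::UTF8.GetString($plain)
    if ($text.StartsWith('CHK:')) { return $text.Substring(4) }
    return $null                       # rare case: bad key, padding happened to validate
}

$script:FailedAttempts = 0
function Unlock-Container($Container, [string]$Pin) {
    # What the vendor's software enforces: after ten wrong PINs it refuses to try any more.
    if ($script:FailedAttempts -ge 10) { throw 'Locked out: too many incorrect PINs' }
    $secret = Test-PinDecrypt $Container $Pin
    if ($null -eq $secret) { $script:FailedAttempts++ } else { $script:FailedAttempts = 0 }
    return $secret
}

function Find-PinOffline($Container) {
    # The attacker works from a copy of the container and calls the key derivation directly.
    # The only brake is (PBKDF2 cost per guess) x (size of the PIN space).
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    for ($p = 0; $p -le 9999; $p++) {
        $pin = $p.ToString('D4')
        $secret = Test-PinDecrypt $Container $pin
        if ($null -ne $secret) {
            return New-Object PSObject -Property @{
                Pin = $pin; Secret = $secret; Trials = $p + 1
                Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
            }
        }
    }
    return $null
}

# --- Demonstration on a constructed container (PIN, secret and iteration count are assumptions) ---
$container = New-Container -Pin '1983' -Secret 'Q3 payroll export' -Iterations 1000

# The legitimate path locks after ten wrong guesses, just as the hardware products above do.
foreach ($guess in 0..9) { $null = Unlock-Container $container ('000' + $guess) }
try { Unlock-Container $container '1983' } catch { "Legitimate unlock path: $_" }

# The offline path never consults the counter and recovers the PIN anyway.
Find-PinOffline $container | Format-List Pin, Secret, Trials, Seconds
```

Two things to take from the run. First, the lockout message and the recovered secret appear together: the counter protected nothing once the ciphertext was copied. Second, the Seconds figure is what a customer actually buys with a software product, and it scales with the iteration count and the size of the password space; a real product with a long passphrase and a much higher iteration count pushes that number out of reach, while a hardware device moves the counter into silicon where the attacker cannot skip it.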
Channel partners should work proactively with customers to determine how portable encryption devices will be used and the acceptable level of risk associated with data exposure. In some cases, such as government agencies that require the highest level of protection, devices must use cryptographic modules validated under Federal Information Processing Standard (FIPS) 140-2. For customers with less stringent security requirements, software encryption may offer sufficient security at a lower price. By clearly understanding specific customer needs, channel partners can help customers choose the appropriate encryption product.
About the author:
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
This was first published in December 2010