Background
A new report filed by federal security auditors finds that the Internal Revenue Service (IRS) has had almost 500 laptop computers lost or stolen over the last three years, many of which were loaded with sensitive taxpayer information. The report states that between 2003 and 2006 the IRS had some 490 laptops lost or stolen in 387 separate incidents.
Perhaps the most notorious laptop loss in the federal sector came in May 2006, when a contractor working with the Department of Veterans Affairs had a computer stolen from his home that carried the personal data of an estimated 26.5 million people. The laptop was eventually recovered by law enforcement officials.
In addition to failing to properly secure their devices in and out of the office, the auditors found that some of the IRS's 100,000 employees were not encrypting the data on their machines or using adequate password protection.
In their final recommendations, the auditors advise IRS leaders to refine their incident response procedures, so that the extent of any potential data exposure is better understood, and to remind employees more frequently to use proper device security measures. The report also contends that the agency should consider implementing a "systemic disk encryption solution" on its laptops: one that does not rely on employee interaction to protect sensitive information.
Systemic Disk Encryption Solution
The security mechanisms to consider when evaluating the right disk encryption solution can be expressed as follows:
Policy: Which policies and certifications are required by the organization
Information architecture: Where sensitive information is stored
Application architecture: How the application uses information
Communication: How the device communicates
Device management: How the device is managed
Primary use of the device: An office automation tool, industrial purposes, or mobile communication
Selection Criteria
Given the recent high-profile announcements regarding lost laptops, and the liabilities facing organizations that fail to take appropriate steps to address mobile device vulnerabilities, I decided to take a look at the full disk and folder encryption products that are commercially available today to help mitigate those vulnerabilities.
The factors in the following table should help you work through the process of selecting disk and folder encryption products:
Area of Comparison | Full Disk Encryption | Folder Encryption
Scope of encryption | The entire disk is encrypted | Only selected files and folders are encrypted
Impact on the computer system | The MBR is modified to load a pre-boot authentication stage | Operating system files are excluded
Platform support | Generally limited to single desktops and mobile computer systems | Can be used on most systems
Authentication options | Limited to the drivers available at pre-boot; vendors are expanding the capabilities to include network connectivity | Generally, any authentication mechanism supported by the operating system
Multiple user authentication | Authentication is required at pre-boot and may be synchronized with or linked to network authentication | Authentication may be required on file access and can be linked to operating system or network authentication
System maintenance | Reboots during patching may be a problem, since the machine waits at the pre-boot prompt until someone authenticates | No issues during maintenance
Backups | Information is generally not encrypted if the backup runs within the operating system, because the running OS sees the decrypted volume | Information may or may not be encrypted, depending on how the backup is performed
User control | The user makes no determination as to whether a file is encrypted | The user may control which files are encrypted; newer policy-based products transfer encryption decisions to the administrator
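The "Information architecture" consideration above asks where sensitive data actually lives, and the table shows that the answer differs by mount point: a full disk encryption product covers everything under its encrypted volume, a folder encryption product covers only the folders it manages, and anything else (a second data partition, an unencrypted /boot) is plaintext. The following is an added example, not code from the original article: a small audit script that maps sensitive file paths to their mount point and classifies the coverage from /proc/mounts-style input and a set of dm-crypt device names. The mount table, the dm-crypt device list, the folder-encryption filesystem types and the file paths are all constructed sample data and assumptions for illustration.

```python
# Added example (not from the original article): classify each sensitive path
# by the encryption coverage of the mount point that holds it.
# Inputs are /proc/mounts-style lines plus the set of active dm-crypt device
# names; both are constructed here rather than read from a live host.
import os
from dataclasses import dataclass

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/mapper/cryptroot / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,ecryptfs_sig=0123456789abcdef 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

# Constructed: devices that `cryptsetup status` would report as active dm-crypt
# mappings. On a live host you would gather these with `lsblk -o NAME,TYPE`.
SAMPLE_DMCRYPT = {"/dev/mapper/cryptroot"}

# Assumed list of filesystem types that encrypt per folder inside a running OS.
FOLDER_CRYPTO_FSTYPES = {"ecryptfs", "fuse.gocryptfs", "fuse.encfs", "fuse.cryfs"}

FULL_DISK = "full-disk"
FOLDER = "folder"
PLAINTEXT = "plaintext"


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: str


def parse_mounts(text: str) -> list[Mount]:
    """Parse /proc/mounts-style lines (spaces in paths are escaped as \\040)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        mounts.append(Mount(device, mountpoint.replace("\\040", " "), fstype, options))
    return mounts


def classify(mount: Mount, dmcrypt: set[str]) -> str:
    """Full-disk if the backing block device is a dm-crypt mapping, folder if the
    filesystem itself is a per-folder encryption layer, otherwise plaintext."""
    if mount.device in dmcrypt:
        return FULL_DISK
    if mount.fstype in FOLDER_CRYPTO_FSTYPES:
        return FOLDER
    return PLAINTEXT


def mount_for_path(path: str, mounts: list[Mount]) -> Mount:
    """Longest-prefix match: the deepest mount point that contains the path."""
    norm = os.path.normpath(path)
    best = None
    for m in mounts:
        prefix = m.mountpoint.rstrip("/") + "/"   # "/" becomes "/", "/boot" becomes "/boot/"
        if norm == m.mountpoint or norm.startswith(prefix):
            if best is None or len(m.mountpoint) > len(best.mountpoint):
                best = m
    if best is None:
        raise ValueError(f"no mount point covers {path}")
    return best


def audit(paths, mounts_text=SAMPLE_MOUNTS, dmcrypt=SAMPLE_DMCRYPT):
    """Return {path: (mountpoint, coverage)} for every path given."""
    mounts = parse_mounts(mounts_text)
    report = {}
    for p in paths:
        m = mount_for_path(p, mounts)
        report[p] = (m.mountpoint, classify(m, dmcrypt))
    return report


def findings(report):
    """Paths whose mount point has no encryption at all, sorted for stable output."""
    return sorted(p for p, (_, coverage) in report.items() if coverage == PLAINTEXT)


if __name__ == "__main__":
    # Constructed sample paths: where an application on this laptop keeps its data.
    sample_paths = [
        "/var/lib/app/returns.db",
        "/data/taxpayers.csv",
        "/home/alice/Private/notes.txt",
        "/boot/vmlinuz",
    ]
    rep = audit(sample_paths)
    for p, (mp, coverage) in rep.items():
        print(f"{p:32} mounted at {mp:20} {coverage}")
    print("unprotected:", findings(rep))
```

On a live Linux laptop you would pass `open("/proc/mounts").read()` and the dm-crypt names reported by `lsblk` instead of the constructed samples. The same classification also explains the table's "Backups" row: every path the script marks full-disk is plaintext to any backup agent running inside the booted operating system, so the backup target needs its own encryption.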