The fear of compromising citizens’ privacy — to say nothing of sitting in the hot seat at a congressional hearing and answering questions — has all federal agencies working to protect data on notebook computers.
Here are pointers for keeping data at rest safe.
When considering the best way to protect data on mobile devices, the first and most important decision is what data to encrypt. The unanimous answer from security experts is simple and straightforward: everything.
Although file-and-folder encryption gives users flexibility, its perils far outweigh any advantages, says David Vergara, director of data security products at Check Point Software. “You’re relying on end users to secure all sensitive files, and there’s no guarantee that they will,” Vergara says.
Even the most diligent employee might inadvertently put sensitive files in an unencrypted section of the hard drive. Full-disk encryption is the only way an agency can be certain that a stolen or missing notebook is merely a brick and not a gold mine of secure data.
Full-disk encryption is virtually transparent to end users. Individual files are decrypted and encrypted as they are opened and closed.
Full-disk encryption can enforce encryption policy, but that doesn’t free agencies from the need to set those policies.
“Encryption applications are tools. The organization will have to configure them to meet their own policy requirements,” says Bob McLernon, vice president and general manager of federal operations at GuardianEdge Technologies. Agencies must determine, based on the sensitivity of the data, such things as how often passwords will be changed, the complexity of passwords, and how quickly systems will go to standby mode after a period of inactivity.
The more stringent the policies, the more difficulties end users will have following them. For example, few users will reliably remember long alphanumeric passwords that they must change every three months. “This is an area where convenience has to be balanced against security,” says McLernon.
Another decision that affects both user convenience and IT overhead is how users recover forgotten passwords.
All keys must be backed up, and organizations with sensitive data will require users to call the help desk to recover them.
McLernon suggests providing, when possible, a self-service password recovery process that is self-contained on the notebook. This usually involves asking employees to respond to a number of on-screen questions that, taken together, only they could answer.
Although full-disk encryption provides absolute protection once data is on the hard drive, it has no effect on data downloaded to removable media. Encryption experts emphasize the importance of whitelisting and blacklisting removable storage media.
In general, allowable removable media should have the same level of encryption protection as the internal hard drive itself.
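One way to check that rule on a Linux notebook, as an added example that is not from the article or from any vendor quoted in it: a Python script that reads `lsblk -J` output and flags removable disks that are missing from an assumed agency whitelist or carry no LUKS container (the device names, whitelist and sample output are constructed).

```python
"""Audit removable block devices: flag any that are not on the agency
whitelist or carry no LUKS container. Added example, not from the
article; assumes `lsblk -J -o NAME,TYPE,RM,FSTYPE,MOUNTPOINT` output."""
import json

# Constructed `lsblk -J` sample: internal LUKS disk (sda), encrypted
# USB drive (sdb), unencrypted USB stick (sdc).
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "rm": False, "fstype": None,
     "children": [{"name": "sda1", "type": "part", "rm": False,
                   "fstype": "crypto_LUKS", "mountpoint": None}]},
    {"name": "sdb", "type": "disk", "rm": True, "fstype": None,
     "children": [{"name": "sdb1", "type": "part", "rm": True,
                   "fstype": "crypto_LUKS", "mountpoint": None}]},
    {"name": "sdc", "type": "disk", "rm": "1", "fstype": None,
     "children": [{"name": "sdc1", "type": "part", "rm": "1",
                   "fstype": "vfat", "mountpoint": "/media/usb"}]},
]})

# Hypothetical agency whitelist of approved removable device names.
WHITELIST = {"sdb", "sdc"}


def _is_removable(dev):
    # Older util-linux emits RM as "0"/"1" strings, newer as booleans.
    return dev.get("rm") in (True, "1", 1)


def _has_luks(dev):
    # A LUKS container may sit on the disk itself or on a partition.
    if dev.get("fstype") == "crypto_LUKS":
        return True
    return any(_has_luks(c) for c in dev.get("children", []))


def audit_removable(lsblk_json, whitelist):
    """Return (device, reason) for removable disks that fail policy."""
    findings = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        if dev.get("type") != "disk" or not _is_removable(dev):
            continue
        if dev["name"] not in whitelist:
            findings.append((dev["name"], "not on whitelist"))
        elif not _has_luks(dev):
            findings.append((dev["name"], "whitelisted but not LUKS-encrypted"))
    return findings


if __name__ == "__main__":
    for name, why in audit_removable(SAMPLE_LSBLK, WHITELIST):
        print(f"{name}: {why}")
```

On a live host, feed the script the text of `lsblk -J -o NAME,TYPE,RM,FSTYPE,MOUNTPOINT` instead of the constructed sample.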
Randal Barber, CEO of CRU-DataPort, which makes removable hard drives, says that one government agency worked with his company to develop a removable 2-inch bootable hard drive, with full-disk encryption, that can be used externally via a USB 2.0 interface. “Some government agencies that have full-disk encryption on internal drives don’t want to lose that protection when they move to removable externally connected media,” Barber says.