Jun 02 2009

5 Tips for Protecting Sensitive Data at the Endpoint

Advice to help your agency reduce the risk of lost or stolen data.

Most IT leaders would rather err on the side of caution than run the risk of data leaking through lost or stolen devices. So instead of encrypting only some files on some computers, most are making the move to full-disk encryption.

Full-disk encryption uses hardware or software to encrypt the entire contents of endpoint hard drives, including temporary files, swap space and other places where data linger. Compared with file-level encryption, this option is automatic and removes the element of human error in deciding which files to encrypt.

To smooth your rollout, focus on education, collaboration, key management and centralization.

One: Overcome Initial Objections

Driving encryption through policy helps overcome objections. That way, employees who don’t use sanctioned encryption aren’t allowed to put any sensitive data whatsoever on their mobile computers. With such a requirement, offices will quickly see that without encryption, mobile workers who manage confidential information are essentially disabled.

Two: Decide Who Gets the Keys

Where and how to manage encryption keys is a critical choice agencies must make based on size and objective. Los Angeles County, like many federal agencies, is huge. The California county has more than 102,000 employees, 11,000 of whom carry mobile computers that contain health services, law enforcement and social services data and other departmental information requiring encryption.

“We had to do some brainstorming: How do you want to manage these keys across the county? We decided each department would manage their own keys,” says Robert Pittman, the county’s chief information security officer.

Now, information officers for 38 major county departments handle key management and maintain their own key recovery disks using Check Point’s Pointsec Mobile.

Three: Pick Proper Passwords

PGP Whole Disk Encryption provides boot-level authentication and supports passwords of up to 2,048 characters, or 128 characters if integrating with Active Directory. Passwords that long are virtually uncrackable by today’s character-by-character and common-word password-guessing programs.
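To make the claim above concrete, here is an added example (not code from PGP or this article) that applies the two length caps stated here and estimates how much work a character-by-character guesser and a common-word guesser would each need for a given passphrase. The word list and the assumed dictionary size of 20,000 entries are constructed for illustration.

```python
import math
import re

# Length caps stated in the article for PGP Whole Disk Encryption boot-level
# authentication: 2,048 characters standalone, 128 with Active Directory.
MAX_LEN_STANDALONE = 2048
MAX_LEN_ACTIVE_DIRECTORY = 128

# Constructed, deliberately tiny stand-in for a guessing program's word list.
# Assumption: real lists hold tens of thousands of words; that size, not this
# toy set, is what drives the estimate below.
COMMON_WORDS = {"correct", "horse", "battery", "staple", "password",
                "admin", "welcome", "summer", "county", "mobile"}
DICTIONARY_SIZE = 20000  # assumed size of the attacker's word list


def allowed_length(passphrase, active_directory=False):
    """True if the passphrase fits the cap for the chosen integration mode."""
    cap = MAX_LEN_ACTIVE_DIRECTORY if active_directory else MAX_LEN_STANDALONE
    return 0 < len(passphrase) <= cap


def charset_size(passphrase):
    """Characters a character-by-character guesser must try at each position."""
    size = 0
    if re.search(r"[a-z]", passphrase): size += 26
    if re.search(r"[A-Z]", passphrase): size += 26
    if re.search(r"[0-9]", passphrase): size += 10
    if re.search(r"[^A-Za-z0-9]", passphrase): size += 33  # printable ASCII symbols
    return size


def brute_force_bits(passphrase):
    """Work factor, in bits, for a character-by-character guesser."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def dictionary_bits(passphrase):
    """Work factor, in bits, for a common-word guesser. If every word is in its
    list, the attacker picks words rather than characters."""
    words = re.findall(r"[A-Za-z]+", passphrase.lower())
    if words and all(w in COMMON_WORDS for w in words):
        return len(words) * math.log2(DICTIONARY_SIZE)
    return brute_force_bits(passphrase)  # no shortcut; back to character search


def effective_bits(passphrase):
    """The attacker takes the cheaper route, so the weaker estimate counts."""
    return min(brute_force_bits(passphrase), dictionary_bits(passphrase))
```

A long passphrase built only from common words gains its strength from the number of words, not the character count, which is why the article's "common-word" guessers matter as much as character-by-character ones.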

Four: Strengthen All Security

Endpoint encryption protects against data loss when devices are lost or stolen, but cannot protect data should a system be compromised while the computer is turned on and the user logged in. Physical security of the device is still crucial. Central security management of configuration, firewalls and other endpoint security using network access control or other means should also be considered.

Five: Spec It Out

Earlier this year, the Trusted Computing Group released three storage specifications to add security to PC and data center storage devices.

The Opal Security Subsystem Class Specification is aimed at PC clients, while the Enterprise Security Subsystem Class Specification targets data center storage. The Storage Interface Interactions Specification focuses on interactions between storage devices and underlying SCSI/ATA protocols.

Storage device specifications give manufacturers a standard way to develop self-encrypting storage devices. Some manufacturers have already shipped such products based on the Opal specification.