Encryption for the Enterprise

Handheld devices and other mobile computing options can be the weak link in an IT Security plan


The Encrypted File System
Another encryption option that has been available since Microsoft Windows 2000 is EFS, the Encrypted File System. EFS is a native part of the Windows NTFS file system and is easy to implement. When you encrypt a folder using EFS, all files within that folder become encrypted, and any file added to that folder afterwards will be encrypted as well.

To encrypt a folder in Windows XP Professional (encryption is not available in the Home version), you simply right-click the folder and select “Properties.” When the properties window opens, select the “General” tab and click the “Advanced” button; you will be presented with the “Advanced Attributes” window, where you will see the option “Encrypt contents to secure data.” Select that option and the folder will be encrypted. The folder name will change to green. The credentials necessary for encrypting and decrypting the folder are tied to your username and password, so having a robust password is still necessary.
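The same operation can be scripted, which is how it is usually rolled out to more than one machine. The following is an added example, not code from the article or from Microsoft: it encrypts a folder with the built-in cipher.exe tool, confirms that a file created afterwards inherits the encrypted attribute, and then lists any files under a path that are not EFS-encrypted. The folder path is a constructed sample; it assumes an NTFS volume on a Windows edition that supports EFS.

```powershell
# Added example (not from the article): encrypt a folder with EFS from PowerShell
# and verify that files added afterwards inherit the encrypted attribute.
# Assumptions: NTFS volume, a Windows edition that supports EFS, and a user
# profile with an EFS certificate (Windows creates one on first use).
# The folder path below is a constructed sample, not a path from the article.

$Folder = Join-Path $env:USERPROFILE 'EfsDemo'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Equivalent of ticking "Encrypt contents to secure data" on the folder.
# cipher.exe is the built-in EFS command-line tool: /e encrypts, /s:<dir>
# applies the operation to the folder and everything beneath it.
cipher.exe /e /s:"$Folder" | Out-Null

# A file created after the folder was encrypted picks up the attribute too.
$NewFile = Join-Path $Folder 'notes.txt'
Set-Content -Path $NewFile -Value 'constructed sample content'

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted flag in the item's attributes is what Explorer shows in green.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

"Folder encrypted  : $(Test-EfsEncrypted $Folder)"
"New file encrypted: $(Test-EfsEncrypted $NewFile)"

# Audit: list every file under a path that is NOT EFS-encrypted. This is the
# check to run on a laptop before assuming the data on it is protected.
function Get-UnencryptedFile {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-EfsEncrypted $_.FullName) } |
        Select-Object FullName, Length
}

# Run against the demo folder (expected to return nothing); point it at a
# user's data folders to find what EFS is not covering.
Get-UnencryptedFile -Root $Folder
```

Run it in a normal user session, not an elevated one: EFS keys belong to the user who encrypts, and a file encrypted as a different account will not open for the person who actually uses the folder.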

The use of the Encrypted File System is seamless to the user and can be implemented at an enterprise level. If EFS is used on a laptop, it will add a layer of protection to the data that is encrypted; however, it is not foolproof. EFS does not encrypt Microsoft Windows system files. This means that the SAM (Security Accounts Manager) file is not encrypted, so it is possible to extract the SAM file and use password-cracking software to figure out the passwords.

Microsoft released the Data Encryption Toolkit for Mobile PCs in 2007, which includes the Encrypting File System Assistant. It can be downloaded at http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx.

Whole Disk Encryption
Many organizations uninterested in EFS are looking for a product that offers “whole disk encryption.” These products require a user to provide authentication (smart card, biometrics, password) before the computer boots. One popular whole disk encryption solution is Truecrypt (www.truecrypt.com), which is a “Free open-source disk encryption software for Windows Vista/XP/2000 and Linux.”

While Truecrypt works well, organizations should think very carefully before implementing it in an enterprise environment. Truecrypt does not have any back doors, so if an organization needs to access data on the drive and they do not know the password, they will be unable to access the data. If you forget the password, a Truecrypt-encrypted hard drive becomes a brick.

In researching this article, I spoke with security directors from two different large organizations that were evaluating whole disk encryption solutions. One works for a law firm, the other for a firm in the pharmaceutical industry. They both agreed to be interviewed anonymously. They evaluated products from the following vendors: Utimaco, Credant, SafeBoot, PGP, PointSec and BitLocker, which is native to Microsoft Windows Vista Enterprise and Ultimate editions. One of them said that they were probably going to use BitLocker because “it is free” — the catch is that you must have Microsoft Vista and the hardware to support it. To really take advantage of BitLocker, the systems must have a Trusted Platform Module (TPM) chip, which is only available in newer systems.
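Before committing to BitLocker, the first question on each machine is whether the TPM it depends on is present and enabled, and, once deployed, which volumes are actually protected and by what. The script below is an added example, not from the article or any vendor: it reads the TPM state through the Win32_Tpm WMI class and summarizes BitLocker volumes with the BitLocker PowerShell module. It assumes an elevated session on a Windows release that ships that module (Windows 8 / Server 2012 or later); on older systems it reports the checks as unavailable rather than failing.

```powershell
# Added example (not from the article): check for the TPM that BitLocker needs
# and report BitLocker protection status per volume.
# Assumptions: run as Administrator; the BitLocker module (Get-BitLockerVolume)
# is present on Windows 8 / Server 2012 and later. Older releases fall through
# to the "unavailable" branches.

function Get-TpmSummary {
    # Win32_Tpm is exposed through WMI/CIM and is absent when no TPM driver is loaded.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false; SpecVersion = 'unavailable'
        }
    }
    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        Activated   = [bool]$tpm.IsActivated_InitialValue
        SpecVersion = $tpm.SpecVersion      # e.g. "1.2, ..." or "2.0, ..."
    }
}

function Get-BitLockerSummary {
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ MountPoint = 'n/a'; Protection = 'BitLocker module unavailable' }
    }
    Get-BitLockerVolume | ForEach-Object {
        $protectors = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            Protection    = $_.ProtectionStatus     # On / Off
            VolumeStatus  = $_.VolumeStatus         # FullyEncrypted, FullyDecrypted, ...
            Encryption    = $_.EncryptionMethod
            KeyProtectors = ($protectors -join ', ')
            # A protected volume with no RecoveryPassword protector is the case
            # to flag: nothing is escrowed for central management to recover with.
            NeedsRecovery = ($_.ProtectionStatus -eq 'On' -and
                             $protectors -notcontains 'RecoveryPassword')
        }
    }
}

Get-TpmSummary
Get-BitLockerSummary | Format-Table -AutoSize
```

The NeedsRecovery column is the enterprise-readiness check the two directors above were effectively asking for: a volume that is encrypted but has no recovery protector is protected against the laptop thief and, equally, against the organization's own investigators.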

All the tools evaluated offer centralized management, which is critical in the enterprise. One reason is that while it is important to protect data from the “bad guys,” businesses still need to access information quickly and easily. The Federal Rules of Civil Procedure now require electronic information to be produced as part of the discovery process.

Additionally, organizations want easy access to data for internal investigations. If a centrally managed product is not used, organizations can spend significant amounts of time and money trying to produce data in litigation, and internal investigations can be stopped in their tracks.

If an employee has deployed whole disk encryption, it may be difficult to compel them to provide the password. In a recent ruling in Vermont, Judge Jerome J. Niedermeier stated that a person did not have to supply the password to an encryption program, because compelling a person to enter a password forces him to produce evidence that could be used to incriminate him, violating the Fifth Amendment. (Visit http://www.news.com/8301-13578_3-9834495-38.html for details).

Another advantage to the enterprise tools mentioned above is that they also offer products that can provide encryption to other devices, such as cell phones, PDAs and USB devices.

Keep Your Guard Up
Encryption tools are a great way to protect information. But no organization should think its data is completely protected simply because it has implemented encryption. What users do with the data during the normal workday is still a concern. Information can still be easily disseminated with the click of a mouse. Where are employees placing proprietary data and information? On unsupported devices? On home computers? On online storage sites like Xdrive? And what about paper? Can encryption prevent an executive from printing out large amounts of files and taking them home or giving them to a competitor? Even if an enterprise solution is used, will all devices be supported?

One of the most popular cell phones on the market today is Apple’s iPhone. Neither encryption nor centralized management is available for it. If an executive wants to use an iPhone, can the IT department prevent him from doing so? Granted, the iPhone does not have the ability to transfer files without the use of a third-party tool (iPhoneDrive — http://www.ecamm.com/mac/iphonedrive/ or TouchCopy, http://www.touchcopy.com), but it does have the ability to send and receive e-mail, surf the Internet, and store contact and calendar information.