Encryption for the Enterprise

Oct. 27, 2008
Handheld devices and other mobile computing options can be the weak link in an IT Security plan

We have become a mobile computing society. Laptop computers now outsell desktop computers. Our handheld devices, which used to be simply phones and contact managers, now have the ability to create, store and transmit data quickly and efficiently.

For many business professionals, these mobile computing platforms are a “must have” and contain a great deal of confidential information. While having this information readily available is an extreme benefit from a productivity standpoint, it poses a serious problem from a security and privacy perspective.
Many business professionals still believe that the data on their personal devices and laptop computers is protected because they are required to login to the device using a username and password combination. Many are convinced that if they use a robust password, no one can get the data off of their laptops; however, if the data is only protected by a Microsoft Windows username and password, it is a trivial matter to break into the computer. First, it is possible to boot the computer using one of the many bootable Linux CD’s in existence, such as Helix (http://www.e-fense.com/helix/). A bootable CD can allow someone to access all files on the laptop’s hard drive and copy them onto a USB device. If the laptop does not have a CD or DVD drive installed, one can simply remove the hard drive from the laptop and connect it to another computer.

One of the best ways to protect data is to use encryption. Encryption uses complex mathematical algorithms to change plain text into gibberish, so it is unreadable. Decryption takes this garbled text and converts it back into readable plain text. As with any other security mechanism, some thought and prior planning needs to be completed prior to implementing any encryption mechanism.

File-Level Encryption
One of the easiest encryption options to implement is to use a file level encryption application like Cryptext. Cryptext is a Microsoft Windows shell extension that allows you to encrypt files and folders simply by right-clicking and selecting “encrypt.” One of the advantages of this type of encryption program is that the files remain encrypted until they are manually decrypted. The principal disadvantage of using a solution that encrypts individual files and folders is that they do not encrypt residual files and deleted files.

For example, whenever you create a file using Microsoft Word, 15 temporary files are created in the background. Several of these files contain the same contents as the original file. If you only encrypt the original file, the data it contains could be recovered from one of these temporary files. Granted, it requires special software and knowledge to recover this type of information, but for those with the knowledge, it is easy to do. Encrypting individual files and folders also does not encrypt deleted files, which can be recovered.

Another thing to consider when evaluating a tool such as Cryptext, is that it is not an enterprise-grade tool. If an individual were to use the software on a corporate computer and the individual were to die or become unwilling to provide the password to decrypt the files, it would be challenging to recover the encrypted data.

The Encrypted File System
Another encryption option that has been available since Microsoft Windows 2000 is EFS, the Encrypted File System. EFS is a native part of the Windows NTFS file system and is easy to implement. When you encrypt a folder using EFS, all files within that folder become encrypted, and all files are added to that folder will be encrypted.

To encrypt a folder in Windows XP Professional (encryption is not available in the Home version), you simply right click the folder and select, “Properties.” When the properties window opens, select the “General” tab, and click on the “Advanced” button, and you will be presented with the “Advanced Attributes” window, where you will see the option “Encrypt contents to secure data.” Select that option and the folder will be encrypted. The folder name will change to green. The credentials necessary for encrypting and decrypting the folder are tied to your username and password, so having a robust password is still necessary.

The use of the Encrypted File System is seamless to the user and can be implemented at an enterprise level. If EFS is used on a laptop, it will add a layer of protection to the data that is encrypted; however, it is not foolproof. EFS does not encrypt Microsoft Windows system files. This means that the SAM (Security Accounts Manager) file is not encrypted, so it is possible to extract the SAM file and use Password Cracking software to figure out the passwords.
Microsoft released the Data Encryption Toolkit for Mobile PC’s in 2007 which includes the Encrypting File System Assistant. It can be downloaded at http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/default.mspx.

Whole Disk Encryption
Many organizations uninterested in EFS are looking for a product that offers “whole disk encryption.” These products require a user to provide authentication (smart card, biometrics, password) before the computer boots. One popular whole disk encryption solution is Truecrypt www.truecrypt.com), which is a “Free open-source disk encryption software for Windows Vista/XP/2000 and Linux.”

While Truecrypt works well, organizations should think very carefully before implementing it in an enterprise environment. Truecrypt does not have any back doors, so if an organization needs to access data on the drive and they do not know the password, they will be unable to access the data. If you forget the password, a Truecrypt-encrypted hard drive becomes a brick.

In researching this article, I spoke with security directors from two different large organizations that were evaluating whole disk encryption solutions. One works for a law firm, the other for a firm in the pharmaceutical industry. They both agreed to be interviewed anonymously. They evaluated products from the following vendors: Utimaco, Credant, SafeBoot, PGP, PointSec and BitLocker which is native to Microsoft Windows Vista Enterprise and Ultimate editions. One of them said that they were probably going to use BitLocker because “it is free” — the catch is you must have Microsoft Vista and have the hardware to support it. To really take advantage of BitLocker, the systems must have a Trusted Platform Module (TPM) chip, which is only available in newer systems.

All the tools evaluated offer centralized management, which is critical in the enterprise. One reason is that while it is important to protect data from the “bad guys,” businesses still need to access information quickly and easily. The Federal Rules of Civil Procedure now require electronic information to be produced as part of the discovery process.

Additionally, organizations want easy access to data for internal investigations. If a centrally managed product is not used, organizations can spend significant amounts of time and money trying to produce data in litigation and internal investigations can be stopped in their tracks.

If an employee has deployed whole disk encryption, it may be difficult to compel them to provide the password. In a recent ruling in Vermont, Judge Jerome J. Niedermeier stated that a person did not have to supply the password to an encryption program, because compelling a person to enter a password forces him to produce evidence that could be used to incriminate him, violating the Fifth Amendment. (Visit http://www.news.com/8301-13578_3-9834495-38.html for details).

Another advantage to the enterprise tools mentioned above is that they also offer products that can provide encryption to other devices, such as cell phones, PDAs and USB devices.

Keep Your Guard Up
Encryption tools are a great way to protect information. But no organization should think their data is completed protected simply because they have implemented encryption. What users do with the data during the normal workday is still a concern. Information can still be easily disseminated with the click of a mouse. Where are employees placing proprietary data and information? On unsupported devices? On home computers? On online storage sites like Xdrive? And what about paper? Can encryption prevent an executive from printing out large amounts of files and taking them home or giving them to a competitor? Even if an enterprise solution is used, will all devices be supported?

One of the most popular cell phones on the market today is Apple’s iPhone. Encryption is not available and centralized management is not available. If an executive wants to use an iPhone, can the IT department prevent him from doing so? Granted, the iPhone does not have the ability to transfer files without the use of a third-party tool (iPhoneDrive — http://www.ecamm.com/mac/iphonedrive/ or TouchCopy, http://www.touchcopy.com), but it does have the ability to send and receive e-mail, surf the Internet, and store contact and calendar information.

Options Abound
Encryption is becoming commonplace and readily accessible. It is only a matter of time before encryption is installed by default on our computers. Dell offers what it considers the “World’s Most Secure Notebook,” with the Seagate Momentus 5400 encrypting hard drive. I also looked at the customization options of a Latitude D830 computer, and noticed that the encrypting hard drive was offered at no additional cost.

All of the encryption options available can’t be addressed in a short article. This article is designed to get you thinking about encryption. Before any encryption solution is implemented, additional research should be conducted. This article focused on encrypting data at rest, but organizations should also think about encrypting data in transit. A place to start the research is the whitepaper by Jeremy Gibb, “The challenge of securely storing and transporting large files across a Wide Area Network,” which is available at http://www.sans.org/reading_room/whitepapers/vpns/1946.php.

When evaluating options, initial cost should not be the most important factor. While low-cost solutions exist, they do not necessarily offer the management features and robust capabilities of enterprise tools. A low initial cost can be offset by the high cost of support and management.

John Mallery is a managing consultant for BKD LLP, one of the 10 largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of “Hardening Network Security,” which was recently published by McGraw-Hill. He can be reached at [email protected].