Sep 26 2011

Keep Those Notebooks Safe with Encryption

These tools can help businesses better manage risk.

Every year, thousands of notebook computers go missing around the country. The security administrators responsible for the safety of those systems can be divided into two camps. The first contains those who rest easy because they make use of notebook encryption technology and are confident that their loss is limited to the cost of the notebook. The second group, a much more stressful place to find oneself, contains those who haven’t deployed encryption technology and who must spend hours or days trying to reconstruct the sensitive data that may have been stored on the missing device.

Encryption technology obscures the data stored on notebook computers, rendering it completely inaccessible to users who don’t know the encryption key, which is usually linked to a password, fingerprint or other authentication technology. There are four main options for encrypting notebooks: leveraging the operating system’s built-in security features; purchasing a stand-alone encryption product; licensing a suite of security tools that includes endpoint encryption; or going the open-source route.

Leveraging Operating System Tools

The first place many administrators look for encryption capabilities is between the covers of something they’ve already purchased — the operating system itself. Until recently, this evaluation did not take long: The limited encryption capabilities provided in Microsoft Windows Vista and Mac OS X 10.6 simply didn’t rise to the challenge for businesses that need to manage encryption across multiple systems. With the release of Windows 7 and Mac OS X 10.7 (Lion), however, the market slowly began to shift.

On the Windows front, Microsoft added one of the most sought-after features to the Windows 7 version of BitLocker: the ability to encrypt removable devices. That said, BitLocker adoption is going to be quite slow, mainly because Windows 7 adoption is lagging in many organizations. As long as enterprises have mixed environments, including non-BitLocker versions of Windows, Microsoft’s encryption offering will not be a viable contender.

Apple is further behind on the device-encryption front, but they too have made major strides in their most recent operating system release. Earlier versions of Mac OS X included FileVault (an encryption product that allowed users to encrypt their home directories) but did not offer full-disk encryption. This presented challenges to those seeking to backup their files and protect data stored outside of the home directory, leading many to adopt third-party alternatives. However, Lion has taken a major step forward by offering full-disk encryption for the first time.

The bottom line here for most organizations is that the encryption capabilities provided by operating systems, while tempting, aren’t quite ready for prime time. If you’re a Microsoft shop and you’ve fully adopted Windows 7, you might consider piloting BitLocker. But if you’re in any type of mixed environment, you should probably look elsewhere for endpoint encryption.

Opting for Stand-Alone Encryption

While operating system vendors work to catch up with endpoint encryption functionality, software vendors who produce stand-alone encryption products are seeing changes of their own. Security giant Symantec recently acquired PGP, Sophos bought out encryption vendor Utimaco, and Intel purchased McAfee. The market for these third-party products will likely remain until native operating system capabilities become widely available.

The major appeal of stand-alone encryption products is that most will work across operating system platforms and versions, providing a unified point of management and adding encryption functionality to OS versions that don’t natively provide it. A stand-alone encryption product might be the best choice for an organization that already has other security solutions in place and wants to add endpoint encryption to its toolkit.

Integrating Encryption with Other Protection Tools

While native operating system tools are very popular because of their cost, information security professionals who seek more advanced products are shifting away from stand-alone solutions toward those that integrate with endpoint protection suites, such as the tools available from Intel/McAfee, Sophos and Symantec, among others.

The main driver behind the adoption of these products is the reduced administrative burden they provide for the technical staff. When malware protection, host intrusion prevention, data loss prevention and other security technologies are combined with endpoint encryption functionality in a single product, administrators benefit from a centralized console that provides a one-stop shop for monitoring, policy configuration, agent deployment and reporting. This increases the security staff’s productivity and also the probability that the tools will be used correctly and maintained in an appropriate fashion.

For those who are looking for a comprehensive endpoint security solution, these suites are probably the best way to go, in that they minimize both expenses and administrator time commitment. In fact, the recent consolidation in the stand-alone encryption marketplace points toward continued adoption of the endpoint protection suite approach, as traditional players in the field acquire those who specialize in endpoint encryption.

Evaluating Open-Source Offerings

It would be remiss to discuss notebook encryption without mentioning the final player in the field: the open-source community. The dominant player in this space is TrueCrypt, an open-source product that supports many versions of Microsoft Windows (from Windows 2000 through Windows 7), all versions of Mac OS X later than 10.4 (Tiger), and flavors of Linux using the 2.4 or 2.6 kernel. TrueCrypt’s feature set rivals that of commercial products, including transparent encryption, the use of hardware acceleration and support for removable devices — and to top that off, it’s completely free.

While this might sound like an appealing option, it comes with a catch: There is no commercial support available for TrueCrypt. If you experience an issue, you’re on your own to sort it out. Most organizations simply aren’t willing to accept this lack of support for such a critical security technology.

That said, implementing any type of endpoint encryption across your organization will ensure your place among those system administrators who don’t lose any sleep when a notebook is lost or stolen. Of the many products available, the best bet in today’s market is to purchase a stand-alone encryption product or license the functionality as part of a full security suite.