Over the past few months, we've been exploring different ways to apply encryption to secure confidential business
data in a midsized business. We've looked at the basics of how encryption works and covered the application of encryption to data in transit both by electronic mail and over the Web using HTTPS. Now, we turn our attention to securing data at rest: using encryption to protect it from the prying eyes of thieves who gain physical access to the devices that store it.
As you've no doubt noticed, the past decade brought many changes in portable data storage. Devices have simultaneously shrunk in size, increased in capacity and decreased in price. This has done wonders for our ability to easily transport very large files, but it also poses a security risk, as users can now easily slip a copy of an entire database into their pocket. What happens if they lose the drive along the way or leave it stuck in a computer they used while travelling?
Fortunately, encryption technology allows us to protect the data stored on portable devices from prying eyes. In this tip, we take a look at three specific ways you can use encryption to protect your sensitive information while it's stored on portable media.
Choose devices with built-in encryption
The easiest way to address this problem is to choose portable storage devices that have built-in encryption. Many flash drive manufacturers now produce devices with built-in encryption technologies to satisfy customer demands. Lexar Media Inc. and SanDisk Corp. both produce encrypted devices that comply with the Federal Information Processing Standard (FIPS) for encryption. Specialized devices include those from IronKey Inc. that forego software encryption for more efficient hardware encryption and McAfee Inc.'s Encrypted USB Drive that supplements hardware encryption with biometric authentication.
These devices make it very difficult for a user to make a mistake. By incorporating encryption into the device itself, users have to go out of their way (if it's even possible) to disable the security functionality. When they plug the device into a new computer, they simply authenticate and gain access to the data stored on it. If someone other than the authorized user finds the device and plugs it into a computer, it's useless without the password or correct biometric login. One hurdle you may run into as a midmarket organization is the management of these devices so that authorized individuals can retrieve information from them if the user is unable or unwilling to provide authentication information. While enterprise management products are available to meet these needs, they are quite expensive. On the other hand, if portable devices are used merely to transport data that is also stored elsewhere, this may not be a concern.
Encrypt the device manually
If your budget prohibits the use of built-in portable data storage encryption or you must use specialized storage devices that don't offer this option, all is not lost. You can add encryption to standard storage devices through the use of software. The easiest (and cheapest!) way to do this is with the open-source TrueCrypt encryption package. While it's normally used for hard drive encryption, it's also compatible with USB drives and other portable storage devices. TrueCrypt is a free download and is available for Windows, Mac OS X and Linux.
TrueCrypt's traveler mode allows you to store a copy of the TrueCrypt program on the device so that you won't need to install any specialized software on the computers you use to access your data. When used in this way, TrueCrypt is just as good an option as devices with built-in encryption, but requires a little more work on the front end to configure encryption on each device. As with devices that have built-in encryption, one of the major concerns with using TrueCrypt in the enterprise is proper encryption key management. If the end user forgets the password or leaves the organization, how will you gain access to the TrueCrypt volume? It is possible to protect against this scenario by having the administrator back up the volume header when the drive is originally encrypted, but this is a manual process and requires careful management of the key inventory to ensure keys are available when needed.
Encrypt individual files
If all else fails, you can use software utilities to encrypt individual files before storing them on your device. The easiest way to do this is through the use of a compression utility that supports encryption, such as 7Zip or WinZip. Both of these packages support AES encryption and allow you to create industry-standard encrypted files.
There's an obvious downside to this approach, however. It depends upon the user to remember to encrypt files each and every time he or she stores something new on the device. This is a recipe for failure. The time will come when a user either forgets to encrypt the file before copying it or is simply in a hurry and doesn't want to take the extra minute to encrypt the data. As we all know, Murphy's Law says that instance will be the time a device is lost or stolen. Many administrators feel that you can mitigate this risk by creating a policy that requires users to take the time to encrypt sensitive documents, but these policies are often ignored by hurried users unless they are strictly enforced with clear consequences.
There are many options available to help you protect the data stored on portable storage devices, no matter your budget. Using hardware-based encryption is clearly the easiest option, but it's also the most costly, as it requires the purchase of specialized hardware. Software encryption with a tool like TrueCrypt is a good cost-conscious alternative, but it increases the demand on administrator time. If all else fails, users can encrypt their own files using a file encryption program, but this approach is highly error-prone, as it requires that users remember to encrypt sensitive files each time they are stored on the device. One of these options should be sufficient for nearly any data storage scenario, leaving you with no excuse for not deploying encryption on all of the devices used by your organization. If it's not already a matter of security policy, it's time to modify your policy!
About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.