
Depending on whose research report you read, 40% to 60% of enterprise data now resides on mobile end point devices – laptops, PDAs, smart phones, and portable storage media such as USB flash drives and CDs. Without question, these mobile devices enhance workforce productivity but they also put sensitive enterprise data at risk. The Privacy Rights Clearinghouse reported over 218 million instances of compromised data records last year [1], many of which were the result of mobile computers – or their storage peripherals – that went missing.
The sheer volume and increasingly damaging consequences of data security breaches are forcing prudent organizations to re-examine how their enterprise information is stored, and the measures in place to protect it. New privacy and security regulations are governing data protection practices as well.
This article reviews some of the factors driving demand for mobile data protection, the proven controls for protecting enterprise data, as well as some of the considerations for evaluating end point data protection solutions.
A number of trends are driving requirements for mobile data protection. Deployments of portable computing devices – laptops, wireless handhelds, PDAs, cell phones – are increasing sharply. The capacity of these devices to store valuable content – both business and personal – is increasing as well. It is not uncommon for an iPod to store hundreds of dollars worth of downloaded music. The business information stored on a typical executive’s laptop is no doubt worth considerably more.
Estimates now suggest there are as many as three billion cell phones in use around the world. Considering the earth’s population is about 6.6 billion, the penetration of these devices is truly remarkable.
Another clear trend is the steady migration from desktop to laptop PCs, as businesses look to empower their mobile workforces with new applications. Many of these applications require that customer or proprietary information goes into the field, and therein lies the problem. While data mobility is a new business imperative, employees lose laptop computers at alarming rates.
One of every 10 laptops will be lost or stolen over its lifetime. 89% are never recovered.
The concern in many cases is not the laptop, but rather the sensitive information stored within. Recent estimates suggest the average cost of a security breach is around $150 to $200 per compromised data record. Clearly, a compromised database can easily outstrip a laptop in terms of lost value.
The threats to data have intensified in recent years as well, as hackers have become better organized. Motivated by the prospect of financial gain, cyber-criminals have made identity theft ‘the crime of the 21st century’, with losses in the U.S. running at around $50 billion a year.
In response to growing concerns over identity theft, a complex array of privacy regulations has been introduced in recent years. The EU Data Privacy Directive (European Union), the Gramm-Leach-Bliley Act (USA), the Health Insurance Portability and Accountability Act (USA), and the Personal Information Protection and Electronic Documents Act (Canada) are examples of legislation that require corporations to collect, retain and use personally identifiable information or ‘PII’ more responsibly.
With individuals’ identities under relentless attack, government and industry regulators are beefing up these privacy regulations to force custodians of PII to adopt stronger data protection policies. The new incentive – a stick rather than a carrot – comes in the form of ‘breach notification’ amendments.
Breach notification legislation (the foremost example being California Senate Bill 1386) requires organizations to disclose breaches of PII to affected individuals in the ‘most expedient manner possible’. The legislation is intended to mitigate losses by alerting potential victims of identity theft so that they can better protect themselves. Notification usually requires some form of a public statement, backed up by a call centre for victims. Here they can make inquiries and access any support services, such as credit monitoring services, proffered by the negligent organization.
Now introduced in over 35 U.S. states, breach notification legislation exposes organizations that fail to properly safeguard PII. It is the risk of bad publicity and potential loss of customer trust that are changing organizational data security policies and practices. Data encryption in particular is gaining in popularity for one compelling reason. Breach notification legislation often includes safe harbour provisions, in which organizations are not required to disclose breaches of PII if it is encrypted. Encryption is analogous to a ‘get out of jail free card’ in these instances.
Is data encryption the answer?
While encryption is part of a comprehensive data security strategy, it is not a panacea. Effective data protection requires ‘layers of security’ [2] – policies, procedures and technologies that reinforce one another to achieve organizational security goals.
Companies must also develop a culture of security in which employees fully understand the need for data protection, the implications of a security breach, and the processes and technologies in place to safeguard PII and other valuable data assets.
In fact, data encryption without user authentication is of no use in protecting enterprise data: it is analogous to a locked door to which everyone has the key. However, when data encryption is combined with strong user authentication, it is the most effective control for protecting sensitive data stored on mobile computers and portable media.
User authentication is strongest when performed at ‘pre-boot’, after system start-up but before the operating system loads. Pre-boot user authentication prevents unauthorized users from bypassing the data encryption layer. Authentication is further strengthened when it requires multiple steps or ‘factors’ to successfully identify authorized users. ‘Multi-factor user authentication’ typically requires ‘something you know’ (a password) combined with ‘something you have’ (a token or smartcard) or ‘something you are’ (a fingerprint).
Data encryption solutions for laptops should seamlessly integrate with a wide range of authentication methodologies such as passwords, smartcards, USB tokens, biometrics and TPM, at pre-boot.
Drilling down a little further, sector-by-sector, full-disk encryption (FDE) is the most secure method for protecting data stored on hard drives and portable media. Unlike file or folder encryption, FDE encrypts the entire disk, including the operating system, application software, user data, the recycle bin and swap files. Security administrators need not be concerned that copies of sensitive data are left inadvertently in the clear within ghost or temporary files. FDE encrypts file names (and other metadata used to identify files), rendering them ‘invisible’ to potential attackers. It is highly transparent technology, requiring little user intervention.
‘Advanced Encryption Standard’ or AES is the new standard cipher algorithm for data encryption. It has been analysed extensively and is currently being deployed on a large scale. The vast majority of mobile data encryption solutions support AES.
Enterprise-Class Management – the key to successful deployment
There are several other important attributes to consider when selecting a mobile data protection solution. Ease of deployment, management and use are surfacing as key purchasing criteria among pragmatic buyers. Vendors are being challenged to drive down the cost of ownership while ensuring the end user’s experience is not unduly impacted (see sidebar ‘Lowering the Total Cost of Ownership’).
Without centralized management, enterprise organizations would find it virtually impossible to configure, install and manage data encryption across large user groups. Fortunately, there are management tools that reduce the hands-on effort required to roll-out these solutions.
Centrally-Administered Security Policies
A number of security policies have to be defined before a data protection solution can be deployed – password rules, acceptable use policies for portable media, and users’ rights to make configuration changes, to name a few. Centralized security policy configuration makes it easier for administrators to set up and maintain data security policies. It also ensures consistent application and enforcement of policies across large groups of users.
Centralized Deployment
Once the policy configuration has been defined, there are management tools to ‘push’ the encryption software to large numbers of users from one central location. These tools install software in the background, without user or (local) administrator intervention. Deployment is further simplified by synchronizing users and user groups with LDAP servers, such as Microsoft Active Directory. Up-to-date user information is maintained in one place (instead of two or more) thus reducing duplicate efforts.
Consolidated Management of Multiple Platforms and Point Solutions
Large organizations are typically heterogeneous IT environments, comprising a wide variety of computing platforms – Windows, Mac OS, Linux, Symbian – and invariably a mix of end point security solutions from multiple vendors. Data protection solutions typically support a broad range of computing platforms and operating systems. In addition, best-of-breed management systems consolidate support for multiple end point solutions – full-disk encryption, file and folder encryption, port control, anti-virus, data loss prevention, etc. – under one console. The efficiencies realized from the ‘single, extensible console’ serve to further reduce IT operating expenses.
Key Management and Data Restoration
Enterprise-class management systems make it simple for security administrators to back-up encryption keys and restore them if necessary to access encrypted data archives. These systems should scale to accommodate millions of encrypted data objects – disk drives, USB sticks, files, folders, e-mails, database records – and millions of encryption keys. A single instance of the management application should support the requirements of large enterprises from one central location. The application should also automatically provision encryption keys to authorized users so they can easily share access to encrypted data objects.
Proving Compliance – The Audit Trail
Privacy laws mandate that organizations must be able to prove that – in the event of a lost or stolen end point computer – any PII stored on the system was adequately protected. If they are unable to do so, organizations are required to act as if the data was not protected (and notify those individuals whose PII was compromised). It is therefore critical that an encryption solution provides an audit trail that clearly demonstrates, on a system-by-system basis, when data safeguards were in place. It is equally important that, once these safeguards are implemented, they cannot be removed or disabled by users.
Performance Considerations
Data protection solutions that use the computer’s main CPU for encryption and decryption operations will degrade system performance. However, faster CPUs and the intelligent disk caching features of newer operating systems have made this degradation negligible, typically on the order of 2% to 3% for mature full-disk encryption software from proven vendors.
Hardware-based data encryption products, such as the Seagate Momentus 5400 FDE.2 encrypting hard drive, do not rely on the host CPU for cryptographic operations. With dedicated cryptographic processors, these offerings can be even more efficient.
Summary
The growing proliferation of mobile computers and portable storage media has made it increasingly difficult to protect PII and other sensitive data assets. With identity theft on the rise, new privacy legislation, fortified with breach notification requirements, is prompting corporations and government departments to bolster data protection measures.
Encryption and strong, multifactor pre-boot authentication work hand-in-hand to protect sensitive data entrusted to your mobile workforce. These controls are just the starting point. Today’s end point data protection solutions offer centralized management systems to streamline deployment and day-to-day administration, reducing the total cost of ownership.
About WinMagic
WinMagic, the innovative leader in end point data protection, provides the world’s most secure, manageable and easy-to-use encryption solutions.
WinMagic’s SecureDoc protects sensitive personal information and proprietary data stored on laptops, PDAs and portable media, such as USB drives and CD/DVDs. Enterprise and government organizations around the world rely on SecureDoc to minimize business risks, meet privacy and regulatory compliance requirements, and protect valuable information assets. They find SecureDoc’s enterprise-class, centralized management tools reduce IT operating costs, while its transparency and intuitive client software ensure high user acceptance and productivity.
With a full complement of professional and customer services, WinMagic supports over three million SecureDoc users in 43 countries. For more information, please visit www.winmagic.com, call 1-888-879-5879 or e-mail us at info@winmagic.com.
Lowering the total cost of ownership
Organizations are looking for ways to reduce the total cost of deploying and managing mobile data protection solutions. Centralized, enterprise-class management systems offer a number of features to help drive down IT operating costs:
Enhancing the end user’s experience
End users are motivated to circumvent security controls if they are intrusive or impede productivity. Mobile data protection solutions can enhance the user’s experience to ensure high acceptance and maintain productivity:
WinMagic Inc.: www.winmagic.com
200 Matheson Blvd. West, Suite 201
Mississauga, ON L5R 3L7 Canada
References:
[1] www.privacyrights.org, February 28, 2008.
[2] This layered approach is described in military circles as ‘defence in depth’.