7.31.2008

We really mean it this time- protect the data!

I know aspects of this were reported and blogged upon in February-March of this year; however, the release of a US GAO report on government disk encryption prompted us to make another pass...

Firewalls, intrusion detection systems, access controls, security suites, tokens, smart-cards. Corporations and governments throw a lot of money at the information security problem, only to fall on their faces in a critical area: protecting data at rest!

Encrypted transmission pipes aren't enough. Fine, your email is encrypted. Then you save the attachment to your hard-disk- an unencrypted hard disk. The black hat gods are surely pleased by your sacrificial offering.

They smile even larger when it is a US government computer.

The US Government mandate: "Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing..."

Yet GAO claims 70% of the laptops in use are not encrypting their data! Wow...

And don't let me get started on the fact that the data at rest that is most at risk isn't on a laptop-in-transit at all. It's your office workstation... or the file servers. Why don't we mandate encryption of those? If the technology isn't mature, robust or fast enough... throw money at the problem. Drive toward total encryption.

There are two major categories of encryption:
- disk encryption
- file-system level encryption

Which do you need? Quite possibly both.
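The 70% figure above came out of an audit; here is what the same check looks like on a single Linux box, as an added example that is not from the original post. It reads the output of `lsblk -P` (a constructed sample is embedded below, not captured from a real host) and reports every mounted filesystem or swap area that has no dm-crypt layer between it and the platter. The `EXPECTED_PLAINTEXT` set and the function names are this example's own assumptions, not anything from the GAO report.

```python
import re

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output
# (not captured from a real host): a LUKS-backed root, a plaintext EFI
# partition, plaintext swap, and a second disk at /data with no encryption layer.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"
"""

# Mount points that are plaintext by design (the bootloader must read them
# before any passphrase is entered). Assumed set for this example; reported
# separately rather than as findings.
EXPECTED_PLAINTEXT = frozenset({"/boot", "/boot/efi"})

# One KEY="value" pair as printed by `lsblk -P`; values may contain escapes.
_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_lsblk_pairs(text):
    """Parse `lsblk -P` output into a dict of field dicts keyed by device NAME."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(_PAIR.findall(line))
        if "NAME" in fields:
            devices[fields["NAME"]] = fields
    return devices


def has_crypt_ancestor(name, devices):
    """True if the device, or any parent up its PKNAME chain, is a dm-crypt layer."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        dev = devices[name]
        if dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def audit_mounts(text, expected_plaintext=EXPECTED_PLAINTEXT):
    """Return (findings, expected): sorted lists of (mountpoint, device) for every
    mounted filesystem or swap area with no block-layer encryption beneath it."""
    devices = parse_lsblk_pairs(text)
    findings, expected = [], []
    for name, dev in devices.items():
        mnt = dev.get("MOUNTPOINT", "")
        if not mnt:
            continue  # not mounted, nothing readable at rest via this path
        if has_crypt_ancestor(name, devices):
            continue  # protected by dm-crypt somewhere below the filesystem
        (expected if mnt in expected_plaintext else findings).append((mnt, name))
    return sorted(findings), sorted(expected)


if __name__ == "__main__":
    findings, expected = audit_mounts(SAMPLE_LSBLK)
    for mnt, name in findings:
        print(f"UNENCRYPTED at rest: {mnt} on {name}")
    for mnt, name in expected:
        print(f"plaintext by design: {mnt} on {name}")
```

Swap is reported as a finding on purpose: it is where RAM contents end up on disk. Note what the check cannot see: it only recognizes block-layer encryption (LUKS/dm-crypt). File-system level encryption such as eCryptfs never appears in `lsblk`, so a clean report here says nothing about the second category above, which is one more reason the honest answer is "quite possibly both."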

Q: Okay, I have full disk encryption on my laptop. I'm safe, right?
A: Well, you are doing better than 70% of the US government; however, that isn't saying much. Put a password on that boot-up to slow down the bad guy while the data in your RAM fades...

Okay, done. Am I safe? Probably not. As the venerable Bruce Schneier has stated (paraphrased), "if you think encryption is the answer, then you don't understand the problem." Key management, correct implementation of the encryption, and compromises that get inside the encrypt/decrypt chain are all challenges.

However, it's a start. Raise the bar...

A few links you may find interesting reading:

Wikipedia: Full disk encryption
Wired article on disk encryption and potential pitfalls