As critical data continues to leave the office in laptops, PDAs and cell phones, the need for more efficient ways to secure it is growing exponentially.
In Part 1 of this two-part series, we examined how serious the issue of mobile device theft has become, and how deeply businesses and government institutions have been affected by it. In Part 2, we’ll look at some of the solutions security companies have come up with to deal with the challenge of securing mobile device-based data.
“One of the biggest challenges — particularly on the security front — is to stay abreast of changing circumstances … [and respond] to specific problems that arise,” explained Kirk Nahra, a Wiley, Rein & Fielding partner specializing in privacy and information security issues.
Nahra and his team specialize in legal and consulting work related to privacy and security compliance for companies in heavily regulated industries such as healthcare, insurance and financial services. Nahra has been called in many times to make recommendations to companies in the wake of data security breaches.
Taking a Proactive Approach
“For example, there has been a plethora of stories recently about stolen laptops,” Nahra told the E-Commerce Times. “A responsible company would be reviewing these problems and identifying what changes can be taken in the company’s own dealings with laptops, [such as] increased encryption, reduced storage of [laptop-based] data, and harder passwords. Companies need to be reassessing their security programs on an ongoing basis.”
Regular security assessments can go a long way toward ensuring data security, but they are not ironclad preventive measures. “While policies can be established and end-users can be educated on them, it’s really hard to ensure that policies are followed in practice,” said Eric Skinner, vice president of product management and alliances for Dallas-based Entrust.
“Information protection technologies are not going to be effective if they rely on end-users to take specific action or be inconvenienced in some way,” he told the E-Commerce Times. “The solution is to make encryption automatic and transparent, which ensures compliance with the policy.”
You don’t have to be a rocket scientist, or anything even close, to exploit computer software and network vulnerabilities, Skinner added. “It does not require a high level of technical skill for an attacker or casual criminal to bypass the Windows password protection on a stolen or found laptop and gain access to confidential information. For example, one can easily boot Linux from a CD-ROM drive and start browsing the hard drive without entering any passwords. Without some kind of encryption capability to supplement the Windows login prompt, the hard drive is wide open.”
Data Retrieval a No-Brainer
Portability makes a thief’s task that much easier. Mobile devices often contain information that can be used to intrude on private networks. “Besides accessing sensitive data on these laptops, thieves often find dial-in numbers and passwords that enable them to remotely access corporate networks. An FBI study cited by the Meta Group found that roughly 50 percent of attacks against corporate networks stemmed from access codes found on stolen laptops,” Skinner pointed out.
“By far, stealing mobile computers is the easiest way to get to the information,” agreed Bob Egner, vice president of product management for Lisle, Ill.-based Pointsec Mobile Technologies.
“You do not need sophisticated methods of hacking. The simplest technique is to just take the computer, remove the hard drive or other storage device, place it into a computer you have access to, and read the data,” he told the E-Commerce Times. “In other words, you don’t have to be a hacker to get to the valuable information stored on the device.”
The predominant approach to protecting sensitive data on laptops is full disk encryption, Skinner explained. “With this approach, a customer deploys software that transparently keeps an entire hard drive encrypted, with transparent decryption occurring as a user accesses data. The user does not notice a performance impact and is not involved in the decision to encrypt data.
“Solutions that protect only specific files and folders are usually problematic,” Skinner continued, “because they require a user to store data in the correct protected folders, and often don’t protect temp files, operating system swap files and the like.”
The Productivity vs. Security Trade-Off
The proliferation of removable storage media, while offering the potential to greatly enhance worker productivity, also adds to the risk of data loss associated with portable devices.
“The complement to disk encryption is a solution that protects removable media such as USB drives and CD-R burners. Removable media is tremendously important as an enabler of communication inside a workgroup, but [it] exposes organizations to risk, as these devices are easily mislaid. The best solutions here automatically encrypt any data copied to removable media without any impact to the user,” Skinner said.
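The contrast Skinner draws above, between folder-level encryption and transparent full-disk encryption that also covers temp files, swap and removable media, can be made concrete with a small simulation. The following is an added example written for this article, not code from Entrust or any other vendor named here: it models a drive as an in-memory map of paths to the bytes physically stored, runs the same "workday" (save a report, let the word processor autosave it, let the OS page memory out, copy the file to a USB stick) against both designs, and then asks what a thief who pulls the drive or boots a live CD could read without a password. The stream cipher, the passphrase-to-key derivation and the file paths are all constructed for the demonstration and are not how any real product works.

```python
import hashlib
import hmac
import os

SECRET = b"ACCOUNT 4417-1234 SSN 078-05-1120"  # constructed sample data, not real
DOCUMENT = b"Quarterly customer report\n" + SECRET + b"\n"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-mode stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    XOR is its own inverse, so the same call encrypts and decrypts.
    Demonstration only: no integrity protection, not a production FDE cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Disk:
    """In-memory medium: path -> the bytes physically present on the platter.
    Someone who removes the drive or boots a live CD sees exactly this dict."""

    def __init__(self):
        self.raw = {}

    def residue(self, needle: bytes):
        """Paths where the needle is readable in the clear without any password."""
        return sorted(p for p, b in self.raw.items() if needle in b)


class FolderEncryptionStore:
    """File/folder encryption: only writes under `protected` are encrypted."""

    def __init__(self, disk: Disk, key: bytes, protected: str = "/home/user/secure/"):
        self.disk, self.key, self.protected = disk, key, protected

    def write(self, path: str, data: bytes) -> None:
        if path.startswith(self.protected):
            nonce = os.urandom(16)
            self.disk.raw[path] = nonce + keystream_xor(self.key, nonce, data)
        else:
            self.disk.raw[path] = data  # temp files, swap, USB: stored in the clear

    def read(self, path: str) -> bytes:
        raw = self.disk.raw[path]
        if path.startswith(self.protected):
            return keystream_xor(self.key, raw[:16], raw[16:])
        return raw


class TransparentDiskStore:
    """Full-disk style: every write, whatever the path, is encrypted before it
    reaches the medium; the key is released once at pre-boot authentication."""

    def __init__(self, disk: Disk, key: bytes):
        self.disk, self.key = disk, key

    def write(self, path: str, data: bytes) -> None:
        nonce = os.urandom(16)
        self.disk.raw[path] = nonce + keystream_xor(self.key, nonce, data)

    def read(self, path: str) -> bytes:
        raw = self.disk.raw[path]
        return keystream_xor(self.key, raw[:16], raw[16:])


def simulate_workday(store) -> None:
    """The user does everything right and saves the report in the protected
    folder, but the application and OS also write copies the user never chose."""
    store.write("/home/user/secure/report.doc", DOCUMENT)
    store.write("/tmp/~report.tmp", DOCUMENT)                            # editor autosave copy
    store.write("/pagefile.sys", b"\x00" * 64 + SECRET + b"\x00" * 64)  # memory paged to swap
    store.write("/media/usb/report.doc", DOCUMENT)                       # copied to removable media


def compare(passphrase: str = "correct horse") -> dict:
    """Run the same workday under both designs; return the plaintext leaks of each."""
    key = hashlib.sha256(passphrase.encode()).digest()  # toy KDF, for the demo only
    results = {}
    for name, cls in (("folder", FolderEncryptionStore), ("transparent", TransparentDiskStore)):
        disk = Disk()
        store = cls(disk, key)
        simulate_workday(store)
        # The legitimate, authenticated user still reads the file back unchanged.
        assert store.read("/home/user/secure/report.doc") == DOCUMENT
        results[name] = disk.residue(SECRET)
    return results


if __name__ == "__main__":
    for scheme, leaks in compare().items():
        print(f"{scheme:12s} plaintext copies readable offline: {leaks or 'none'}")
```

Under the folder scheme the report itself is protected, yet the autosave file, the swap file and the USB copy all carry the secret in the clear, which is exactly the gap the quoted vendors describe; under the transparent scheme the user's experience is identical but no path on the medium yields the secret, because the encryption decision was never left to the user or the application.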
Entrust offers full hard disk, removable media, PDA and smartphone encryption as part of its information protection platform, including FIPS-140, CC EAL4 and BITS third-party validations. These can be integrated with the PKI (Public Key Infrastructure)-based authentication technologies that are widely deployed inside the U.S. Federal Government, which Entrust, as well as other vendors, also provide.
Despite facing a growing number of data security threats, it is both possible and practical for individuals, businesses and government agencies to effectively ensure that data on their laptops, PDAs, smartphones and removable storage devices is secure.
“Laptop theft wouldn’t be as much of a threat if companies knew what data was being stored on [devices] such as laptops. Tools that discover and protect confidential information could render the laptop useless to anyone with malicious intent,” Joseph Ansanelli, Vontu’s CEO and a data loss prevention expert, told the E-Commerce Times.
“This isn’t about locking your laptop in your car or keeping an eye on it at an Internet cafe,” he stressed. “It’s about making sure the data is not there or is impossible to read.”