Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

Simple hardware approaches to secure laptops

http://blogs.techrepublic.com.com/security/?p=662

Date: November 17th, 2008
Author: Paul Mah
Category: Encryption, Risk Management, Security
Tags: Laptop Computer, Notebooks, Hardware, Notebooks & Tablets, Paul Mah, Hard Drive, Disk Drive, USB Flash Drive, Encryption, Seagate Momentus Full Disk Encryption

Users are increasingly buying laptops and netbooks, attracted by their portability and low prices. The inevitable result is more employees bringing personal laptops into the office, where they are used to access and store corporate data. Here are some ways to mitigate the risks of data breaches.

————————————————————————————————

As evidenced by cases of mega data breaches of late, properly securing portable computers is problematic even for bigger organizations. In addition, the advent of low cost laptops and netbooks has resulted in a proliferation of such devices as consumers flock to them. The inevitable result is that these users will demand to be allowed to use these machines to access work-related data and networked systems. Indeed, shipments of laptops have already overtaken that of traditional desktops, further increasing the urgency of this issue.

There is no doubt that some very fancy - and expensive - enterprise-grade solutions exist. But in a time of economic uncertainty, the pertinent question has to do with how a corporation can quickly and easily enhance the security of these personal laptops with a limited budget.

I look at a few easy-to-deploy hardware-based solutions here.

Full disk encryption with Trusted Platform Module

One obvious solution for a company sourcing for new laptops would be to specifically request hardware with full disk encryption (FDE) hard disks that are secured by an on-board Trusted Platform Module (TPM) chip. The combination of hardware-based encryption coupled with a hardware-anchored authentication mechanism makes it an unbeatable combination in terms of security.

It must be pointed out though, that FDE does nothing to mitigate the risk represented by service personnel with temporary access to a system. This is best exemplified by the case of Hong Kong-based actor Edison Chan who had service personnel pinch a whole bunch of scandalous photos showing him being intimate with various actresses when his personal laptop was sent in for servicing. The scandal cut short his acting career in Hong Kong. As such, any FDE-related only makes sense if servicing is done by in-house IT personnel.

However, I must say that it is not all that likely for the security administrator to be fortuitous enough to encounter this “perfect” combination of hardware in a laptop at this point in time, which moves us to the next option.

FDE hard disk drive

Recent developments have seen a major vendor shipping its third generation of FDE hard disk drives that are also sold directly to consumers. The newest Seagate Momentus FDE is unique in that it comes in two modes: one is targeted at the enterprise with a firmware that works with special management software, such as McAfee’s ePO to configure and manage drives.

On the other end, there is a BIOS mode, where a BIOS-level password is used to authenticate the user before the computer is started. This opens the door for organizations to easily retrofit Momentus drives into existing laptops. The obvious advantage here is that the encryption is OS-independent, with the hard disk drive writing at full speed.

As such, if budget permits, swapping out the standard hard disk drive in laptops with Seagate’s Momentus FDE in BIOS-level protection mode makes perfect sense. In the case of budgetary constraints, or where users are not agreeable to such a move though, the next hardware-based solution would be to get users to rely on encrypted flash drives.

Encrypted flash drives

A more moderate and less invasive approach here would be to issue out personal flash drives with an on-board authentication and encryption. What it means is that all data on these flash drives are encrypted on-the-fly as they are copied in. They will only be “unlocked” and made accessible upon furnishing the correct password.

Now, encrypted flash drives have been around for a while. The IronKey might be one such option for your consideration, though similar devices are now widely available on the market. It is important to note that many cheaper variants might not actually offer hardware-based encryption, or have blatant gaps in their authentication mechanism that effectively nullify their security mechanism.

Obviously, user training will be required, especially since the drive capacities for such specialized flash drives are still relatively low at between 4GB to 8GB. However, I believe it will be relatively easy to train even novice users to recognize that only data on the encrypted flash drive should be considered secure. Another added advantage would be that users will become more conscious of following backup procedures as well, making it the best compromise between options.