You can't secure what you don't acknowledge.SM

Tuesday, October 2, 2007

What's it going to take to encrypt laptop drives?!

So, the latest in the lost laptop world is that 800,000 job applicants of Gap, Inc. now have their personal information exposed. Apparently the laptop was stolen from the office of an "experience third-party vendor". Experienced in what? Not taking security seriously? Apparently the contractor wasn't using encryption, which was in violation of an agreement it had with Gap, Inc. You mean contracts aren't enough to protect information? Go figure.

Gee folks, how many more "incidents" are we going to read about over the next decade that can be traced back to someone - likely in management - not investing in laptop and mobile drive encryption? Just look at all of the stolen laptop breaches documented here. What is it going to take to make people realize that mobile devices are at risk and their drives need to be encrypted!!??

Yep - I said drives, not folders, not partitions, and not data. As long as software and users are involved, I'm not convinced anything other than encrypting the whole disk is foolproof. When you use other types of encryption controls, you're depending on applications and people to make sure that sensitive information goes where it needs to go. You can't rely on this. All it takes is an application or a user storing one single sensitive document outside of the encrypted area - like the Windows desktop, the local temp directory, or application directories - and it's as good as an unencrypted drive at that point.
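To make the spill problem concrete, here is an added audit script (example code, not from the original post) that walks the locations named above, the desktop, the local temp directory and application directories, and reports sensitive-looking files that sit outside a folder standing in for the encrypted area. The profile layout, file names and suffix list are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Spill points the post names, relative to the user profile (Windows-style
# names are a constructed assumption; adjust for the platform being audited).
SPILL_DIRS = ("Desktop", "AppData/Local/Temp", "AppData/Roaming")
# Suffixes treated as "looks like a sensitive document" (assumption).
SENSITIVE_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".csv", ".txt"}

def find_spilled_files(profile_root, encrypted_root):
    """Sensitive-looking files in spill dirs but outside the encrypted container."""
    profile_root = Path(profile_root).resolve()
    encrypted_root = Path(encrypted_root).resolve()
    spilled = []
    for rel in SPILL_DIRS:
        base = profile_root / rel
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in SENSITIVE_SUFFIXES:
                continue
            resolved = path.resolve()
            if encrypted_root in resolved.parents:
                continue  # inside the encrypted area, so not a spill
            spilled.append(resolved.relative_to(profile_root).as_posix())
    return sorted(spilled)

def build_sample_profile(root):
    """Create a constructed sample profile; returns the 'encrypted' folder."""
    files = {
        "Desktop/Secure/applicants.xlsx": "ssn,name",       # inside the container
        "Desktop/applicants - Copy.xlsx": "ssn,name",       # user copied it out
        "AppData/Local/Temp/applicants.csv": "ssn,name",    # app export in temp
        "AppData/Roaming/vendorapp/cache.txt": "ssn,name",  # application directory
        "Pictures/holiday.jpg": "",                         # not a spill location
    }
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return Path(root) / "Desktop" / "Secure"

def demo():
    """Build the sample profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_spilled_files(tmp, build_sample_profile(tmp))

if __name__ == "__main__":
    for spilled in demo():
        print("outside encrypted area:", spilled)
```

Three of the four "sensitive" files end up flagged even though the user only ever saved one copy into the protected folder, which is exactly why the post argues for encrypting the whole drive instead.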

I paid less than $200 per license to encrypt my drives with PGP's whole disk solution. The annual maintenance is less than that. And this is for their personal/SMB product. Their enterprise licensing for a centrally-managed solution is not expensive either - especially when you consider the value you get. I'm only touting PGP because that's the solution I've used for years. I know there are others out there, both free and commercial.

Good encryption doesn't guarantee good security, but it does show that you take security seriously and will keep your organization out of the data breach notification mess. Paid or free - for crying out loud - get something to encrypt those mobile drives! Anything to the contrary is dangerous, careless, and inexcusable.