Computerworld - Lost backup tapes may be the IT security issue du jour, but stolen laptops are a bigger and more intractable problem. Critical business data walks out the door every day on notebook computers. Increasingly, those devices are going missing.
Laptops are easy targets because of their portability. That makes restricting physical access all but impossible. Just recently, for example, two laptops stolen from a human resources service provider put the names and Social Security numbers of Motorola employees at risk . At Wells Fargo last fall, information on thousands of the bank's borrowers was compromised when three laptops were stolen from a subcontractor . In both cases, the data wasn't encrypted.
Therein lies another problem. All too often, logical security controls that could protect data simply aren't used. While encryption provides an obvious remedy for securing backup tapes in transit, there are no easy fixes for securing those very personal mobile computing devices -- only trade-offs.
Encryption slows down performance, which may irritate power users. And employees may view biometric devices, smart cards and other access-control mechanisms as burdensome. Unfortunately, the people whose laptops have the most sensitive data tend to be the ones who have the least patience dealing with layered security.
Yet the consequences of inaction are increasingly public, thanks in part to the law known as California SB 1386, which requires companies to notify customers of data breaches. Had Wells Fargo required its subcontractor to encrypt all data, it wouldn't have had to notify customers of the theft.
Any machine that has the potential to hold sensitive data or e-mail should be encrypted. But don't bother with Windows XP's Encrypting File System. "If you know your Windows password, you know the keys to the hard drive. There are a lot of ways to hack that," says Clain Anderson, director of wireless and security at Lenovo.
Full disk encryption works better because it's transparent: Users don't have to be trained -- and trusted -- to save all their data in an encrypted folder. Most approaches use the Triple Data Encryption Standard algorithm to encrypt data, which is very secure. But the encryption keys still must reside on the disk. Some laptops, including some of Lenovo's ThinkPads, store this data on a security chip based on the Trusted Platform Module (TPM) standard.
"That gives you a gatekeeper so your passwords and digital certificates can be protected and aren't just laying around on the hard disk somewhere," says Anderson. If employees forget their password, they're locked out, but a separate administrator password can be configured for support
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
