
Frankly Speaking: Encrypting end user data is tough to do

August 4, 2008 12:00 PM ET

Computerworld - This version of the story originally appeared in Computerworld's print edition.

Encryption is hard. Case in point: the U.S. government, which requires its agencies to encrypt all sensitive data on laptops and mobile devices. But according to the Government Accountability Office, as of last year, 70% of such devices didn't encrypt -- and the other 30% weren't in great shape either.

The GAO just released a report that audited 24 agencies and departments for their mobile encryption implementations. It included trouble spots like the Department of Veterans Affairs, which in 2006 lost a laptop containing the personal information of 26 million vets and military personnel, and the Commerce Department, which has lost more than 1,000 laptops since 2001.

You already know the headline conclusion: At the time of the audit, June to September 2007, more than two-thirds of the mobile devices in these 24 agencies weren't using encryption at all.

But that's not the interesting part. The GAO also found that, in many cases, even the devices believed to be encrypted had problems. Sometimes the encryption wasn't actually installed. Or it wasn't configured correctly. Or it hadn't been turned on. Often, users hadn't been trained, sensitive information hadn't been inventoried, and crypto key control procedures hadn't been established.

You can read the gory details by downloading the report (it's on the Web at www.gao.gov/new.items/d08525.pdf). The real horror stories start on page 29.

(Predownload quiz: Guess which department hadn't installed encryption on any laptops, even though officials insisted that it had? Guess which hotshot technical agency said it had no way of telling whether encryption software had been successfully installed on a laptop? And guess which department's employees never used encryption because no one told them it was installed?)

Even if you don't care about the dirt turned up by the audit, you should download the report. It includes a remarkably readable crib sheet on the different types of encryption for mobile device hard disks (full disk, file, folder, virtual disk), communications (VPNs, digital signatures and certificates) and handheld devices.

It also gives a good rundown of the categories of problems the agencies ran into with their encryption efforts, as well as a table listing the actual volume pricing that government agencies are getting. (One nice non-horror story from the report: The Department of Agriculture cut its own deal for 180,000 encryption licenses at $9.63 each, way below even the best government price schedule.)

In short, it's a useful, practical overview of the ups and downs of putting encryption on laptops, portable drives and BlackBerries. And it's based on real-world experience -- even if, for most government agencies, that experience hasn't yet translated into success.




Frank Hayes
