Data Security on Field Laptops

Transcription

1 Data Security on Field Laptops IFD&TC May 21, 2007 Joseph Nofziger and Reginald Pendergraph Cornwallis Road P.O. Box Research Triangle Park, North Carolina, USA RTI International is a trade name of Research Triangle Institute

2 Background Field (CAPI) Surveys Laptops dispersed Contain sensitive information Risk of equipment loss/theft 2

3 Why Worry? Protect Respondents Confidentiality Identity Theft Protect your Clients and your Business Regulation, FIPS 140 compliance Bad Press Employee Data 3

4 Focus Data on remote devices versus in transit or centrally stored Electronic data security specifically encryption - versus physical or other security issues Choosing tools Encryption granularity Example tools Costs 4

5 Encryption Strategy Considerations Answer these questions: What needs to be encrypted? What is the right tool for your needs? Do you need a combination of tools? 5

6 Analyze Your Encryption Needs Protect data from loss and exposure Prevent access to the system itself? Does software need to access the files after encryption? Do files need to be transported securely? By what means? How much user burden is acceptable? How strong does the encryption need to be? Do you need to match the solution to the hardware? Regulatory, Contractual, Organizational policy 6

7 Avoid the Risks of Misuse When it s working, it s good failure can be a disaster Data loss lost keys, unused recovery mechanisms Data exposure save to unencrypted space Choose the right combination of tools for your needs Understand the capabilities & idiosyncrasies of each tool Understand the basic concepts of encryption Protect the tool from your users :) 7

8 Types of Encryption Tools File - Encrypt a file at a time, or selected files together Folder - Encrypt all files in a folder, including newly created files Volume - Encrypt a volume, or virtual drive Disk - Encrypt entire hard disk What are the uses, advantages/disadvantages, and some examples of each? 8

9 File Encryption Examples: WinZip, PGP, GPG Pros and Cons: + Remain encrypted in transit and at destination + No general performance hit + Protection from other users of same computer - Typically must be decrypted during use - Important files may be missed - Recipient must have software 9

10 Folder Encryption Example: EFS (Windows Encrypting File System) Pros and Cons: + Automatic + Transparent to users and to software - Files copied out are not encrypted - Important folders could be missed - Encryption not allowed for some folders - Easy to misuse (encrypt without saving keys, etc.) 10

11 Volume Encryption Example: TrueCrypt Pros and Cons: + Can be portable (possibly even to other operating systems) + Software can be installed onto encrypted volumes + TrueCrypt is free - May not protect temporary files - Recovery options are limited - Not quite transparent to software and users 11

12 Disk Encryption Examples: Pointsec Pros and Cons: + All files are protected + Lost or stolen disk inaccessible to attacker + FIPS compliant + Prevents access to system 12 - Somewhat complex administration - Cost - May require special hardware

13 Performance Pointsec Run Time Sequential read time increases with Pointsec Little effect on usability Test before using for time-critical software or on servers Source: HD Tach benchmark software B a s e l i n e P o i n t s e c A v g M B / s e c 13

14 Timing - Pointsec Ghost Duplication G h o s t I B M T h i n k P a d, 3 0 G B h a r d d i s k With full disk encryption, the entire disk must be copied H o u r s T o S e r v e r F r o m S e r v e r B a s e L i n e P o i n t s e c 14

15 Timing Pointsec Hardware Duplication Better, but still slower Avoid penalty by installing just before duplication H W D u p I B M T h i n k P a d, 3 0 G B h a r d d i s k B a s e L i n e P o i n t S e c H o u r s 15

16 Cost/Benefit - Licensing Is it really free for your organization? For example, PGP is free for some types of organizations Up front costs, yearly costs Are there hardware expenses (tokens)? 16

17 Cost/Benefit - Burden Developing procedures Maintenance (e.g., key management) Support (e.g., password resets) Interviewer use 17

18 Select your Solution Analyze needs Understand the pros and cons Determine cost Test usability Have a recovery plan & don't lose the keys! Revisit as technologies change 18

19 Thanks! Contact information: Joe Nofziger: Reg Pendergraph: Acknowledgements: Bob Toler, Sotorn Muangmanee Pointsec consultation Tim Gabel, Karen Davis, R. Suresh direction Jason Butler performance measurements Preethi Jayaram performance testing 19