To encrypt or not encrypt, that is the question. It seems like encrypting everything in sight is currently in vogue. But is that the best approach? Regardless of the current mantra and compliance push to encrypt all portable media, there are (at least) two schools of thought on this topic.
First the easy part, with the headlines around data breaches, especially the scary stories regarding lost and stolen laptops leading to identity theft, every enterprise is reconsidering their portable device protection strategies – if they haven’t already done so.
The popular approach is to encrypt all portable media. A few of the benefits of this approach include:+ Most breach laws exclude loss of sensitive information that is encrypted, so you avoid costly, embarrassing, public disclosure and notification. This is huge and the main driver.+ Every person and PC is treated the same. This brings peace of mind, lowers costs for licenses, etc, etc.+ No need for a time-consuming inventory of who really has what on portable devices. I know, I know, the list is much longer. For more reasons to implement this approach, there are a myriad of good articles available from CSO Magazine and others. Also, my last blog focused on the great new contract vehicles which allow federal, state, and local governments to obtain excellent pricing on encryption products. If you Google the phrase: “Why not encrypt every laptop?” you’ll get over 1.8 million page views. But surfing through the first 50 sites, will offer some interesting perspectives that fuel the debate on encrypting everything in sight.Before entering the discussion, check out these survey stats (from early 2007) on what is actually happening - but remember this doesn't include plans.On the "encrypt all laptops" side, you can read about how Stillwater National Bank does things. Here’s an excerpt “To make sure no data can be read on a lost or stolen computer, the bank fully encrypts all of its 80 laptops with PGP software, a measure it initiated last year. Employees must enter a password before Windows even boots up.” For background on the other point of view, we need to ask the question: Why would sensitive data ever need to be on portable computers? USA Today ran an interesting article on this topic a year ago. Here’s a quote from the USA Today article:“Consider the case of the ING Financial Services adviser who had Social Security numbers and other personal data for 13,000 District of Columbia employees on his laptop — until the computer was stolen from his home last month. ING administers pensions for the district.The adviser had broken ING rules by not having the data encrypted. ING responded by recalling all employees' laptops to ensure that encryption software was turned on and couldn't be switched off. But the fact that the information was out of the office was not itself a violation.”The article goes on to discuss the case of an Ernst & Young consultant who lost the names, addresses, and credit card information on 243,000 Hotel.com customers. Their new policy was to encrypt all 30,000 of its consultant’s laptops, which they believe solved the problem – without answering the questions around why the data needed to be on the laptop in the first place.So why not just encrypt everything in site? Some of the answers are obvious, but other may not be:+ Employees may gain a false sense of security regarding sensitive information being protected. Encryption is not turned on by default (mandatory), but relies on the user’s action, in many enterprises. If not used for whatever reason, encryption does no good.+ Cost can be high to implement (although this is countered with the cost of a breach being higher)+ Slows down computers (although getting faster all the time)+ Clumsy to use (although getting easier)+ Lost encryption keys mean lost data (there are ways to help this)But the best reason that I can think of to not encrypt every portable device brings us right back to USA Today question: why let the sensitive information leave the enterprise in the first place? If you do remove it, bad things can happen. Employees can still copy sensitive information onto home networks, other easy-to-use devices like thumb drives, or even the new Apple iPhone which may not be encrypted. That is, the problem is not gone, it just moved.Why would employees or contractors do that? Possibly, as an ethical violations for personal gain. More likely, for the same reason that they want the sensitive information on laptops while traveling in the first place - convenience. They could get lazy, and copy info onto a device that’s easier to transport (and not encrypted) and leave the laptop at home.In defense of the orgs that are encrypting all portable devices, many also issue policies which restrict employees from putting sensitive data onto laptops or other portable media unless approved.What do we do in Michigan? Currently, we do not encrypt every laptop, but we’re heading in that direction. Our first policy message: Don’t Do It! Don’t put sensitive information on portable devices. Bad idea! You can go to our Cybersecurity website and watch our awareness web video for end users on how to protect sensitive data and what to do in the event of a breach.If, however, Michigan state employees/contractors have a legitimate business case that requires them to have sensitive information on portable media, we provide encryption after they receive an executive-level signoff of the risk. Our goal is to limit the number of people who ever take sensitive information off the network in the first place. Both sides agree: it’s bad when sensitive information gets in the hands of bad guys who could use it for identity theft. But almost like the debate on how to prevent sexually transmitted diseases, there are two (currently unequal) camps on how to achieve this goal. The abstinence camp says, “Just don’t do it,” Don’t allow your sensitive information to leave the enterprise – or you’ll be sorry. Know where it is, what it is, and control it. Also, giving encryption to everyone could cause the wrong attitudes towards the handling of sensitive information, so only give encryption to those who really need it.The “encrypt-all” camp wants to provide “virtual vaccines and protective devices” to everyone. They believe encrypting everything makes the most practical sense in our current situation. Their main goal: prevent the need for a public breach notification at all costs. They want to drive down the cost of encryption and build it into everything we do.Is there are middle ground? What did I miss? What are you doing?