Home » Data Protection » Wireless/Mobile

In Depth

How To Protect Your Mobile Data

Encrypt data that leaves the office? Yes. The best way to do it? It depends. Here's how to develop a strategy for your organization seeking to secure data on those roaming, mobile devices.

By Galen Gruman

Page 2

Encryption for Laptops: Full-Disk or File-Based?

The first decision when implementing an encryption strategy is whether to use full-disk encryption or file-based encryption. Because Windows XP comes with file-based encryption built in (as do Linux and Mac OS X), it's tempting to use that "free" technology. Anything stored in specific PC folders, like My Documents, is encrypted automatically. But this approach has a significant security flaw: It relies on users putting files in the encrypted folders.

Furthermore, Microsoft's encryption "is not strong, and there is no good management option for the enterprise," says Northrop's McKnight. "It's hard to manage and hard to make work with backup software," warns Paul Kocher, chief scientist for cryptography at technology consultancy Cryptography Research. Although Microsoft promises better encryption in the forthcoming Windows Vista, Kocher suggests taking that promise with a grain of salt, given Microsoft's long history of security vulnerabilities.

The other option is full-disk encryption, which protects everything on the hard drive. With this approach, there's no uncertainty as to what data is actually encrypted. "It takes human judgment out of the equation, so I can tell the regulators that the entire disk is encrypted," says Kim Jones, director of security at eFunds, an electronic transaction provider to financial institutions.

The fear, widespread among users, is that full-disk encryption will slow laptop performance. Fortunately, laptops built in the past three years or so have the horsepower to run full-disk encryption so "the performance hit is nonexistent from the user's perspective," says Jones. McKnight says a slowdown is noticeable, but just slightly. Where it's most noticeable is at system boot-up and when the laptop hibernates, he says.

Several companies&mdashincluding PGP, Pointsec and GuardianEdge Technologies&mdashprovide enterprise-class full-disk encryption software that can be installed and managed using standard tools, and that works with backup software and password management systems. Still, enterprises should test any encryption software to make sure it is compatible with their management tools, advises Eric Maiwald, a senior analyst at the Burton Group research firm. They should have a tool to synchronize user passwords with a secure repository in case IT has to access the laptop (say when an employee forgets system passwords, is injured or leaves the company). McKnight suggests another precaution: Test hard drives before applying encryption, since the initial encryption can stress problematic hard drives to the point of failure. Although the problem was rare for the 35,000 laptops that Northrop encrypted, it does occur.