In Depth

How To Protect Your Mobile Data

Encrypt data that leaves the office? Yes. The best way to do it? It depends. Here's how to develop a strategy for your organization seeking to secure data on those roaming, mobile devices.

By Galen Gruman

Page 3

If full-disk encryption has an Achilles' heel, it's the password used to unlock the hard drive. Once the drive is unlocked, the full-disk encryption software decrypts files transparently as they are opened and re-encrypts them when they are saved, so the password is the only thing standing between a thief and the data. If the password is easy to guess, or if it's taped to the laptop, a thief has full access to the drive's contents and the encryption is defeated. "Allowing a weak PIN means it doesn't matter if you use encryption," says Maiwald.
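Why the passphrase, not the cipher, is the weak point can be shown with a toy model of the unlock step. The block below is an added example, not code from the article or from any full-disk encryption product: it wraps a random disk key under a PBKDF2-derived key, stores a verifier the way a pre-boot prompt would, and then runs the same unlock routine offline over a constructed word list and over every four-digit PIN. The header layout, iteration count, word list and passphrases are all assumptions made for the demo.

```python
# Added example (not from the article): a toy model of the unlock step of
# full-disk encryption, used to show that a guessable passphrase or PIN hands
# a thief the data regardless of the cipher. The header layout, iteration
# count, word list and passphrases are all constructed for this demo.
import hashlib
import hmac
import secrets
from typing import Iterable, Iterator, Optional, Tuple

# Assumption: an iteration count of the kind FDE products use; the article
# gives none. A higher count slows each guess but does not change the outcome.
PBKDF2_ITERATIONS = 20_000
VERIFIER_LABEL = b"fde-unlock-check"


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key computed from the passphrase at the pre-boot prompt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def make_volume_header(passphrase: str) -> Tuple[dict, bytes]:
    """Stand-in for the metadata an FDE product keeps on disk: a random
    data-encryption key (DEK) wrapped under the passphrase-derived KEK, plus a
    verifier so the unlock code can reject a wrong passphrase. Returns
    (header, dek); only the header is present on a stolen disk."""
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(32)
    kek = derive_kek(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, kek))  # toy wrap: XOR with KEK
    verifier = hmac.new(kek, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "wrapped_dek": wrapped, "verifier": verifier}, dek


def unlock(header: dict, passphrase: str) -> Optional[bytes]:
    """What the laptop does at boot: derive the KEK and, if the verifier
    matches, recover the DEK that decrypts every sector."""
    kek = derive_kek(passphrase, header["salt"])
    tag = hmac.new(kek, VERIFIER_LABEL, "sha256").digest()
    if not hmac.compare_digest(tag, header["verifier"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped_dek"], kek))


def dictionary_attack(header: dict, guesses: Iterable[str]) -> Tuple[Optional[str], int]:
    """What the thief does offline with the disk in hand: run the very same
    unlock routine over a list of guesses, with no lockout to stop them.
    Returns (passphrase found or None, number of guesses tried)."""
    tried = 0
    for guess in guesses:
        tried += 1
        if unlock(header, guess) is not None:
            return guess, tried
    return None, tried


def pin_guesses(digits: int) -> Iterator[str]:
    """Every numeric PIN of the given length, in order: 10**digits guesses."""
    for n in range(10 ** digits):
        yield f"{n:0{digits}d}"


# Constructed word list: common passwords plus one trivial variation of each.
COMMON = ["123456", "password", "letmein", "qwerty", "welcome1", "Password1"]
WORDLIST = COMMON + [w + "!" for w in COMMON]


if __name__ == "__main__":
    weak, _ = make_volume_header("Password1")
    strong, _ = make_volume_header("crate-orbit-velvet-thistle-91")
    pin, _ = make_volume_header("0042")
    print("weak passphrase:  ", dictionary_attack(weak, WORDLIST))
    print("strong passphrase:", dictionary_attack(strong, WORDLIST))
    print("4-digit PIN:      ", dictionary_attack(pin, pin_guesses(4)))
```

The point of the PIN generator is that a six-digit PIN is still only a million guesses, and against an offline copy of the disk there is no lockout counter; the KDF's iteration count decides how many hours the run takes, not whether it succeeds. A passphrase drawn from outside any word list forces the thief to search a space that is not enumerable in useful time, which is what the encryption was bought for in the first place.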

If data is especially sensitive, a password requirement can be paired with a hardware token for two-factor authentication, says Jerry Johnson, CIO of the Pacific Northwest National Laboratory, a U.S. Department of Energy research facility.

Similarly, laptops should be set to time out after a period of inactivity, so that data is not accessible until the password is re-entered, says Cryptography Research's Kocher. The trick is choosing the time-out period, he notes. The more often the password must be re-entered, the more chances a would-be thief has to "shoulder-surf" it in a public space (such as a hotel lobby); the less often it must be re-entered, the more time a thief has to reach the data when the laptop is left unattended. A time-out of a few minutes works in most cases, says Johnson.

Diabolical Devices

Although data stored on laptops is fairly easy to secure, three common conduits can confound the strongest encryption: USB drives (including iPods and thumb drives), recordable CD and DVD drives, and e-mail.

In all three cases, data is decrypted when moved to these media, since the usual goal of copying data to external devices is to make it available to systems that may not have the same encryption tools. Over-the-network encryption and policy-based management tools that screen e-mail contents can handle e-mail security. But removable media are more difficult to safeguard.

The simplest solution is to not provide CD or DVD burners on corporate laptops, says Jacob Mays, assistant vice president for IS at Stillwater National Bank. But handling USB drives is trickier. There are two basic approaches to securing external storage devices: disallow their use or use software that applies encryption to them as if they were an internal hard drive.

"You could put glue in the ports. We considered that," Johnson says, half seriously.

Although some vendors offer encrypted thumb drives, the encryption works only with their hardware, so users can simply buy their own thumb drives to bypass the control. Windows XP lets IT set policies that enable or disable whole classes of devices, including thumb drives, but there's no way to tell it to distinguish between approved and unapproved devices, says Nate Lawson, a senior engineering director at Cryptography Research. CISOs will need to consider third-party products such as those from Safend, SecureWave and Trigeo.
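The class-versus-device distinction Lawson describes is exactly what a per-device allow list adds. The block below is an added example, not code from the article or from any of the named products: it parses USB mass-storage instance IDs in the shape Windows enumerates them, applies a class-level rule (the only kind described above for XP) alongside an allow list keyed on the drive's serial number, and shows the two disagreeing on an IT-issued drive. The device IDs, serials and approved list are constructed for the demo.

```python
# Added example (not from the article or from any vendor product): the
# difference between a class-level removable-storage policy and a per-device
# allow list. The instance IDs below are constructed in the shape Windows
# uses for USB mass-storage devices; every serial is invented.
import re
from typing import Dict, Iterable, Optional, Set, Tuple

USBSTOR_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_(?P<vendor>[^&]+)&PROD_(?P<product>[^&]+)&REV_[^\\]+"
    r"\\(?P<serial>[^&]+)&\d+$",
    re.IGNORECASE,
)

# Constructed inventory of what one laptop enumerated on this boot.
ATTACHED = [
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0019E06B7B8C&0",
    r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001230714&0",
    r"USBSTOR\DISK&VEN_APPLE&PROD_IPOD&REV_2.70\000A27001A2B3C4D&0",
    r"USB\VID_046D&PID_C31C\6&2A3B4C5D&0&2",  # a keyboard: not mass storage
]

# Assumption: IT issued one approved drive and recorded its serial.
APPROVED_SERIALS = {"0019E06B7B8C"}


def parse_usbstor(instance_id: str) -> Optional[Dict[str, str]]:
    """Split a USBSTOR instance ID into vendor, product and serial, or return
    None when the device is not USB mass storage at all."""
    m = USBSTOR_RE.match(instance_id)
    return {k: v.upper() for k, v in m.groupdict().items()} if m else None


def class_policy(instance_id: str, storage_allowed: bool) -> str:
    """Class-level control: the only decision is whether the mass-storage
    class as a whole is on or off, so every thumb drive gets the same answer."""
    if parse_usbstor(instance_id) is None:
        return "allow"  # outside the storage class, so the rule does not apply
    return "allow" if storage_allowed else "block"


def allowlist_policy(instance_id: str, approved_serials: Set[str]) -> str:
    """Per-device control: storage is blocked unless this specific drive,
    identified by its serial, is on the approved list."""
    dev = parse_usbstor(instance_id)
    if dev is None:
        return "allow"
    approved = {s.upper() for s in approved_serials}
    return "allow" if dev["serial"] in approved else "block"


def evaluate(devices: Iterable[str], approved_serials: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Run both policies over every device with the storage class switched
    off; returns {instance_id: (class_result, allowlist_result)}."""
    return {
        d: (class_policy(d, storage_allowed=False), allowlist_policy(d, approved_serials))
        for d in devices
    }


if __name__ == "__main__":
    for dev_id, (by_class, by_list) in evaluate(ATTACHED, APPROVED_SERIALS).items():
        print(f"class: {by_class:5}  allowlist: {by_list:5}  {dev_id}")
```

Keying on the serial is only as good as the serial: cheap drives often report a blank or shared one, and a determined user can present a spoofed ID, so an allow list stops casual bypass rather than a deliberate attacker. Pairing it with encryption of whatever is written to the approved drive (the second approach above) closes more of the gap than either control alone.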
