Allen began the process of hard disk encryption two years ago using PGP's Whole Disk Encryption and Universal Server. It was not practical to do a full-blown inventory project, Allen said, so he started with laptops known to contain confidential data. Earlier this year, encryption of all faculty and staff laptops, along with some desktops, was completed.
Centrally managed PGP encryption does not, however, extend to Baylor's approximately 14,000 students, 93 percent of whom have laptops. In safeguarding data on those systems, the university seeks to control access to sensitive information and prevent it from getting onto student systems to begin with, according to Allen.
Kevin Wilson, an architect planner for the desktop at an energy company in North Carolina, took a similar approach. "It's easier to encrypt them all rather than to find the ones that are most at risk—and then risk the theft of the one you haven't encrypted," Wilson said. "If I put a machine name in an Active Directory group, then it's going to get encrypted. I can do 20,000 as easily as I can do 20."
Even so, Wilson does move laptops that are likely to contain personal information to the top of the encryption queue. He said he uses Utimaco's SafeGuard Easy for encryption.
In his next wave of laptop purchases, Wilson is ordering systems that come with hard drives pre-encrypted by the manufacturer. This will save time and trouble, Wilson said, but will also introduce an additional type of encryption to his organization, creating the burden of carefully tracking and managing each system.
Gartner analyst John Girard said the presence of multiple encryption methods in an enterprise means IT pros need broader management tools. "An encrypted drive is a great idea, but you need an overarching system that lets you manage the drives," Girard said. "Your primary encryption method needs to offer management of other encryptions."
Businesses that upgrade to Microsoft's Windows Vista Ultimate or subscribe to the company's Software Assurance program may deploy Microsoft's BitLocker drive encryption, but since most companies won't move all their systems to Vista at once, they are also likely to face the problem of managing a laptop population that uses different types of encryption. Furthermore, BitLocker encrypts only single drive volumes and not USB drives.
A laptop with an encrypted hard drive could still be a leaky data faucet if it is used to write critical information to a USB drive or to burn a CD or DVD. The approaches taken to eliminating these sources of data leakage range from the reported use of glue to plug USB ports at some federal agencies to disabling CD- and DVD-burning capabilities via software.
These measures, while effective, tend to rile users because they impede the utility of their laptop machines. IT managers are likely to find that purchasing encrypted USB drives or software for encrypting the data stored on USB drives and CD and DVD storage makes more sense.
To ensure that sensitive data is never written to removable storage devices in the first place, organizations can choose from a variety of software from vendors such as Reconnex and Vontu that recognizes patterns in data—such as telltale signs of intellectual property or the numerical pattern of Social Security numbers—and prevents writes from taking place when those patterns are detected.
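To show the kind of check such content-aware software performs, here is an added example (not code from the article or from any of the vendors it names) that scans text for Social Security number patterns and refuses to allow a write to removable media when a plausible match is found. The sample records are constructed, and the plausibility filter applies the SSA's published structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) so that obvious placeholders do not trip the policy.

```python
import re

# Constructed sample records for illustration; not taken from the article.
SAMPLE_RECORDS = [
    "Employee roster: Jane Doe, SSN 123-45-6789, dept 40",
    "Invoice 2007-1182 total 1,234.56 USD",
    "Test fixture placeholder 000-12-3456 should not match",
    "Contact: 555-01-2345 and 987-65-4321 on file",
]

# Three groups (area, group, serial) separated by hyphens, on word boundaries.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Everything else is treated as a possible SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text):
    """Return every plausible SSN-looking token in the text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def write_allowed(text, destination_is_removable):
    """Policy decision for a single write.

    Returns (allowed, hits). Writes carrying SSN patterns are blocked when
    the destination is removable media (USB, CD, DVD); writes to the
    encrypted internal drive are allowed but the hits are still returned
    so a caller can log them.
    """
    hits = find_ssns(text)
    if hits and destination_is_removable:
        return False, hits
    return True, hits


def scan_records(records, destination_is_removable=True):
    """Apply the policy to a batch; return the indexes of blocked records
    mapped to the patterns that caused the block."""
    blocked = {}
    for i, rec in enumerate(records):
        allowed, hits = write_allowed(rec, destination_is_removable)
        if not allowed:
            blocked[i] = hits
    return blocked


if __name__ == "__main__":
    for idx, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx} blocked from removable media: {hits}")
```

A real product would inspect file contents at the filesystem filter or endpoint-agent level rather than strings handed to a function, and would add further detectors (credit card checksums, document fingerprints for intellectual property); the structure of the decision, pattern match followed by a policy rule keyed on the destination, is the same.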
Another approach is to make the USB drive itself the trusted device. RedCannon's KeyPoint Alchemy, for example, encrypts USB devices and implements policy management rules for their use. Similarly, VMware's ACE 2 implements a virtual PC, with security policies, on a USB drive. "The USB drive is a manageable asset," Gartner's Girard said. "It will cost you some money, but you can do it."
The epidemic of laptop thefts has spurred other, more novel approaches. Absolute Software's Computrace LoJack for Laptops works much the same as the LoJack automobile anti-theft device. When a stolen system is connected to the Internet, it sends out a signal that enables it to be traced. The signaling works even if the hard drive is removed and installed in another system.