Protecting Data Stored on Enterprise Laptops: 10 Best Practices

by Chris Preimesberger

Results from a survey recently conducted by Ziff Davis Enterprise Editorial Research for eWEEK indicated??íthat a whopping 99 percent of respondents agreed that effective laptop security requires a combination of physical and information security measures. This includes encryption, password protections, physical locks and biometric methods.

The first and most important step is to make sure that your employees’ laptop data is properly encrypted while on the hard drive. The more advanced and performance-friendly alternative is file- and folder-based encryption. This method encrypts data as it is stored on the laptop and decrypts it when an employee opens an application file, which greatly reduces the performance penalty. File- and folder-based encryption also ensures that data is protected whether the laptop is on or off.

Consider how encryption works around data in motion. If you are going to allow employees to copy files to USB drives or burn data to CD/DVD ROM drives, make sure you are using an encryption solution that follows with the files as they are being copied off the laptop and onto the portable media.

Make sure that backed-up data is properly encrypted with a secure transmission and a lock-tight storage facility. The best way to ensure that your corporate data stays private and secure during backup is to generate and manage cryptographically random keys in a scalable way. The way in which the key is managed is critical to enabling data to be restored when the original laptop is not available.

You should think about is how encryption impacts the amount of data you have to store. To address rapid data growth, you may use data deduplication. However, traditional data deduplication and encryption often are at odds with one another. Data that is encrypted using different encryption keys looks random and thus cannot be deduplicated. Secure, automated key management makes it possible for encryption and data deduplication to work together. The best way to do this is to complete the encryption process up front and then run data deduplication on the encrypted data using a secure key escrow system.

You should assess encryption manageability for both your company and your IT team. All too often, ease of use is sacrificed for a secure encryption solution. The reality is that the more friction your employees experience, the more likely they will work around the security solution. The best way to deliver on the data security and privacy promise is to find an end-to-end solution that is easy to deploy (ideally a silent install) and integrate it with your existing desktop management infrastructure. Most of all, you need a trouble-free solution that minimizes forgotten passwords.

Thanks to major improvements in GPS-related security software, having the ability to remotely shut off and lock down a lost or stolen laptop is an important feature. A central administrator can render the mobile device useless with a couple of clicks. Several vendors now offer this—Juniper Networks, for example, features it in its new Junos Pulse Mobile Security Suite.

Similar to remote shutoff and lockdown, several companies provide remote wipe, in which a hard drive’s contents are backed up in the cloud and then wiped completely from the disk. A user or IT department sends an SMS text message to the laptop that disables the PC. Datacastle offers it in its Red package; Juniper Networks has it in Junos Pulse Mobile Security Suite; Ericsson has integrated Intel’s new Anti-Theft PC Protection technology into its mobile broadband modules. Lenovo and Phoenix Technologies are offering similar capabilities with Lenovo’s ThinkPad notebooks.

Passwords are exploding and require constant vigilance—from steady rotation to the use of differentiated passwords across accounts—to maintain security best practices. “You don’t need to remember all of those changing passwords if you place security at your fingertips. A full 80 percent of enterprise laptops today have fingerprint readers built into the system, making enterprise security a snap,” said Vance Bjorn, CTO and co-founder at DigitalPersona, a biometric identity protection solutions provider.??í

Datacastle, Juniper Networks and Trellia Networks are providers of software to address enterprises’ growing need to automate and enforce security policies on mobile workforce laptops. Trellia’s MPME (Mobile Policy Management and Enforcement) solution supports central management of essential security policies for network selection, VPN, proxy and bridging prevention.