Keeping Notebooks Off The Front Page

Despite reports indicating that the data was not accessed, the scandal that followed cost several high-ranking VA officials their jobs and prompted the Office of Management and Budget (OMB) to issue a new policy mandating that all federal departments and agencies implement safeguards to prevent such a security breach. Suddenly, every office in the executive branch needed to find a way to keep all of the data on their notebooks and other mobile devices encrypted all the time.

The Basics
As its name implies, full disk encryption (FDE) software encrypts the entirety of a hard drive, including the boot partition and all system files. Without a working password, the drive in question is both indecipherable and unbootable. With most current FDE solutions the drive itself retains some resale value, but any data on it is effectively out of reach.

The vast majority of current FDE solutions are implemented entirely in software. During initial deployment of such solutions, the software in question encrypts each affected hard drive, sector by sector, and installs a stripped-down custom OS known as the "preboot environment" designed solely to authenticate the user and begin decrypting the drive. At no point is any unencrypted data saved to the hard drive; data is only decrypted when needed in active memory, and immediately re-encrypted when written to storage.

Both Seagate and Hitachi Data Systems have recently begun shipping 2.5-inch hard drives with onboard hardware-based encryption; Lenovo now offers the ThinkPad T61 with the Seagate drive as a factory-installed option. While these two drives are based on slightly different architectures, they both offer a performance advantage over their software-based alternatives in that they keep constant encryption and decryption from eating up processing cycles on the main CPU. Seagate's drives also offer more security by making part of the drive inaccessible to the user.

In the short term, however, limited centralized management options make large-scale deployments of hardware-based FDE solutions difficult, though both manufacturers are working closely with existing FDE software developers. Moreover, in the federal context neither has gone through the lengthy Federal Information Processing Standard (FIPS) certification process required of encryption tools used by federal agencies.

The Market
The value of these technologies to federal agencies is clear, and they are moving quickly to implement them—meaning big opportunities for VARs who can move fast as well.

"It's hard not to know the value of encryption now, because every time you pick up [the paper], there's some story about some laptop," says Rick Marcotte, president and CEO of Herndon, Va.-based government solution provider DLT Solutions. "You don't even need to sell the concept anymore."

"The mandate forced a solution on the agencies," notes Prabhat Agarwal, manager of federal information security analysis at government market analysis firm Input. "They're pushed to do it, and they will do it—the risk of not doing it is too high."

Agarwal projects that the size of the federal "data at rest" market—which includes FDE as well as other encryption solutions and approaches to protecting data stored on notebooks, desktops and servers—will reach $620 million in 2007, and $780 million by 2012.

The question, then, is not whether there's a demand in the federal market for FDE solutions, but how much of that demand is already being met. That's not entirely clear.

For example, more than 90 percent of all Department of Commerce mobile devices have had FDE in place as of June 25, according to the Department of Commerce CIO Barry West. "Keep in mind that this OMB memorandum came out a year ago, so most departments should be well down the road," he says.

On the other hand, according to Josh Wolfe, director of federal sales for encryption vendor Utimaco, the Commerce Department's progress is not representative of the federal government as a whole. "There's a lot left to do. When you talk to end user customers, the mandate has been out there for a year or so, but unfunded; so you've got a lot of folks working with OMB to get a pass or a waiver. The government is by no means done."

It's significant to note that on June 18 the OMB, Defense Department and General Services Administration (GSA) awarded blanket purchase agreements to 11 primary contractors working with 10 FDE software developers as part of the federal SmartBUY program (see "And The Winners Are...," left). As the SmartBUY system is designed to simplify the procurement and contract negotiation processes, these recent awards suggest that there may be a significant number of FDE projects still up for grabs.

The Requirements
As with any area of federal IT, there are a host of different requirements. If you're going to get the contract, it's crucial to understand all of these and how they fit together.

With FDE projects, the place to start is OMB Memorandum M-06-16, which was the primary response to the VA incident. In it, the OMB lays out a four-part mandate, which includes forced time-outs and two-factor authentication for remote access, logging of all access to sensitive data, and the encryption of "all data on mobile computers/devices which carry agency data unless the data is determined to be nonsensitive, in writing," by a designated official. Technically, this last requirement can be met without FDE, but the alternatives are impractical.

"It just gets too difficult to manage," West notes. "It's much safer just to do a full disk encryption."

Every federal office will require that any FDE product be certified under FIPS 140-2. For software products, this shouldn't be a problem; from the VAR's perspective, FIPS 140-2 certification is simply a checkbox that all major vendors have already checked. Hardware-based encryption is another story. The FIPS certification process takes considerably longer than the product life of a hard drive, making the process inherently impractical for the drive manufacturers. Seagate is currently working with the government on developing a new certification mechanism more suitable to COTS hardware.

"What the NSA has said in public is that [hardware-based encryption] is a really good idea," says Dave Anderson, director for strategic planning for storage solutions at Seagate. "We're the first guinea pig for this new process."

While the SmartBUY selection is not technically a certification, it does carry with it an official "stamp of approval" that the products meet FIPS 140-2, interoperability and other requirements. As such, it may prove a de facto requirement in many cases.

"It's going to be very difficult for any government agencies to buy anything that's not on that particular list," says Andy Solterbeck, vice president and general manager for commercial enterprise business at FDE software developer SafeNet. "Just purely from an audit perspective, it just makes it simpler for the agencies, because they can say they bought the product based on that assessment."