
Keeping Notebooks Off The Front Page

By David Raikow, CRN
August 06, 2007    12:00 AM ET


May 3, 2006, has proven to be a major turning point in the federal government's treatment of information security. As most people know, burglars broke into a house in Aspen Hill, Md., and stole a notebook computer and external hard drive that contained an unencrypted database holding the names, dates of birth, and Social Security numbers of millions of veterans and active duty military personnel. The equipment in question belonged to the Department of Veterans Affairs and was issued to an analyst named Wayne Johnson, who had been bringing home the laptop loaded with confidential data for months.

Despite reports indicating that the data was not accessed, the scandal that followed cost several high-ranking VA officials their jobs and prompted the Office of Management and Budget (OMB) to issue a new policy mandating that all federal departments and agencies implement safeguards to prevent such a security breach. Suddenly, every office in the executive branch needed to find a way to keep all of the data on their notebooks and other mobile devices encrypted all the time.

The Basics
As its name implies, full disk encryption (FDE) software encrypts the entirety of a hard drive, including the boot partition and all system files. Without a working password, the drive in question is both indecipherable and unbootable. With most current FDE solutions the drive itself retains some value, but any data on it is effectively out of reach.

The vast majority of current FDE solutions are implemented entirely in software. During initial deployment of such solutions, the software in question encrypts each affected hard drive, sector by sector, and installs a stripped-down custom OS known as the "preboot environment" designed solely to authenticate the user and begin decrypting the drive. At no point is any unencrypted data saved to the hard drive; data is only decrypted when needed in active memory, and immediately re-encrypted when written to storage.

Both Seagate and Hitachi Data Systems have recently begun shipping 2.5-inch hard drives with onboard hardware-based encryption; Lenovo now offers the ThinkPad T61 with the Seagate drive as a factory-installed option. While these two drives are based on slightly different architectures, they both offer a performance advantage over their software-based alternatives in that they keep constant encryption and decryption from eating up processing cycles on the main CPU. Seagate's drives also offer more security by making part of the drive inaccessible to the user.

In the short term, however, limited centralized management options make large-scale deployments of hardware-based FDE solutions difficult, though both manufacturers are working closely with existing FDE software developers. Moreover, in the federal context neither has gone through the lengthy Federal Information Processing Standard (FIPS) certification process required of encryption tools used by federal agencies.
