Tuesday, April 10, 2007

Hard drive encryption and breach notification

I've had a number of conversations about SSN disclosure laws recently, and they're a major topic in the higher education security space. If you're an Indiana resident, last year's SSN release law and the breach disclosure laws for both private and public institutions made life more interesting. The usual disclaimer applies: I am not a lawyer, and you should talk to yours. With that said, the Indiana laws and others include a possible out for organizations. For example, the state agency version reads:

"Sec. 5. (a) Any state agency that owns or licenses computerized data that includes personal information shall disclose a breach of the security of the system following discovery or notification of the breach to any state resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person."
The key word here is "unencrypted": if you can reasonably state that the data was encrypted and could not be accessed, your reporting requirements are typically lessened, if not largely removed. It is worth noting that the laws generally do not specify an encryption technology; presumably ROT13 would be considered a less than good faith effort. The flip side is that the claim has to hold up. A laptop stolen while logged in with the volume unlocked, a recovery key stored on the same drive, or a passphrase taped to the lid makes "encrypted" very hard to argue, so protecting the keys is as much a part of the control as the cipher.

Does it now behoove you to encrypt everything? Possibly, if you deal with covered data everywhere, but few organizations do. At the least, highly sensitive systems and systems that are likely to be exposed should be part of your remediation plan. Most organizations are treating laptops and PDA/smartphone devices as their first round of targets: both are likely to be lost or stolen, and both often hold local copies of sensitive data. The past 12 months have produced a number of cases of stolen or missing laptops.

From a technical perspective, you have a few options:
  1. Full drive encryption software. Utimaco's product is a good example, and BitLocker (in the Vista editions that include it) falls into this category as well. The best part about software of this nature is that it can be installed on existing systems. Pay particular attention to backups, key escrow, and OS and hardware compatibility; you're sure to find some systems that your encryption scheme just won't work on, since many products are Windows-centric. There are real benefits to full drive encryption: because everything on the volume is covered, temporary space, hibernation files and virtual memory are encrypted too. There is also typically a real performance hit, particularly for disk intensive activities such as running a virtual machine.
  2. User directory encryption - things like EFS on Windows and FileVault on OS X encrypt the user's profile or home directory. The caveat here is that you have to make sure that data isn't stored elsewhere: a single application that writes its temp files or caches outside the profile, or a user who saves to the unencrypted root of the drive, can make your encryption useless. In the case of FileVault, you'll also need to figure out a method for managing the master password; EFS needs the same attention paid to its recovery agent and certificate backups. There is still a performance penalty, but software outside the user directory should run at normal speed, since the hit is confined to files inside the encrypted directories.
  3. File or volume encryption. Security professionals will probably point you to software like TrueCrypt for this. You encrypt a file container or volume and mount it when you need it, so the protection covers only what you deliberately put inside. It does not account for data resident in memory or the swap file, nor for temporary copies that applications write elsewhere, which makes it far more difficult to claim that the data could not have been exposed.
Should your organization use an encryption product? If you deal with sensitive data and want to safeguard it, you should definitely take a look at the products on the market. If your organization is subject to a disclosure law, encryption can also serve as both a reputational control and a data disclosure control.

What about cost? Encryption products come in a range of prices. EFS and BitLocker ship with the Vista editions that include them (BitLocker only with Ultimate and Enterprise) and FileVault ships with OS X, so they are free if you already own those licenses; commercial solutions range up to a few hundred dollars per machine. As with any security control, you'll need to gauge the cost and benefit to determine where and when you should deploy the technology.


Second D Silent said...

Good post David, although I wanted to point out one factual error. When you talk about user directory encryption you mentioned BitLocker. I believe you mean EFS here as BitLocker is a full drive encryption solution.

Also, when it comes to BitLocker being "free", that's only if your organization is already buying the versions of Vista that include BitLocker (Ultimate and Enterprise editions, IIRC). Otherwise, you'll have an additional OS license fee to purchase these.

David said...

Second D Silent is right - I swapped BitLocker and EFS while writing the post. I won't edit it as it stands, but yes, BitLocker does full drive encryption. Thanks!