Tuesday, February 17, 2009

The Case For Full Disk Encryption: Military Gear On the Open Market

Military.com's recent article "US Gear Ending up in Pakistan Markets" offers a great example of why organization-wide full disk encryption is a good idea. One of the items that author Shahan Mufti found for sale was a Maintenance Support Device (a ruggedized laptop), which contained "documents and photographs inside the computer" that indicated that "the assigned user of the laptop likely belonged to the U.S. Army's 864th Engineer Combat Battalion". In addition, "the computer also contained dozens of manuals on how to operate, assemble and trouble shoot U.S. Army equipment".

It is not at all surprising that the paper versions of these support documents are also available. What is surprising is that a military laptop does not have protections preventing unauthorized users from accessing it. While combat systems may need to be operated at short notice by other members of a team, laptops and desktop computers would benefit from having at least data partitions encrypted.

For most companies, encrypting portable devices is a good first step, and full disk encryption is easily available in a variety of price ranges and support models. From a risk management perspective, being able to state confidently that a stolen device containing sensitive data was encrypted and inaccessible at the time of the theft is a huge benefit - one which many current laws recognize as a means of avoiding their disclosure notification clauses.

We've discussed using TrueCrypt 6.0 for Windows as a free solution in the past, but many vendors offer enterprise-ready products as well.
