David S. Read

This is a follow-up to my previous entry regarding full disk encryption (see: http://monead.com/blog/?p=319).  In this entry I’ll look at Blue Slate’s experience with rolling out full disk encryption company-wide.

Blue Slate began experimenting with full disk encryption in 2008.  I was actually the first user at our company to have a completely encrypted disk.  My biggest surprise was the lack of noticeable impact on system performance.  My machine (Gateway M680) was running Windows XP and I had 2GB of RAM and a similarly-sized swap space.  Beyond a lot of programming work I do video and audio editing.  I did not notice significant impact on editing and rendering of such projects.

Later in 2008, we launched a proof of concept (POC) project involving team members from across the company (technical and non-technical users).  This test group utilized laptops with fully encrypted drives for several months.  We wanted to assure that we would not have problems with the various software packages that we use. During this time we went through XP service pack releases, major software version upgrades and even a switch of our antivirus solution.  We had no reports of encryption-related issues from any of the participants.

By 2009 we were focused on leveraging full disk encryption on every non-server computer in the company.  It took some time due to two constraints.

First, we needed to rollout a company-wide backup solution (as mentioned in my previous post on full disk encryption, recovery of files from a corrupted encrypted device is nearly impossible).  Second, we needed to work through a variety of scheduling conflicts (we needed physical access to each machine to setup the encryption product) across our decentralized workforce.

(more…)

Security is a core interest of mine.  I have written and taught about security for many years; consistently keeping our team focused on secure solutions, and am in pursuit of earning the CISSP certification.  Some aspects of security are hard to make work effectively and other aspects are fairly simple, having more to do with common sense than technical expertise.

In this latter category I would put full disk encryption.  Clearly there are still many companies and individuals who have not embraced this technique.  The barrage of news articles describing lost and stolen computers containing sensitive information on unencrypted hard drives makes this point every day.

This leads me to the question of why people don’t use this technology.  Is it a lack of information, limitations in the available products or something else?  For my part I’ll focus this posting on providing information regarding full disk encryption, based on experience. A future post will describe Blue Slate’s deployment of full disk encryption.

Security focuses on three major concepts, Confidentiality, Integrity and Availability (CIA).  These terms apply across the spectrum of potential security-related issues.  Whether considering the physical environment, hardware, applications or data, there are techniques to protect the CIA within that domain.

(more…)

Privacy is an issue which is consistently in the news.  Large amounts of data are stored by retailers, governments, health care providers, employers and so forth. Much of this data contains personal information.  Keeping that data private has proven itself to be a difficult task.

We have seen numerous examples of unintended data loss (unintended by the company whose systems are stolen or attacked).

We hear about thefts of laptops containing personal information for hundreds of thousands of people.  Internet-based attacks that allow attackers access to financial transaction data and even rogue credit card swiping equipment hidden in gas pumps have become background noise in a sea of leaked data.  This is an area that gets the lion’s share of attention in the media and by security professionals.

Worse than these types of personal data loss, because they are completely preventable, are those that are predicated on a company consciously releasing their customer data.  Such companies always assume that they are not introducing risk, but often they are.  In all cases, if the owner of the data had simply held it internally no privacy loss would have occurred.

There have been cases of personal data loss due to mistakes in judgment.

AOL released a large collection of search data to researchers.  The people releasing the data didn’t consider this a risk to privacy.  How could the search terms entered by anonymous people present a risk to privacy?

Of course we now now know that within the data were people’s social security numbers (SSN), phone numbers, credit card numbers and so forth.  Why?  Well, it turns out that some people will search for those things, quite possibly to prove to themselves that their data is safe.  What better way to see if your SSN or credit card number is published on the Internet than by typing it into a search engine?  No matches, great!

Personal data has even been lost by companies releasing data after attempting to mask or anonymize it.

The intent of masking is to remove enough information, the personally identifying information (PII), so that the data cannot be associated with real people. Of course this has to be done without losing the important details that allow patterns and relationships in the data to be found.

(more…)