Slashdot Mirror


Only 27% of Organizations Use Encryption

An anonymous reader writes "According to a Check Point survey of 224 IT and security administrators, over 40% of businesses in the last year have more remote users connecting to the corporate network from home or when traveling, compared to 2008. The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users. Yet, regardless of the growth in remote users, just 27% of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9% of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception."

175 comments

  1. Don't blame IT by jhoegl · · Score: 4, Insightful

    We would do it if we weren't undermanned, underfunded, and had competent users.

    Support for things is already maxing many people out, now you want to add this?

    Please.

    1. Re:Don't blame IT by MortenMW · · Score: 0, Troll

      +1

      Time, money and people could solve it

    2. Re:Don't blame IT by physburn · · Score: 1

      I do blame IT at least partially. A business IT center might well see the wisdom of data encryption everywhere, but competing against this is how easy it is to recover lost data (damaged disk, lost passwords or encryption keys), plus the added complexity of managing the system. If it was built into Windows I'm sure many more companies would use it. It is built into Linux, but not exactly visible, or well known. Better support in the OS would, I'm sure, make encryption much more commonly used.

      --
      Cryptography Feed @ Feed Distiller

    3. Re:Don't blame IT by Atrox666 · · Score: 1

      I would push for this if I could sell these people on a functional backup system for the users.
      I can't afford to lower my chances at recovering HDs where no backup exists.
      I also have 11000 computers to deal with in my environment. If it costs $1 per seat for software then I will have no hope at getting funding.

    4. Re:Don't blame IT by IdleTime · · Score: 1

      Well, I guess your company is mismanaged then.

      I've been working from home for over 7 years. I have two USB drives I use for work, a 1TB and a 2TB FreeAgent drive which have been encrypted using TrueCrypt. My /home/xxxx directories are also encrypted.

      --
      If you mod me down, I *will* introduce you to my sister!
    5. Re:Don't blame IT by grcumb · · Score: 1

      We would do it if we weren't undermanned, underfunded, and had competent users.

      Dude, my Director doesn't even know her laptop's home folder is encrypted. She just logs in and everything is there.

      She's a die-hard XP user who is anything but technologically adept. But when I told her that she'd have to choose between Ubuntu and Windows 7 on her new laptop, she chose Ubuntu. During the install, it asked if I wanted home folder encryption, I said yes, and that was that.

      I've had exactly one support session with that laptop since: Her default file association was opening documents in OO.o instead of MS Office (running under WINE). I changed the association and haven't heard a peep since.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  2. Remote Desktop by Anonymous Coward · · Score: 3, Interesting

    I telecommute and all my work is stored on the server I remote into.
    As I have no work stored locally there is no encryption (aside from the VPN into the server).

    1. Re:Remote Desktop by fuzzyfuzzyfungus · · Score: 5, Informative

      I have to wonder how many of the outfits in TFA's little scare story fall into your category.

      Remote access to network resources via a Citrix or other terminal server setup isn't exactly uncommon and means that no data of any interest actually ends up on the user's HDD. They could still have a keylogger or screen-grabber lurking; but full disk encryption wouldn't save you from that in any case.

      Frankly, unless the remote users are all on fully-managed-owned-and-issued-by-IT laptops, which are the only ones where full disk crypto is really going to be practical on any scale, a terminal server is overwhelmingly easier to set up and run. "Go to our website, click here, receive desktop" is a far simpler instruction than "Establish a VPN connection, now connect to our fileserver to access your documents, now configure your email client, now do all the other little things that would happen automagically if you were on a machine we had set up. Oh, you'll probably be asked for your credentials 10 times or so, because your machine isn't bound to our domain."

    2. Re:Remote Desktop by Anonymous Coward · · Score: 0

      "Go to our website, click here, receive desktop"

      Off topic but, how do you do that with just Terminal Services?

    3. Re:Remote Desktop by Anonymous Coward · · Score: 0

      Frankly, unless the remote users are all on fully-managed-owned-and-issued-by-IT laptops, which are the only ones where full disk crypto is really going to be practical on any scale, a terminal server is overwhelmingly easier to set up and run. "Go to our website, click here, receive desktop" is a far simpler instruction ...

      Except when the home machine is compromised.

      SunRays (which work with both Unix and Windows remote logins) are a good solution. They plug into any network (e.g., home Linksys) and can get an address via DHCP, and then connect to a pre-configured VPN server for remote desktoping. You can plug in any monitor, and they use something like 20W. They also have built-in smart card readers for two-factor authentication (in addition to a network/AD password) if so desired.

    4. Re:Remote Desktop by nprz · · Score: 1

      Same with me.
      The article doesn't really say whether the survey asked whether they needed disk encryption because all the data is still on the servers, not the laptop / home computer.
      I don't have a USB thumb drive at home, so should I have to encrypt it? No, so I'm part of that 91%?

      And to connect to my work VPN, it is as simple as logging into a web site (with my RSA key) and it does the VPN connection.
      Normal users from there get access to their web sites that they normally use. But I use my RDP, VNC, SSH to wherever I need to go.

  3. Business As Usual by Anonymous Coward · · Score: 2, Insightful

    Yeah, blame the users, that will always make up for the fact that they depend on you to take care of these things for them.

    1. Re:Business As Usual by Anonymous Coward · · Score: 2, Insightful

      Security is not a product. I can give you the best security tools, but if you are too lazy to learn how to use them and then to use them with the needed competence (and paranoia) it will not work. There is no way to transform security into a magic button which an incompetent user just clicks and gets it.

      Security requires effort to check the keys, keep them private, accept the extra steps to apply and check it, remember passwords, keys and credentials ecc.ecc.

      90% of users are plainly and loudly annoyed by common access password expire time and complexity requirements. They are simply not intellectually ready to manage encryption of fixed and removable media.

    2. Re:Business As Usual by tomtomtom · · Score: 1

      90% of users are plainly and loudly annoyed by common access password expire time and complexity requirements. They are simply not intellectually ready to manage encryption of fixed and removable media.

      I have complained to my corporate IT-droids about this before. My issue isn't the expiry (90 days is perfectly reasonable), it's the ridiculous policy they enforce which means that about 70% of the RANDOMLY-GENERATED passwords I try to use won't even work. They enforce: (1) At least one of each of: number, upper case, lower case, symbol; (2) No two consecutive characters may be a repetition; (3) No two consecutive characters may be adjacent on a QWERTY keyboard; and (4) No three or more consecutive characters are allowed to form ANY dictionary word (if you've ever played Scrabble you'll know how many ridiculous 3-letter combinations get caught by this).

      The net effect of this (aside from the fact that it dramatically reduces the valid search space for brute-forcing) is that once people have a pattern which actually complies with the rules they then WRITE IT DOWN AND PUT IT ON A POST-IT ON THEIR MONITOR and then just increment the digits they invariably put on the end every 90 days. Net result: LESS security, AND more complaints to IT. Utterly stupid.
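The rule set described above, as an added example that is not from the post and not any policy the poster's IT department actually runs: a Python checker for the four rules, plus a measurement of how many uniformly random passwords such a policy rejects. The QWERTY adjacency definition (neighbours in the same keyboard row, case-insensitive) and the tiny word list are constructed assumptions, since the post defines neither; a real dictionary would make rule 4 far stricter and push the rejection rate towards the 70% the poster reports.

```python
import random
import string

# Constructed QWERTY rows for rule 3. The post does not define "adjacent";
# this example treats two characters as adjacent when they sit next to each
# other in the same row, in either direction, ignoring case (an assumption).
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed stand-in for the dictionary behind rule 4. A real word list is
# far larger and catches far more three-letter runs than this one does.
DICTIONARY = {"the", "and", "cat", "dog", "red", "bat", "art", "ant",
              "pan", "one", "password", "horse", "staple"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _adjacent_on_keyboard(a, b):
    a, b = a.lower(), b.lower()
    for row in QWERTY_ROWS:
        if a in row and b in row and abs(row.index(a) - row.index(b)) == 1:
            return True
    return False


def _contains_dictionary_word(pw):
    """Rule 4: any run of three or more consecutive characters that is a word."""
    lower = pw.lower()
    for start in range(len(lower)):
        for end in range(start + 3, len(lower) + 1):
            if lower[start:end] in DICTIONARY:
                return True
    return False


def policy_violations(pw):
    """Return the list of rule numbers (1..4) from the post that `pw` breaks."""
    violations = []
    has_all_classes = (any(c.isdigit() for c in pw) and any(c.isupper() for c in pw)
                       and any(c.islower() for c in pw)
                       and any(c in string.punctuation for c in pw))
    if not has_all_classes:
        violations.append(1)
    if any(pw[i] == pw[i + 1] for i in range(len(pw) - 1)):
        violations.append(2)
    if any(_adjacent_on_keyboard(pw[i], pw[i + 1]) for i in range(len(pw) - 1)):
        violations.append(3)
    if _contains_dictionary_word(pw):
        violations.append(4)
    return violations


def complies(pw):
    return not policy_violations(pw)


def rejection_rate(length=10, trials=20000, seed=1):
    """Fraction of uniformly random `length`-character passwords the policy rejects.

    Every rejected password is one an attacker no longer has to try: the
    policy shrinks the search space by exactly this fraction.
    """
    rng = random.Random(seed)
    rejected = 0
    for _ in range(trials):
        candidate = "".join(rng.choice(ALPHABET) for _ in range(length))
        if not complies(candidate):
            rejected += 1
    return rejected / trials


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor!", "Password1!", "Qwerty123!", "Kz7#mV2$pL"]:
        print(f"{candidate:12} violates rules {policy_violations(candidate)}")
    print("random 10-char passwords rejected:", rejection_rate())
```

Even with the toy dictionary, well over half of random 10-character passwords fail, and the survivors come from a keyspace the policy has shrunk by that same fraction; this is the reason current guidance (NIST SP 800-63B) drops composition rules and routine expiry in favour of length, breached-password screening and rotation only on evidence of compromise.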

    3. Re:Business As Usual by Anonymous Coward · · Score: 0

      There is nothing reasonable about password expiration.

    4. Re:Business As Usual by Sir_Lewk · · Score: 2, Insightful

      I can give you the best security tools

      Well according to this article, it seems the vast majority of your peers cannot even be irked to do that much. Blaming users for not knowing how to use software they were never given in the first place takes a special kind of jackass.

      Also, password expire times are idiotic and probably do more to reduce password security than increase it.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    5. Re:Business As Usual by networkBoy · · Score: 1

      sure there is.
      It is basic mitigation against a compromised account.
      If an account is silently compromised by login creds then after the password change the account is once again secure.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    6. Re:Business As Usual by RockDoctor · · Score: 1

      Secutrity requires effort to check the keys, keep them private, accept the extra steps to apply and check it, remember passwords , keys and credentials ecc.ecc.

      I sincerely hope that that's a joke. The "error-correcting-code.error-correcting-code" bit that is, not the typo.

      90% of users are plainly and loudly annoyed by common access password expire time and complexity requirements. They are simply not intellectually ready to manage encryption of fixed and removable media.

      That's fine for those of us who are in the 10%, as long as the losing 90% end up losing their jobs, dying of starvation and selling their children to the Dean Swift Fricassee Factory for a lifetime in catering. "Just think of it as evolution in action."

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    7. Re:Business As Usual by Anonymous Coward · · Score: 0

      Yes, please keep the expiration period off of all userids.
      It gives me an easy way to hack into your company's systems, I don't like being held in a window of time.

  4. lose the keys, lose the data ... by Anonymous Coward · · Score: 3, Interesting

    There are corporate docs using Office 2003 DRM where I work. I'm literally the only person in a multi-national company that can read the docs because I'm the only one who applied the hotfix for the expired certificate.

    IT can't or won't do it through the domain.

    1. Re:lose the keys, lose the data ... by Anonymous Coward · · Score: 0

      So either you are part of IT or the security is ..

  5. Does anyone believe this number? by upuv · · Score: 3, Insightful

    I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

    Exactly where does this BS stat come from again?

    1. Re:Does anyone believe this number? by commport1 · · Score: 5, Insightful

      I'm with you. In the consulting space, and the MAJORITY of companies don't have anything coming close to 'sensitive corporate data' to fall into the wrong hands that would necessitate encryption. To tell you the truth, the majority couldn't give two hoots about who reads their monthly sales figures, HR reviews, etc etc. Anyone who REALLY wants to is going to read them anyway, right? The MAJORITY of companies could care less. Eg. a Club. They sell alcohol and have a couple of restaurants, etc. Exactly the same as the Club down the street. And there is NO competitive advantage for the 'club down the street' to gain by reading the competitors reporting. Not a big deal.

    2. Re:Does anyone believe this number? by Anonymous Coward · · Score: 0

      I work in a large corporate environment (20,000+ desktops) - we implemented full disk encryption for laptops and enforced the use of encrypted USB sticks across the estate last year.

      I wasn't directly involved in the projects, so product selection may have been botched, but neither solution we've chosen appears enterprise-ready. Both have come with a high support overhead.

    3. Re:Does anyone believe this number? by AliasMarlowe · · Score: 4, Informative

      I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

      Where I work (company has over 10^5 employees worldwide), whole disk encryption is standard on all laptops. It is uncommon on desktops, however, and not compulsory on removable devices. All remote access is always encrypted, and requires the correct encryption package and authorizations. A similar situation existed at the place I worked before (about 3.10^4 employees worldwide).

      Due to the support and policy infrastructure needed, I suspect encryption is much commoner in large organizations than small ones. How the statistics on use of encryption (TFA says 27%) are formed is another matter.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    4. Re:Does anyone believe this number? by uuddlrlrab · · Score: 1

      In what office jobs I've held (mostly inbound customer service), I've never encountered an encryption program deployed company-wide to make sure data stays secure. I did see a lot of company propag-, I mean, materials referencing the need for encryption and good data protection practices. In other words, a lot of hot air.

      --
      Odi profanum vulgus et arceo
    5. Re:Does anyone believe this number? by Anonymous Coward · · Score: 1, Interesting

      I've worked for the Dutch ministry of foreign affairs, and at least my department not only didn't use encryption, but also had no virus scanners, and yes, everyone was administrator on his computer. I've seen computers with sensitive data teeming with worms and viruses. (I was the guy who had to clean them up.) Truth is, people won't care about this until two things happen: 1) something goes spectacularly cataclysmically wrong and 2) the government fails to cover it up properly.

    6. Re:Does anyone believe this number? by asc99c · · Score: 1

      Agreed. I'm not in consulting myself, but I do write custom software, and regularly visit customer sites for install and commissioning of the software. I have also never once seen a company encrypting stuff like this. Just one company wouldn't let us connect our own laptops onto their network, and instead provided laptops we could collect each morning. That's about the most security conscious place I've ever encountered, and most of these are very large companies, typically with tens of thousands of employees.

    7. Re:Does anyone believe this number? by the_xaqster · · Score: 1

      I suspect that 99% of laptops that are either lost by the owners (Left in a cab or whatever) or stolen are by people who will either want to fence it quick so don't care what is on it, or will want to keep it and see these corporate files as taking up space they could fill with pr0n.

      Most thieves will not be thinking "Oh, that's the big bank execs laptop, I wonder what confidential information he has? Let's have a look shall we", but more likely "Oh, look. Shiny!"

      --
      I'm just here to regulate Funkyness
    8. Re:Does anyone believe this number? by Mr.+Freeman · · Score: 2, Insightful

      Sure, the usual thief doesn't give a shit about the data. What you need to worry about are the thieves that are after your laptop because of the data on it. They'll certainly care about it. I lock my door at night because I'm concerned about the small number of people that would break in with the intention of harming me, not the 99.9% of people that wouldn't do anything even if the door was wide open.

      The fact that most of the laptops being stolen are falling into the hands of idiots is no excuse for failing to protect them from the real threats.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    9. Re:Does anyone believe this number? by bertok · · Score: 1

      I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

      Where I work (company has over 10^5 employees worldwide), whole disk encryption is standard on all laptops. It is uncommon on desktops, however, and not compulsory on removable devices. All remote access is always encrypted, and requires the correct encryption package and authorizations. A similar situation existed at the place I worked before (about 3.10^4 employees worldwide).

      Due to the support and policy infrastructure needed, I suspect encryption is much commoner in large organizations than small ones. How the statistics on use of encryption (TFA says 27%) are formed is another matter.

      I've been to about 100 organisations, and I've seen only 2 with widespread encryption, and only 1 with 100% encryption.

      If you count every organisation that uses SOME encryption, maybe 27%, but even then, how many small businesses use serious security?

    10. Re:Does anyone believe this number? by badevlad · · Score: 1

      I have done remote work for a foreign IT company. One of the standard requirements was having an encrypted disk with all working materials. Except for this one case, I never encountered any user at any company encrypting anything.

    11. Re:Does anyone believe this number? by SharpFang · · Score: 1

      The fact the thief doesn't go after your data doesn't mean they won't enjoy benefits from whatever they got once they realize it's there. So even very simple encryption helps, but no encryption at all means trouble.

      A laptop was stolen from a politician in Poland. It was a common thievery, nothing political. But tabloids wrote about sexual preferences and music tastes ("...500 mp3 files which we believe were of course ripped from legally owned CDs and not downloaded illegally") of that politician a week later - as soon as the thief realized what he stole, and found the right people to sell it to.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    12. Re:Does anyone believe this number? by david.given · · Score: 1

      ...about 3.10^4 employees worldwide...

      <pedant> 92 employees isn't such a big number. And who's the 0.3521 of an employee? Did someone fail to get out of the way fast enough when closing the tape vault? </pedant>

    13. Re:Does anyone believe this number? by cheesewire · · Score: 1

      Yup, you can take my usb stick and read it all you want. Unless you're particularly interested in seeing what I've been working on recently, it will quickly bore you silly. The most damage losing it would do is inconveniencing me. Whereas encrypting the thing would prevent me from simply handing it to people so they can access my files.

      9% encrypt their flash drives vs. x% who cypher their paper docs before leaving the building?

      I'm not saying it shouldn't be done - I'd hope someone actually carrying sensitive data around would encrypt it as a precaution, just as I hope the people I just sent a paper copy of my passport to will have the diligence to not take it on the train and leave it on the table.

    14. Re:Does anyone believe this number? by TheCarp · · Score: 1

      Have you worked in health care...recently?

      I think it was only regulations that made us do it. Well, made them do it. When they came to me and asked if I installed their encryption product, I told them that I had been encrypting my drive for over 3 years on my own, and unlike most others, my job really is easier if I run linux than windows, and then I tossed the key size and encryption mode at them (figured if I made their eyes gloss over they wouldn't want to continue the discussion) and told them I would be happy to talk to whoever I have to to get proper approval to use this instead.

      They gave me the check mark and moved on. Good thing too, had to send the laptop to the shop a couple of years ago, and they replaced it/kept the old one with hard drive. Had I not been encrypting, that would have been a much bigger deal.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    15. Re:Does anyone believe this number? by VoiceOfSanity · · Score: 1

      Let me state that at the company I work for, disk encryption is *MANDATORY* for all computer systems, including servers. In addition, encryption is also mandatory for anything being saved to removable media (read thumb drives, portable hard drives, but not CD and DVD media), and that digital rights management is installed for email so that you can protect a message by restricting it to only those recipients and prevent (or at least mitigate) the ability to copy that message.

      Admittedly this does make my job of supporting the systems more complicated, as previously if the operating system suffered a failure, I could still access the user's data. Today, the odds of being able to decrypt the drive (yes, there is a procedure for it) and recover data are slim... and if the user didn't install/use the company data backup software that is provided to them, then their data is lost.

      But all these requirements are for the company's safety, not necessarily the user's.

    16. Re:Does anyone believe this number? by Kamokazi · · Score: 2, Insightful

      I would mod you higher if possible.

      This is exactly the case. Most places don't need encryption. I read a cleverly worded quote once that said something to the effect that security should serve business goals, and not just be there for security's sake. This is one of those cases. Encryption is a pain in the ass and not usually necessary.

      The only data virtually every company needs to protect is their employees' personal info, generally in HR. SSN's, any Medical info from insurance claims, etc.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    17. Re:Does anyone believe this number? by characterZer0 · · Score: 1

      I'm a consultant.

      That is why you do not see it. The companies that use it know what they are doing, and do not need you.

      --
      Go green: turn off your refrigerator.
    18. Re:Does anyone believe this number? by Neoprofin · · Score: 1

      If you really wanted to be mean you could've pointed out that simply writing out the number would have been more space and time efficient.

    19. Re:Does anyone believe this number? by Anonymous Coward · · Score: 0

      It included all the smart-asses who said they use double ROT13 encryption.

    20. Re:Does anyone believe this number? by Anonymous Coward · · Score: 0

      Most places don't need encryption.

      The only data virtually every company needs to protect is their employees' personal info

      Although employee data will usually be secured and not widely dispersed around the company and so not too much of a problem, you're forgetting customer data. This will frequently be widely spread around a company and is highly likely to contain confidential customer details. Any loss of such data unencrypted (even if it doesn't measurably damage the customer) will cause a severe loss of confidence and possibly loss of business, because it will be seen as unacceptable incompetence. Also, loss of any customer data containing personal data about customer employees (maybe as little as their name and non-work contact details) could bring legal penalties into play depending on the local data protection laws.

    21. Re:Does anyone believe this number? by dueyfinster · · Score: 1

      Same here. I worked for a large public sector health company in Europe. After a few data breaches at Energy companies and Banks, it was a ticking timebomb for management. Every new laptop is encrypted before being handed to the user and a big effort is underway to get the older ones. Old laptops which can't handle encryption are being replaced, all for a 100,000+ employee organization.

      --
      --- Duey Finster http://www.dueyfinster.com
    22. Re:Does anyone believe this number? by Anonymous Coward · · Score: 0

      My employer does it for email; where everyone has gpg set up. We use Google Apps for email, and the Firefox "FireGPG" extension makes this really easy even for people who use browsers as their email client.

      I've seen people use encrypted folders at work too - but that was for the purpose of hiding pr0n from their boss.

    23. Re:Does anyone believe this number? by bschorr · · Score: 2, Insightful

      What about bank account info? Account numbers and balances? Saved passwords to financial sites or corporate resources? What about customer data? Credit card numbers? We see data in customer sites every day that shouldn't be exposed outside the organization. Granted it's not always found on portable devices but sometimes it is.

      Whole disk encryption is really not difficult to do and it's a heck of a lot easier than having to apologize to all of your customers because you lost an unencrypted laptop with their information on it.

      --
      -B-
    24. Re:Does anyone believe this number? by Pushpabon · · Score: 0

      It's "couldn't care less", not "could care less". See, if you could care less then you're not caring as little as possible. If you couldn't care less then you're caring the minimum amount.

  6. How much of this is really SENSITIVE? by Isaac-1 · · Score: 1

    I have to wonder how much of this data that most people deal with in a work from home, telecommuter lifestyle is really that confidential. It seems to me even those with cut throat rival competitors where corporate espionage is the accepted norm would find little value in much of the information they could gain by sifting through the virtual inboxes of these people. After all it's not like you're likely to find the super secret plans for the new product; instead you are likely to find random puzzle pieces that give no clue as to the big picture. Some email exchange about being mis-billed for janitorial supplies here, someone talking about revising the employee lunch schedule, and then a bit of gold, a 23 page spreadsheet file projecting the cost of vehicle fleet utilization.

    1. Re:How much of this is really SENSITIVE? by uuddlrlrab · · Score: 1

      I don't think this is so much corporate espionage, as it is personal data of either customers, clients, or even the company's own employees, falling into the wrong hands. Like identity thieves or black-hat hackers sifting for credit card numbers or other usable financial information, payroll/account details that could possibly include bank account numbers, etc. How many people these days use direct deposit? And some companies that handle medical/rx must abide by HIPAA (Health Insurance Portability and Accountability Act), which requires certain "Personal Info" to be released only internally, or only to third parties directly involved with a given person's health care. There are companies that need this, either by law, or just as a good common sense measure, and if not for the entire organization, then at least some departments should look into it.

      --
      Odi profanum vulgus et arceo
    2. Re:How much of this is really SENSITIVE? by Crazy+Taco · · Score: 1

      Except that none of the sort of data you are talking about is going to be on a laptop. It's going to be stored on a corporate server and accessed by some application like SAP or something. Remote users may be able to log into the server through some kind of web interface or something, but they aren't going to be storing the data on their machine. And as far as protecting the server goes, since a potential thief most likely won't get physical access, they have to do some sort of remote exploit. And if they are able to pull that off, then they'll probably be running in the user space as the application they exploited, likely making the disk encryption moot.

      --
      Beware of bugs in the above code; I have only proved it correct, not tried it.
  7. Encryption drawbacks by WetCat · · Score: 5, Informative

    Using encryption has its drawbacks:
    * you must provide a meaningful key management
    * you lose speed of your machines for number crunching
    * you can easily lose data in the event of hardware corruption
    * access to data is a bit harder even for legitimate purposes
    * many systems (for example Active Directory domain controller vs. ipsec) don't work well with encryption
    * skills of your systems management must be higher

    1. Re:Encryption drawbacks by grahamlee · · Score: 3, Insightful

      Taking those point by point (and staying on topic by discussing hard drive encryption, the subject of TFA):

      * you must provide a meaningful key management

      Depending on the size of the organisation and the purposes for using encryption, key management may not be necessary, though you still need a capable and reliable lost-passphrase-recovery helpdesk which is going to cost.

      * you lose speed of your machines for number crunching

      I think you need to review just how much time you think computers spend reading and preparing data from the hard drive. If you're in the middle of a number-crunching job, it's pretty much negligible. And besides that, most business laptop users (the target users of full-disk encryption) are trying to read e-mail and write Powerpoint slides, they aren't trying to simulate protein folding.

      * you can easily lose data in the event of hardware corruption

      * access to data is a bit harder even for legitimate purposes

      Yes, that's the whole point. It's usually only a bit harder (you have to authenticate before the operating system will boot) but in return for that, the confidentiality of your data is protected. Security is about risk management and if the risk of publicising your company's secrets is more significant than the risk of users losing time by forgetting their passwords, then the trade-off is worth making.

      * many systems (for example Active Directory domain controller vs. ipsec) don't work well with encryption

      Firstly, the kind of encryption they're talking about in the article, as implemented by BitLocker on Windows and third-party products on many operating systems, is transparent to operating system processes.

      * skills of your systems management must be higher

      Oh noes! I pay my systems managers to manage my systems but don't want to pay people who know what they're doing!
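The key-management point raised above (user passphrases plus a lost-passphrase recovery desk), as an added example that is not code from the page or from any product it names: a Python model of a volume header with two key slots, the design that lets LUKS-style and BitLocker-style tools recover a volume from an escrowed recovery key without the helpdesk ever learning the user's passphrase, and change the passphrase without re-encrypting the disk. The names `create_volume`, `unlock` and `reset_passphrase` are this example's own. PBKDF2 comes from `hashlib`; because the standard library has no AES, each slot wraps the master key by XOR under a single-use derived key and an HMAC tag, a simplification standing in for the AES-based key wrap real tools use.

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32              # volume master key, AES-256 sized
PBKDF2_ITERATIONS = 100_000


def _derive(secret: bytes, salt: bytes) -> bytes:
    """Stretch a passphrase or recovery key into 64 bytes: 32 to wrap, 32 to MAC."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=64)


def _wrap(master_key: bytes, secret: bytes) -> dict:
    """One key slot: salt + master key wrapped under `secret` + integrity tag.

    The wrapping key is derived from a fresh random salt and used exactly once,
    so XOR-ing it onto the master key is a one-time pad (stand-in for AES key
    wrap). The HMAC tag lets `_unwrap` reject a wrong secret instead of
    returning garbage that would silently corrupt the volume.
    """
    salt = os.urandom(16)
    derived = _derive(secret, salt)
    wrapping_key, mac_key = derived[:32], derived[32:]
    wrapped = bytes(a ^ b for a, b in zip(master_key, wrapping_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def _unwrap(slot: dict, secret: bytes):
    derived = _derive(secret, slot["salt"])
    wrapping_key, mac_key = derived[:32], derived[32:]
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None                      # wrong secret for this slot
    return bytes(a ^ b for a, b in zip(slot["wrapped"], wrapping_key))


def create_volume(passphrase: str):
    """Create a header with a user slot and an escrow slot.

    Returns (header, recovery_key_hex). The recovery key is what IT escrows
    (for example in a directory service); the master key itself is never
    stored anywhere in the clear.
    """
    master_key = secrets.token_bytes(KEY_LEN)
    recovery_key = secrets.token_bytes(KEY_LEN)
    header = {
        "user": _wrap(master_key, passphrase.encode()),
        "recovery": _wrap(master_key, recovery_key),
    }
    return header, recovery_key.hex()


def unlock(header: dict, passphrase: str = None, recovery_key_hex: str = None):
    """Return the master key via whichever slot the caller can open, else None."""
    if passphrase is not None:
        key = _unwrap(header["user"], passphrase.encode())
        if key is not None:
            return key
    if recovery_key_hex is not None:
        return _unwrap(header["recovery"], bytes.fromhex(recovery_key_hex))
    return None


def reset_passphrase(header: dict, recovery_key_hex: str, new_passphrase: str) -> bool:
    """Helpdesk flow for a forgotten passphrase: open the escrow slot and
    re-wrap the unchanged master key under the new passphrase. Data on disk is
    untouched because the master key does not change."""
    master_key = unlock(header, recovery_key_hex=recovery_key_hex)
    if master_key is None:
        return False
    header["user"] = _wrap(master_key, new_passphrase.encode())
    return True


if __name__ == "__main__":
    header, recovery_key = create_volume("correct horse battery staple")
    print("escrow this recovery key:", recovery_key)
    print("user unlock ok:", unlock(header, passphrase="correct horse battery staple") is not None)
    print("wrong passphrase:", unlock(header, passphrase="guess"))
    print("helpdesk reset:", reset_passphrase(header, recovery_key, "new passphrase"))
    print("new passphrase ok:", unlock(header, passphrase="new passphrase") is not None)
```

Two properties of the design carry over to the real products: the escrow slot is only as safe as the store holding the recovery keys, which is why that store (and who can read it) deserves the same scrutiny as the passphrase policy; and the header still allows offline guessing against the user slot, so the slow KDF and a decent passphrase are what protect a stolen laptop, not the wrapping step.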

    2. Re:Encryption drawbacks by grahamlee · · Score: 1

      Firstly, the kind of encryption they're talking about in the article, as implemented by BitLocker on Windows and third-party products on many operating systems, is transparent to operating system processes.

      Erm :). Secondly, active directory domain controllers are typically run on servers rather than laptops, and full-disk encryption is typically run on laptops rather than servers.

    3. Re:Encryption drawbacks by KiloByte · · Score: 2, Informative

      * you lose speed of your machines for number crunching

      I think you need to review just how much time you think computers spend reading and preparing data from the hard drive. If you're in the middle of a number-crunching job, it's pretty much negligible. And besides that, most business laptop users (the target users of full-disk encryption) are trying to read e-mail and write Powerpoint slides, they aren't trying to simulate protein folding.

      For typical modern hard disk and CPU speeds, it takes about a single whole core to encrypt/decrypt the data at full bandwidth. That's definitely not a negligible loss. Business users may not be trying to run make -j like we do, but they'll still suffer significantly decreased battery life.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Encryption drawbacks by Anonymous Coward · · Score: 2, Interesting

      I ask, what are the tradeoffs though? Some of these factors can be mitigated. If you use Vista or Windows 7, Bitlocker recovery keys can be plopped into Active Directory.

      The factors for not having encryption are worse, and this is not factoring PCI/DSS compliance, Sarbanes-Oxley, HIPAA, CALEA, and other laws:

      * The legal liability of having records that were likely tampered with, so if there is a tax audit, there is no proof of anything that can stand in a tax court. The IRS or tax body may find that the lack of security constitutes malfeasance and assess immense fines.

      * Shareholders will band together and make a class action suit at a drop of a hat. If a company shows that it knew about the risk, but didn't deploy encryption, there will be flocks of law firms in a feeding frenzy looking for anything which could be construed as gross misconduct or failing to employ due diligence.

      * Law enforcement who is tired of chasing ID theft cases will be looking at the company to see if any criminal laws about data retention got broken. (This is mainly the EU.)

      * You can do a lot with paying ad guys for PR, but it will cost a lot more to patch up damaged reputation than having meaningful security in the first place.

      * The fees a company pays to have data recovery consultants will far, far outweigh the costs of having a security infrastructure. Yes, I have heard many bosses say, "just call Geek Squad", but for an enterprise-level meltdown, one will be looking at a huge tab, especially if business production systems are down.

      * In some countries, having a rival company or nation know who is on a business's payroll may put lives at stake, especially if someone is found to be working for an unpopular company in an unstable country.

    5. Re:Encryption drawbacks by broken_chaos · · Score: 2, Informative

      From my experience playing with dm-crypt under Linux (on a greater-than three year old laptop, nonetheless), the speed and battery impact is surprisingly negligible for anything that doesn't constantly access the disk. Even with constant disk access, it was often less than a 'full core' of CPU utilisation. The only circumstance I can see full disk encryption, even done entirely in software, being a significant drain on performance is with a single core system or an extremely fast hard drive setup. A number of business-oriented laptops come with dedicated hardware disk encryption these days, such as some of the Lenovo offerings.

      Of course, I did tweak the system I used to a fairly significant degree -- for example, most compilation (it was running Gentoo) was done fully in RAM, thanks to tmpfs, as well as using some other laptop-mode tweaks that reduced frequency of writes. It wasn't even that I needed the data on the disk encrypted... I just did it because I could, with few downsides and the upside being some more experience with that sort of security setup (which has come in handy since).

    6. Re:Encryption drawbacks by bertok · · Score: 3, Insightful

      Using encryption has its drawbacks:
      * you must provide a meaningful key management
      * you lose speed of your machines for number crunching
      * you can easily lose data in the event of hardware corruption
      * access to data is a bit harder even for legitimate purposes
      * many systems (for example Active Directory domain controller .vs. ipsec) don't work well with encryption
      * skills of your systems management must be higher

      I know you probably mean well, but every one of those statements is basically false.

      - Active Directory + Bitlocker OR AD + Encrypting File System (EFS) both do automatic key management, key escrow, etc...
      - Bitlocker has no performance impact, it uses the TPM chip. Also, most CPUs are MUCH faster at encryption than disks are at reading or writing data, so it's not a bottleneck even for software-only systems.
      - hardware corruption causes data loss anyway, encryption just ensures that you only ever get valid data. In that respect, it's a little like ZFS -- encryption also provides integrity, as well as security.
      - Access to data on encrypted volumes is NOT harder. It's usually transparent. If you have proper backup procedures in place, you need never access data in non-standard ways. Speaking of which, your backups should be encrypted too!
      - AD works well with encryption, and has its own built in. It's already reasonably secure for most applications, and doesn't really need further encryption. The only AD related protocol that had issues with ipsec is DNS, but Windows 7 and 2008 R2 now support that as well.
      - If you're already deploying Windows Vista or 7 SOEs, adding in Bitlocker is trivial, it's basically a checkbox. Deploying ipsec is admittedly a little harder, but it's not exactly rocket science.

      I've implemented extensive encryption before, and it wasn't hard, and the users never noticed. From what I've seen, the lack of encryption is not caused by technical issues, but laziness and politics.

      Security is one of those things that's not a problem day to day, just like backups. The users don't notice, and nobody complains to the managers about it, so it must not be a problem, right?

      You only need security on those rare occasions when there's a hack, or a laptop gets stolen, or some intern sells 10 petabytes of old backup tapes full of customer data on eBay for $35. Of course, when those things happen, it's already too late to implement security. The breach has already occurred. There's no going back in time to tick checkboxes.

      In case you're wondering just how common data breaches are, check out this list of the publicly known ones:

      http://www.privacyrights.org/ar/ChronDataBreaches.htm

      If that doesn't scare you, think about how many more there are that the public didn't find out about. Chances are good that your personal data has been leaked to God-knows-who, probably several times, because of lazy IT admins and inept managers.
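The post above says that disk encryption "also provides integrity". That is true only of authenticated modes. The sector ciphers used by BitLocker, dm-crypt and TrueCrypt (CBC and XTS variants) carry no MAC: a modified ciphertext decrypts without any error, and with CBC an attacker who knows the on-disk layout can flip chosen bits in one block at the price of garbling the block before it. The following is an added example, not code from the thread or from any of the products named in it, that shows the difference using Go's standard library. The key, IV, nonce and the 48-byte "sector" laid out as three 16-byte records are constructed fixtures; AES-GCM stands in for any authenticated mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed fixtures (not real keys or data): a fixed 256-bit key, a fixed
// CBC IV and GCM nonce. Real products derive the IV from the sector number.
var (
	key   = bytes.Repeat([]byte{0x42}, 32)
	iv    = bytes.Repeat([]byte{0x07}, aes.BlockSize)
	nonce = bytes.Repeat([]byte{0x07}, 12)
)

// constructedSector is a 48-byte "sector": three 16-byte records, so that
// each record occupies exactly one AES block.
func constructedSector() []byte {
	return []byte("hdr=ledger-v1   " + "amount=0001     " + "owner=alice     ")
}

// cbcXform runs AES-CBC over whole blocks in the requested direction, the way
// an unauthenticated disk-style cipher does: no padding and no MAC.
func cbcXform(encrypt bool, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data length %d is not block aligned", len(data))
	}
	var mode cipher.BlockMode
	if encrypt {
		mode = cipher.NewCBCEncrypter(block, iv)
	} else {
		mode = cipher.NewCBCDecrypter(block, iv)
	}
	out := make([]byte, len(data))
	mode.CryptBlocks(out, data)
	return out, nil
}

// TamperCBC encrypts plain, XORs mask into ciphertext byte pos, decrypts the
// result and returns what a reader of the disk would see. CBC decryption has
// nothing to check, so err is nil: because P[i] = D(C[i]) XOR C[i-1], block
// pos/16 comes back as garbage and byte pos%16 of the following block is
// XORed with mask, exactly as the attacker chose.
func TamperCBC(plain []byte, pos int, mask byte) ([]byte, error) {
	ct, err := cbcXform(true, plain)
	if err != nil {
		return nil, err
	}
	ct[pos] ^= mask
	return cbcXform(false, ct)
}

// TamperGCM does the same with AES-GCM. Open verifies the tag before returning
// any plaintext, so the same one-byte change is rejected with an error.
func TamperGCM(plain []byte, pos int, mask byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plain, nil)
	ct[pos] ^= mask
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	plain := constructedSector()
	// Flip bit 3 of ciphertext byte 10 (inside block 0): the '1' of "amount=0001",
	// plaintext byte 26 in block 1, becomes '9'; block 0 is garbled, block 2 is intact.
	forged, err := TamperCBC(plain, 10, 0x08)
	fmt.Printf("CBC: err=%v block1=%q block2=%q\n", err, forged[16:32], forged[32:48])
	_, err = TamperGCM(plain, 10, 0x08)
	fmt.Printf("GCM: err=%v\n", err)
}
```

Disk encryption of this kind protects confidentiality of a lost laptop, which is the threat the thread is about; it does not tell you that the data you read back is the data you wrote. If tamper detection matters, it has to come from an authenticated layer on top (filesystem checksums, dm-integrity, signed or MACed backups), not from the sector cipher.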

    7. Re:Encryption drawbacks by lukas84 · · Score: 1

      Microsoft recommends using RODCs and BitLocker in branch office servers in insecure locations.

    8. Re:Encryption drawbacks by lukas84 · · Score: 2

      Bitlocker has no performance impact, it uses the TPM chip.

      Wrong. While Bitlocker utilizes the TPM to ensure a secure boot and automatic unlocking (if so desired), the TPM chip is NOT used to handle the actual encryption/decryption.

      BitLocker in Windows 7 will support the new Core i3/i5 AES extensions for faster encryption, though.

    9. Re:Encryption drawbacks by KiloByte · · Score: 1

      Was that "constant disk access" seek-bound or throughput-bound?

    10. Re:Encryption drawbacks by bertok · · Score: 1

      Bitlocker has no performance impact, it uses the TPM chip.

      Wrong. While Bitlocker utilizes the TPM to ensure a secure boot and automatic unlocking (if so desired), the TPM chip is NOT used to handle the actual encryption/decryption.

      BitLocker in Windows 7 will support the new Core i3/i5 AES extensions for faster encryption, though.

      Good point, apparently there is a 30-40% hit on very low-end netbooks (Intel Atom, etc...), but on modern CPUs it appears to be about 10-15% at most.

      I doubt most office workers would notice that, but if you had an SSD, I suppose you'd think twice before turning it on, unless you had a CPU to match!

    11. Re:Encryption drawbacks by cbhacking · · Score: 1

      Where the hell did you get that number from? Tests with BitLocker show a loss of between 14% (old single-core CPU with lots of processes running) and under 1% (high-end quad-core system that could easily have devoted two cores to decryption if anything close to that much was needed - the loss in this case was due to the trivial increase in disk latency caused by running it through the decryption routine). Normal performance loss was under 5% on a typical system of about 18 months ago (dual-core, 2.0 to 2.5 GHz, 7200 RPM hard disk) since the disk access latency almost completely hid the CPU cost.

      I'm not going to deny that there's a performance impact, but it's nowhere close to one half (or one quarter, depending on your core count) of your CPU. You can get by just fine on a single-core CPU even (seriously, I've seen it used on netbooks), if you're not trying to factor RSA keys at the same time. For typical email/spreadsheet/powerpoint/word processing/demo of beta product type stuff that most business machines get used for, it's an insignificant cost compared to the risk averted.

      --
      There's no place I could be, since I've found Serenity...
    12. Re:Encryption drawbacks by nxtw · · Score: 1

      For typical modern hard disk and CPU speeds, it takes about a single whole core to encrypt/decrypt the data at full bandwidth. That's definitely not a negligible loss. Business users may not be trying to run make -j like we do, but they'll still suffer significantly decreased battery life.

      I've used full disk encryption for the past four years. Overall, the loss in performance is negligible unless performing I/O heavy tasks such as running virtual machines or loading a full-sized hibernation image. Running VMs was an annoyance on the 945[GP]M and Core Duo laptops I used, which were limited to 2 or 3 GB of RAM and only ran 32-bit software. The decrease in battery life is minimal, especially with lots of RAM. I do build software with make -j on a laptop with full disk encryption and performance is just fine.

    13. Re:Encryption drawbacks by Anonymous Coward · · Score: 0

      For typical modern hard disk and CPU speeds, it takes about a single whole core to encrypt/decrypt the data at full bandwidth.

      I say bollocks. I recently had to install full disk encryption on my approx 7 year old (obviously single core) work laptop, which is pretty slow to start with, and it made *no* noticeable difference to the speed even during disc intensive work like the boot sequence.
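KiloByte, cbhacking, nxtw and the anonymous poster above disagree about how much of a core software disk encryption costs, and the honest answer is that it depends on the machine: the number to find is the cipher's single-core throughput, and the share of a core the disk can consume is its sustained bandwidth divided by that figure. On Linux, `cryptsetup benchmark` reports the same throughput figures for the dm-crypt ciphers. The following added example, not code from the thread, makes that measurement with Go's standard library. It uses AES-256 in CTR mode as a stand-in for the XTS and CBC sector modes, which cost about the same per block; the key and buffer are constructed, and the disk bandwidths printed by main are assumed figures, not measurements.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"time"
)

// Throughput encrypts mib mebibytes on the calling goroutine (one core) with
// AES-256-CTR and returns the rate in MiB/s. The key and the all-zero buffer
// are constructed for the benchmark; the cipher's cost does not depend on them.
func Throughput(mib int) (float64, error) {
	if mib <= 0 {
		return 0, errors.New("size must be positive")
	}
	key := make([]byte, 32) // constructed benchmark key, not for real use
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	stream := cipher.NewCTR(block, make([]byte, aes.BlockSize))
	buf := make([]byte, 1<<20) // one MiB, encrypted in place each round
	start := time.Now()
	for i := 0; i < mib; i++ {
		stream.XORKeyStream(buf, buf)
	}
	secs := time.Since(start).Seconds()
	if secs <= 0 {
		return 0, errors.New("timer resolution too coarse for this size")
	}
	return float64(mib) / secs, nil
}

// CoreFraction is the share of one core needed to keep up with a disk that
// delivers diskMiBs MiB/s when the cipher runs at cipherMiBs MiB/s on that core.
// A value near 1.0 is KiloByte's "a single whole core"; a value near 0.1 is the
// 10-15% others report. Idle or seek-bound workloads use far less, since the
// cipher only runs on bytes actually transferred.
func CoreFraction(diskMiBs, cipherMiBs float64) float64 {
	return diskMiBs / cipherMiBs
}

func main() {
	rate, err := Throughput(256)
	if err != nil {
		fmt.Println("benchmark failed:", err)
		return
	}
	fmt.Printf("AES-256-CTR on one core: %.0f MiB/s\n", rate)
	// Assumed sustained bandwidths: a 2009-era laptop disk, a desktop disk, a SATA SSD.
	for _, disk := range []float64{60, 120, 500} {
		fmt.Printf("%4.0f MiB/s disk -> %3.0f%% of one core\n", disk, 100*CoreFraction(disk, rate))
	}
}
```

Run it once with the CPU's AES instructions available and once on an older core without them and the two camps in the thread are both right for their own hardware; the battery-life question is the same arithmetic applied to the bytes actually read and written during a working day.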

    14. Re:Encryption drawbacks by Anonymous Coward · · Score: 0

      careful there with that whacky unix stuff....
      this is slashdot, the windows crowd. You'll get burnt at the stake for it because you're obviously talking about something old and dead.
      (sarcasm)

  8. As a road warrior I should be using encryption... by hwyhobo · · Score: 5, Interesting

    As a road warrior I should be using encryption, right? I would be a perfect candidate for it? And yet there is no way I will encrypt my laptop when I travel. The risk of losing access to the data when something goes wrong is far too dangerous to risk it. I have had problems on the road already, yet I have always managed to recover my data either from my laptop or from backups, but what happens when the decryption mechanism or the OS crashes? Carry another laptop? Carry bootable USB-based decryption tools? Sorry, too many variables, too much potential for trouble.

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

    (1) As long as it is unencrypted, you can still recover it relatively easily.

    --
    End anonymous moderation and posting on /.
  9. My experiences were. by motherjoe · · Score: 1

    The two Global IT outsourcers I worked for had us encrypt for Lotus Notes and Outlook, remote VPN connections, and when we connected to network devices on shared or owned customer space it was always SSH or SFTP.

    That said, for much of the older legacy stuff that was deep inside each company's infrastructure it wasn't so much required.

    --
    "Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"
  10. Which is fine. by pspahn · · Score: 0

    At some point, organizations will realize they actually were vulnerable, and will swarm to adopt new security policies.

    A lack of security, in this case, ends up creating security... job security.

    --
    Someone flopped a steamer in the gene pool.
  11. More than I expected. by Wizarth · · Score: 3, Interesting

    That is a larger percentage than I expected. I wonder if the statistics were collected by asking people if they used it, and the percentages were more the amount of people who knew they should be.

    1. Re:More than I expected. by SgtChaireBourne · · Score: 1

      That is a larger percentage than I expected. I wonder if the statistics were collected by asking people if they used it, and the percentages were more the amount of people who knew they should be.

      It probably is directly proportional to the percentage of businesses leaving Windows behind. The number is growing rapidly, but to avoid harassment of all kinds, including pesky sales drones, they try not to be visible about it.

      --
      Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  12. Re:As a road warrior I should be using encryption. by motherjoe · · Score: 4, Funny

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

  13. Anonymous Coward by Anonymous Coward · · Score: 0

    Heh-heh. Which ones?

  14. Re:As a road warrior I should be using encryption. by upuv · · Score: 1

    100% Agree. The simple fact is if I encrypt it here I can't un-encrypt it there. Translation: my hard disk uses version 1.5.3.6.3.222.43..56666.333 of software BLOTZO.supersafe.org and nothing else I own does. My HD goes cactus, I'm screwed.

    I simply can't trust that I can recover from a failure. Even if I carry the magic secret key to the encryption.

    It'll cost "me" more to recover than to have stolen.

    P.S. I will go down on assault charges the next time some moron un-plugs my usb drive without safely ejecting it.

  15. That's another problem altogether by hwyhobo · · Score: 4, Insightful

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

    That's another problem altogether - that kind of information should never be carried on one's laptop, period. It should only be accessed through a secure tunnel, and it should reside at HQ. There it should be encrypted.

    --
    End anonymous moderation and posting on /.
    1. Re:That's another problem altogether by motherjoe · · Score: 1

      Yes, I was poking a little fun and trying to make the author really think about if the info is worth the risk of going unencrypted.

      Referencing.....

      http://www.privacyrights.org/ar/ChronDataBreaches.htm

    2. Re:That's another problem altogether by aclarke · · Score: 1

      You're right of course. Should, should should. I don't know what business you're in, and what data is on your hard drive. I know I DO have sensitive information on my laptop, much as I try to remove it. For instance, I once had a customer email me a Microsoft Access database with > 13,000 customer records with credit card, CVV code, and full billing name and address. That clearly violated a number of agreements he had in place with his acquiring bank, but it only takes one file like that that you forget to delete from your inbox, or is still in your trash, or whatever, and losing your laptop can have a catastrophic effect on your credibility.

      This is why, in addition to trying to keep sensitive information off my laptop, I ALSO encrypt everything. I'm sure I'm in a different situation than you, and maybe I'm just more paranoid. Perhaps if your laptop is stolen with company data, you can just blame IT for not having a better security policy in place. Since in my case, I'm on the hook, I don't want to be the weak link in the chain.

      My encrypted information is also stored in a cloud-based backup (encrypted) and an on-site backup (encrypted). The two backups use different encryption methods. If my laptop dies in the field, I still have access to all my files if necessary and I shouldn't ever lose more than the last few hours of work, maximum.

    3. Re:That's another problem altogether by Just+Some+Guy · · Score: 1

      That's another problem altogether - that kind of information should never be carried on one's laptop, period. It should only be accessed through a secure tunnel, and it should reside at HQ.

      My wife's a doctor. She uses an electronic medical records package that runs on a dedicated, non-Internet-connected server back in her office. She also travels to nearby towns to host remote clinics maybe 6-8 times a month. For that, she uses the same software on a laptop that syncs against the server whenever she's in her main office.

      The infrastructure you're so certain we should use does not exist here. Most of these clinics are in small towns, population under 1,000, and don't have any Internet access in the buildings she works out of. Instead, we use TrueCrypt full disk encryption on her laptop as the compromise between perfect security and actually being usable.

      By the way, a thief stealing her laptop has nothing but a computer they could (at most) format and re-use or sell. A thief stealing your ideal laptop has VPN access into your corporate LAN until it gets reported and the VPN keys are revoked. It seems neither solution is perfect, eh?

      --
      Dewey, what part of this looks like authorities should be involved?
  16. Re:As a road warrior I should be using encryption. by Jeian · · Score: 2, Insightful

    It depends on your job. If you're, say, a marketing consultant, encryption probably isn't all that important. If you work for a credit card processing company (I previously worked in the IT department for one) you absolutely should be using encryption.

  17. that's because by rastoboy29 · · Score: 2, Informative

    we geeks haven't made it easier to use.

    1. Re:that's because by Anonymous Coward · · Score: 0

      We geeks haven't made our posts easier to read, either.

  18. Orangutans by Anonymous Coward · · Score: 0

    Am I the only one who read that initially as: 27% of Orangutans? I thought that was a pretty good number for an ape.

  19. Come on now by Frogbert · · Score: 1

    There is no way it is that high.

  20. Re:As a road warrior I should be using encryption. by Orlando · · Score: 2, Insightful

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

    I would go even further - What is the mathematical probability of someone stealing my [laptop] AND be interested enough in the data on the disk to bother trying to get access to it.

    Even without encryption, getting access to the data on a laptop which uses OS password authentication requires some time and knowledge. I would argue that most people who steal laptops would reinstall as soon as they see a login screen. In other words, the hardware is more valuable to them than the data.

    Be sure, I'm not saying the risk is zero, but it's pretty low.

    Orlando

    --
    -= This is a self-referential sig =-
  21. Re:As a road warrior I should be using encryption. by jimicus · · Score: 2, Insightful

    100% Agree. The simple fact is if I encrypt it here I can't un-encrypt it there. Translation: my hard disk uses version 1.5.3.6.3.222.43..56666.333 of software BLOTZO.supersafe.org and nothing else I own does. My HD goes cactus, I'm screwed.

    I simply can't trust that I can recover from a failure. Even if I carry the magic secret key to the encryption.

    It'll cost "me" more to recover than to have stolen.

    P.S. I will go down on assault charges the next time some moron un-plugs my usb drive without safely ejecting it.

    Which is why the correct response to "Oh dear my OS has failed and I now can't recover any of the encrypted data that was on the hard disk" is NOT "I'll have to crack out the bootable USB rescue disk that has never been properly tested and cannot possibly work in all circumstances".

    The correct response is "Oh well, that's what the backup is there for".

    (How easy it is to enforce your users not storing data on their laptops - or if they must do so guaranteeing they have a working backup facility in place - is another issue altogether).

  22. Disk encryption can be very useful sometimes by vadim_t · · Score: 3, Interesting

    There's one use for encryption people don't generally discuss: tech service.

    I've been running a home server for a long time. Such systems over time accumulate years worth of mail, which will contain private data, website passwords, and so on. I personally feel uncomfortable with sending a disk containing years worth of data to a tech support department when I want to say, get it replaced under warranty. There have been a few stories about underpaid techs looking for music and porn on customers' hard drives. And if the disk is broken I can hardly erase it properly.

    So my solution:

    For servers, encrypt the disk, and keep the key on a USB drive always plugged into the server. If a disk breaks, I remove the disk, and send it for warranty replacement without worrying about the data.

    For laptops, I use Ubuntu's disk encryption. It's even better there as laptops usually don't have RAID, and may break for multiple reasons that I can't personally fix.

    1. Re:Disk encryption can be very useful sometimes by Anonymous Coward · · Score: 0

      If only Gary Glitter had known that...

      Of course, that is one reason why various governments want encryption to be illegal.

    2. Re:Disk encryption can be very useful sometimes by 140Mandak262Jamuna · · Score: 1

      For servers, encrypt the disk, and keep the key on a USB drive always plugged into the server. If a disk breaks, I remove the disk, and send it for warranty replacement without worrying about the data.

      For laptops, I use Ubuntu's disk encryption. It's even better there as laptops usually don't have RAID, and may break for multiple reasons that I can't personally fix.

      Funny, you did not consider not downloading and storing porn in your hard disks.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    3. Re:Disk encryption can be very useful sometimes by cbhacking · · Score: 1

      Indeed, the ability to fairly irrevocably destroy all data on the disk (by removing all recovery keys to the encryption) is one of many advantages to whole-disk encryption. Granted it's less secure than overwriting the platters with random data 17 times and then running a magnet over them for good measure, but it's a preventative measure and as you point out it's something that you can do before a disk dies, to ensure the data is irrecoverable even if you can't write to it anymore but somebody malicious with specialized recovery hardware gets ahold of it.

    4. Re:Disk encryption can be very useful sometimes by vadim_t · · Score: 1

      Why would I worry about porn? If some tech drone sees there's porn there, big deal.

      Now something that worries me a lot more is somebody digging up a credit card number from the browser cache.

    5. Re:Disk encryption can be very useful sometimes by butlerm · · Score: 1

      I never send hard drives in for warranty service or replacement. If they have confidential data on them, I beat them up with a hammer and throw them away. If the drives actually work, and aren't hopelessly old, I put them on a shelf instead.

      As far as encrypting data at the block level is concerned, I doubt it will become prevalent until it is a standard feature of every common operating system. Even then there will be many systems that won't use it without hardware encryption support, because it will be too slow.

    6. Re:Disk encryption can be very useful sometimes by muckracer · · Score: 1

      > Why would I worry about porn? If some tech drone sees there's porn
      > there, big deal.

      Unless the tech drone and his pointy-hair store-supervisor think, she
      looks less than 18. Before you know it, a police report has been
      filed, questioning ensues and a whole mess in general descends upon
      you that you may never quite extricate yourself from again...even if
      she was 23 at the time but who's gonna ask her...

  23. A lot of organisations just are not that important by frinkacheese · · Score: 4, Insightful

    If you run a cleaning company or you're a group of plumbers or perhaps you have a fairly large landscape gardening company then your data just is not that important or a target. So this survey is really quite useless, so what if Agnes Cleaners do not encrypt their thumb drives with their cleaning rota on it? Nobody cares. So whilst all organisations should encrypt just because it is sensible, not all organisations really need to bother because the likelihood of anything happening to their data is so small that it's just not worth the effort of sorting out the idiots who call up the part-time IT admin guy because they have forgotten their encryption key (again).

  24. Re:As a road warrior I should be using encryption. by IBBoard · · Score: 1

    Even without encryption, getting access to the data on a laptop which uses OS password authentication requires some time and knowledge

    I'm not exactly sure I'd call "throw a Linux Live disk" or "unscrew the HDD compartment, remove the disk and hook it up to a desktop" things that require much time or very much knowledge.

    Chances are that thefts probably are to sell it and that they aren't interested in the data, but companies still shouldn't want to risk it (particularly if they work in a more sensitive environment with customers other than the standard commercial players).

  25. Re:As a road warrior I should be using encryption. by Bert64 · · Score: 1

    And if your OS fails to boot, you will need to carry bootable media with you in any case.

    There are also hardware encrypted drives, OS independent, no performance hit, no software to become corrupted... The only thing that would stop you getting at your data is a hardware failure, and a hardware failure will break an unencrypted drive just as badly.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  26. Use systems that users dont need to think about... by jonwil · · Score: 3, Insightful

    There do exist packages that can handle the encryption of at least fixed disks without the user needing to do anything more than the usual login. BitLocker for one (and BitLocker can plug into Active Directory easily)

    With the right software, it is possible to protect the fixed disks of all PCs in the enterprise (including laptops that may only connect to the network through a VPN or may be used in places where there is no network access at all such as airplanes) and the only thing the users have to do is to log in just like they normally do. Mobile devices like Blackberries and Windows Mobile devices also have options for encryption that IT can enable. Even email can be encrypted without the users doing anything special using modern versions of Exchange (at least from what I read with Google)

  27. Re:A lot of organisations just are not that import by grahamlee · · Score: 1

    How about Agnes Cleaners' contact database, containing all their customer records?

  28. Re:As a road warrior I should be using encryption. by Anonymous Coward · · Score: 2, Insightful

    I also use a laptop often. However, I use TrueCrypt or BitLocker on Windows, and PGP WDE on my Mac. Why? Because if my laptop was stolen, I'd rather have it be "just" a hardware theft that I can get a police report, file a claim on my insurance, and replace my hardware. Without encryption, I would have not just a hardware theft, but a possible theft of:

    * License keys to the OS and apps. A volume license key for a popular app is a boon for pirates.

    * Personal Documents on the hard disk which can be used for ID theft, or used in combination with burglars to make finely targeted violent crime.

    * Work documents. You would be surprised who has extremely company confidential material on personal machines because they need it for a remote presentation to a client. It could be something as simple as a roadmap of unreleased products that a prospective customer wants, but in the hands of competition, it would mean a major competitive loss.

    * Passwords stored in a password manager, either the Web browser or another utility. I use different passwords for every Web site I go to, so if one site does get compromised, it won't mean anything else does.

    * Cached files. You can glean a lot of information even from deleted files about someone, the people they associate with, their job, and such.

    * Identity. How many people put their Quicken files on a protected disk image or TrueCrypt partition, and make sure to unmount it when done balancing the checkbook?

    * VPN settings. Even if someone doesn't know my VPN password, they will have account information, IP, and port number, and from this, they could try at the very minimum a brute force attack which either will work, or will have the account get denied. This would look very bad as an employee.

    * Identity in another sense. A criminal can take a laptop and then masquerade as another individual to give the police someone to target and arrest.

    On the road, I also take measures to contain data loss. I have a custom U3 USB flash drive that has a BartPE image on the CD part. I then have another USB flash drive with two TrueCrypt volumes on it. The first holds an OS image that I made before going on the trip. The second TC volume holds backup copies of my documents. Finally, I use a cloud computing backup service (using a keyfile so the documents leave my machine encrypted), so I am assured of fairly recent backups automatically. For maximum security, I keep a smart card on my keyring which can be used with PGP or TrueCrypt to ensure that if I have the smart card with me, no attacker is going to be able to mount those volumes.

    USB flash drives are small, easily encrypted if you use known good software like TrueCrypt, Apple's Disk Image utility, LUKS, or EncFS, and easy to put in some sort of case (even a Ziplock bag) so they don't get lost in a laptop case.

  29. No, it won't by hwyhobo · · Score: 1

    a hardware failure will break an unencrypted drive just as badly.

    I have found myself in a situation where my laptop was field-unrecoverable. Yet, since I carry a fairly common model of a Thinkpad, I was able to borrow one from the site I was visiting, and a simple drive swap solved the problem.

    --
    End anonymous moderation and posting on /.
    1. Re:No, it won't by Bert64 · · Score: 1

      Encryption won't hinder a drive swap, your drive will boot on the new machine and request its password just like it did on your original machine.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  30. Small vs. large businesses by aclarke · · Score: 1

    As someone else pointed out, as you move up in the size of business, you're more likely to encounter encryption and more stringent security policies. There are definitely many exceptions though on both ends of the spectrum.

    I'm also a consultant, and personally all the user information on my laptop is encrypted. I don't want to ever have to explain to a client that my laptop was stolen with any of their sensitive data available on it.

    1. Re:Small vs. large businesses by networkBoy · · Score: 1

      yes.
      I have systems at home that are personal systems. I do not encrypt those. You want my MP3 collection? fine have it. On my dev machine (and its backups, USB keys etc.) I run truecrypt. I use the bootable crypt filesystem etc. The reason for this is that I do consulting work. I do not want to let some of this stuff out for any reason.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  31. Re:A lot of organisations just are not that import by dltaylor · · Score: 1

    Does Agnes Cleaners work for anyone with a medical condition that requires a cleaning support staff? That service may even be paid for in whole or part by a public (Medicare) or private health insurer.

    HIPAA!

  32. Ah ah, what about the emails?! by etenil · · Score: 1

    Companies massively use emails, even for very sensitive business information. While I was still sysadmin, I was amazed to see all this mass of unencrypted and even unsigned emails passing through! I did try to make people sensitive to the issue (I wasn't in charge of the outsourced mail part), but only making the white collar people understand the advantages of using something like PGP was a hell... Encrypting stuff on the hard drive is all very nice, but as long as their emails will be transiting in clear form, I'm pretty sure no one will even bother trying to get into their hard drive...

    --
    mono = evil
    1. Re:Ah ah, what about the emails?! by Radtoo · · Score: 1

      I myself doubt that wiretapping (even without encryption) is a desirable approach to get at data, as opposed to stealing computer drives. With the drives you get everything that has not been mailed yet as well as everything from years back, all in one go. Most evil doers would not only be interested in current correspondence, no?

      It is also an issue of practicality. Drive encryption is very easy and unobtrusive to deploy and manage. The basic variant uses just the same password in the same login screen.

      As opposed to that, key management, and other basic usage concerns on PGP or similar are not easy. Average Joe needs to know way too much about how these things work, and IT Staff / Power users don't get enough flexibility. Your white collar people may have spared you a LOT of annoyances while you still were sysadmin, in fact.

  33. This is why China is beating America hands down by Colin+Smith · · Score: 1

    I would go even further - What is the mathematical probability of someone stealing my [laptop] AND be interested enough in the data on the disk to bother trying to get access to it.

    Two words you might want to consider...

    "industrial" and "espionage"

    Software installed and versions for further hacking attempts on the rest of the infrastructure.
    Sales, marketing, pricing information. Release timing information.
    Source code in products.

    You name it.

    The information is almost certainly far more valuable than the hardware, to the right people.


    --
    Deleted
    1. Re:This is why China is beating America hands down by Anonymous Coward · · Score: 0

      I'll add two more words to the discussion...

      "risk" and "management"

      We spend FAR too much on protecting things that have little value. We pay an army of recycled accountants (who now get paid more as "auditors") to point out all kinds of "risk". Most of this stuff is high-impact stuff with astronomically low probability of happening. Similar to the odds of a terrorist walking into the CEO's office with a nuclear weapon. The "solution" is to put a full body scanner in front of the receptionist's desk. So now we spend a million dollars to [ineffectively] mitigate this "risk" and then waste countless hours as hundreds of employees queue up in front of the scanner every morning. A great deal, if you are the auditor, even better if you sell the scanners. Best of all, there will be some other "risk" to be identified next year to keep the ball rolling. After all, the dumpster is close to the executive parking area, and nobody has done background checks on the garbage truck crew! OMG!

      We have built an entire industry of "risk management" that knows how to crank up the paranoia in pursuit of a paycheck. Does anybody think the Y2K industry simply folded up the tent and went home ten years ago? What were the real threats compared to the industry's recommendations? Where are they now? Risk management pays really well. In fact, the people who prevent the delivery of services make far more than the people who provide them.

      Some of the most "risk averse" organizations on the planet are still running IE6. Gotta keep those XP patches and McCrappy anti-virus up to date! The next infection is only a click away. How dumb is that?

      I always thought outsourcing IT was stupid. It has taken many years, but I finally found an indisputable advantage: The outsourcers are magically exempt from a lot of corporate foolishness. We might do all kinds of things to cripple our own employees, but we can bring in an independent contractor and let him put all our secret stuff on his private MacBook. He proceeds to work unimpeded by corporate policy; that's his value add.

      We have met the enemy and they are us.

    2. Re:This is why China is beating America hands down by tomtomtom · · Score: 1

      Hmm. The thing is, in almost all industries where the incentives are sufficient for industrial espionage to be a credible threat, forms of collusion or cartels are almost certainly a greater threat leading to the same outcome.

      If you have medical records, state secrets or financial information, then OF COURSE you should be taking these sorts of precautions (and not storing this data on laptops is the first precaution you take). Common thieves stealing bank or credit card details is a credible threat. Journalists paying for the medical records of politically sensitive individuals is a credible threat.

      But your competitors paying to steal information on what pricing discounts you offer to your biggest customers? Or where your biggest orders came from? If the customer doesn't tell your competitors directly, you can be 100% certain that the two companies' respective sales forces will chat about it amongst themselves. Same for release timing information.

      To use an analogy: People are the "analogue hole" to these sorts of measures' "DRM".

  34. Re:As a road warrior I should be using encryption. by aclarke · · Score: 2, Interesting

    If you have sensitive customer data on your computer, by law you may be required to notify those customers if the data is lost. Or, you may decide that morally it is the right thing to do. Therefore, you also have to balance the potential bad press your company's announcement will generate based on you losing your laptop, whether or not you know that the people who stole it are going to access the data.

    Risk management is more than just the likelihood of your laptop being stolen and your data being accessed by criminals. It's about the significance of each risk as well. Given that for many people, having a laptop stolen and having to disclose that fact is a huge negative, having encryption can mitigate or eliminate that risk.

  35. Re:Use systems that users dont need to think about by Spazmania · · Score: 1, Troll

    With the right software, it is possible to protect the fixed disks of all PCs in the enterprise

    Unless of course you actually want to use your computer. Then you discover how painfully slow it is. How it happily encrypts your USB drive too, rendering it useless. You take a PowerPoint presentation with you and look like a fool in front of your customers because it's encrypted and they can't display it on the projector from your thumb drive.

    Seriously, the windows software-based hard disk encryption solutions right now are total POS.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  36. Re:As a road warrior I should be using encryption. by Radtoo · · Score: 2, Informative

    but what happens when the decryption mechanism or the OS crashes? [...]

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

    (1) As long as it is unencrypted, you can still recover it relatively easily.

    Well, I'm not sure what encryption solution you might have tried. I for one have been using first TrueCrypt and then LUKS on a laptop. It traveled far and its hard disk drive already had to be replaced twice. There never were any particular pains with encryption.

    First and most important of all, backups and encryption do not interfere. So you obviously DO back up such a laptop that may get stolen, lost, or break completely. Certainly, if you use encryption, you want to have the software needed to decrypt an encrypted partition on your backup or a live DVD, but that's nothing that's hard to get.

    Even filewise recovery and forensics is possible on an encrypted partition, too - as long as you have the master encryption header (or similar) backed up, there's little chance for additional problems introduced by having encryption in case of a recovery.

  37. Re:A lot of organisations just are not that import by TheLink · · Score: 1

    Who really cares about contact databases? They're just a bunch of public info - stuff in business cards. Unless Agnes Cleaners is a CIA front company it'll be no big deal.

    It's likely that their customers already list themselves on the "Agnes Cleaners Facebook fan page" and post stuff like "hey I'm going to Florida, but I've changed the locks - stupid lock broke, so you can find the key under the doormat".

    Most people don't care about secrecy. And in most cases it doesn't matter, because fortunately most people don't pick a _petty_crook_ career (the smart amoral/evil people pick careers which allow them to _legally_ take lots of money from stupid people).

    If the contact databases got destroyed or became inaccessible it could affect their business. Agnes Cleaners might care about that. But they don't need crypto for that - just decent backups.

    --
  38. CheckPoint... by bomek · · Score: 1

    If all encryption software are like those from checkpoint, i understand those numbers...

  39. Re:Use systems that users dont need to think about by jonwil · · Score: 1

    Does BitLocker have the limitations you refer to?

  40. Re:A lot of organisations just are not that import by frinkacheese · · Score: 1

    Good point, Sheila's Cleaners may get their contact database and steal all their business. This is why we should all hire an "Independent Mac and iPhone contractor, specialising in security issues." to make sure that we don't get pwned like this.

    Now I have tried Sheila's cleaners and they are just not as good. For one, they didn't clean the table under the tablecloth and then they didn't iron my boxers.

  41. Re:Use systems that users dont need to think about by omglolbah · · Score: 1

    Bitlocker is as far as I can tell not available for windows XP which makes it unavailable to most corporate users.

    With the slow speed of migration from windows xp bitlocker is hardly something available to most.

  42. Small office setup by freedumb2000 · · Score: 1

    I have no idea if this is at all a best-practice (most likely not), but I still feel like sharing how encryption is used in our 2-person office.

    I set up disk encryption (with dm-crypt) for the Linux server data drives and their backup drives only. The (Windows) desktop clients are dumb machines in the sense that no data is stored locally, except installed applications. All work is done on files on the server directly.

    My main worry is that someone walks away with the server machine and/or the backup drives and has access to all company relevant data of the past 20 years.

    The server is unlocked with a keyfile stored on a USB flash drive, which is stored in a safe. The only time it is needed is when the server gets rebooted (practically never). The keyfiles for the external backup drives are stored on the local encrypted server partition. They get read every time the backup drives are switched and mounted. All drives additionally share a common master keyphrase, in case the USB flash drive dies.

    I am aware that this scheme has its holes, unencrypted temporary data on the Windows host being the most obvious. What worries me most though is unencrypted e-mail transfer and no tamper-safe document formats. PDF would be great as a common all-purpose distributable document format, but its protection is a joke. I'll be happy to hear comments on how to improve my setup, but keep in mind we are a small shop and won't be investing in dedicated appliances or anything of that nature.

    1. Re:Small office setup by adosch · · Score: 1

      I have no idea if this is at all a best-practice (most likely not), but I still feel like sharing how encryption is used in our 2-person office.

      2-person office, *NOT* an IT organization. Of course doing that is going to work for you because you only have one other person besides yourself to get on board, get up-to-speed, get their stuff together, and know what they are doing. Not an entire team, organization, department, etc. comprised of hundreds and hundreds of people. Apples to oranges IMHO.

      My main worry is that someone walks away with the server machine and/or the backup drives and has access to all company relevant data of the past 20 years.

      The server is unlocked with a keyfile stored on a USB flash drive, which is stored in a safe. The only time it is needed is when the server gets rebooted (practically never). The keyfiles for the external backup drives are stored on the local encrypted server partition. They get read every time the backup drives are switched and mounted. All drives additionally share a common master keyphrase, in case the USB flash drive dies.

      ...so you have this grand plan in place for all this implemented server-side encryption, but there's a high potential for someone to physically walk out the door with your server? Are we still talking about security here? Sounds like you've clearly adopted the "obscurity" method.

  43. Re:That's what happens when using Windows. by timmarhy · · Score: 1

    RDP supports 128bit encryption. you fail.

    --
    If you mod me down, I will become more powerful than you can imagine....
  44. No corporate data on my computer by gnasher719 · · Score: 1

    Seriously, what makes you think there would be any corporate data on my home computer when I work from home? Allowing anything like that is just insane. No sane organisation would ever allow that. (Obviously the UK government is no sane organisation by that definition).

  45. Re:Use systems that users dont need to think about by lukas84 · · Score: 1

    While Bitlocker certainly slows down my laptop a bit (I did benchmarks, about 10%), I can't complain about it being slow.

    ThinkPad W500, 4GB RAM, Windows 7 Enterprise x64, OCZ Vertex 120GB with TRIM Firmware.

    Our end users mostly have ThinkPads T500, 4GB RAM, Windows 7 Enterprise x64 with the normal 7200 RPM hard drives. They also don't complain that their laptop is slow.

    For USB sticks, we do not mandate them to be encrypted. This, of course, shifts all the blame in case of data loss to the end user. Which is fine by me.

  46. While everyone is arguing over drive encryption... by barzok · · Score: 2, Informative

    thousands of businesses are using plain FTP and email to throw unencrypted files around to & from other companies daily.

  47. Re:That's what happens when using Windows. by lukas84 · · Score: 1

    In fact, RDP since Windows XP/2003 can use SSL/TLS, but I believe it defaults to a 56bit RC5 cipher without configuration and/or group policies in effect.

    SSL/TLS was made the default with WS08/Vista.

  48. And how many of that 27% are using it effectively? by Chris+Mattern · · Score: 1

    I've seen disk encryption set ups where you never have to supply an outside key or password to start up the computer--it's all self contained. Meaning that all the information necessary for decryption is being kept on the disk. Yeah, that's secure.

  49. Re:As a road warrior I should be using encryption. by Orlando · · Score: 1

    I'm not exactly sure I'd call "throw a Linux Live disk" or "unscrew the HDD compartment, remove the disk and hook it up to a desktop" things that require much time or very much knowledge.

    You wouldn't call it much knowledge, but you're reading Slashdot, right? The vast majority of laptop thieves wouldn't know or care how to do this.

    --
    -= This is a self-referential sig =-
  50. Re:And how many of that 27% are using it effective by lukas84 · · Score: 1

    No, it's kept in the TPM.

    While this isn't perfect, such a scheme will prevent anyone except targeted industrial espionage from accessing the information. If you're a small company with no special IP, this is a good-enough approach that keeps support costs low.

  51. Up to... by imakemusic · · Score: 1

    The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users.

    And my left arm is made of up to 75% cheese.

    Is it just me, or is that line a little misleading?

    --
    Brain surgery - it's not rocket science!
  52. Why not leave the hard disk in the datacenter? by An+dochasac · · Score: 1

    The amount of data in typical business documents and email now vastly exceeds the amount of data you need to push out to a thin client to provide a good user experience. Why not leave the hard drive and all of the data they contain in your home office and only take home the keyboard and screen to display it with (which DOES use an encrypted channel back to the data center). That's what my company does and if a Sun Ray thin client or Gobi laptop ever goes missing, so be it, pull another one off the shelf and keep typing where you left off.

    1. Re:Why not leave the hard disk in the datacenter? by langelgjm · · Score: 1

      I like this quote from your link:

      "And, because a Sun Ray Client doesn't contain a disk drive or any means of persistent data storage, it's an unattractive target for theft."

      And how do they think the average thief is going to know that it doesn't contain a disk drive? Probably be better off spray-painting it hot pink, that might make it an unattractive target.

      --
      "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    2. Re:Why not leave the hard disk in the datacenter? by An+dochasac · · Score: 1

      "And, because a Sun Ray Client doesn't contain a disk drive or any means of persistent data storage, it's an unattractive target for theft."

      And how do they think the average thief is going to know that it doesn't contain a disk drive? Probably be better off spray-painting it hot pink, that might make it an unattractive target.

      Yes, unfortunately the Sun Ray Client laptops I've used have a similar form factor and weight to fat client laptops. A Sun Ray 2 doesn't look much like a PC, though it does look like a Wii which might make it a target for thieves. Either we need a dumb thief "How to tell if you're stealing a PC?" education program or we need to accept that there will be thieves and make sure they only get away with the hardware, not the data or software.

  53. Re:As a road warrior I should be using encryption. by Anonymous Coward · · Score: 1, Interesting

    So, your data is so important that you cannot deal with losing access to it, but not so important that you won't encrypt it.

    You must be in sales. Why are you reading slashdot?

  54. And thats the difference by Anonymous Coward · · Score: 0

    "in the consulting space"

    Sorry, I didnt read anything after that.

  55. Re:As a road warrior I should be using encryption. by Hognoxious · · Score: 1

    The vast majority of laptop thieves wouldn't know or care how to do this.

    But they might know a fence who does.

    There's always the possibility (remote, but not zero) of someone "stealing to order" if they're targeting a specific organization.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  56. Encryption by Ivan+Stepaniuk · · Score: 1

    Ncvxm fmnwo octef gaiwv gwrsl s

    --
    My other signature is a car
  57. Re:Use systems that users dont need to think about by Anonymous Coward · · Score: 0

    Wow, glad to see you've actually used it before making up stuff about it. We use BitLocker on all of our corporate machines (where legal - we still have a couple of countries where we can't legally turn it on yet). It doesn't actually encrypt USB drives the way you say. The Vista version can't encrypt thumb drives (although it can encrypt spinning disk removable drives - you just have to force it to as it won't do it automatically). The Windows 7 version will encrypt thumb drives if you tell it to or if your policy requires it. There is also a reader app right on the key to get access to the files from Windows XP and up. So the drive isn't useless. Now, before you say "I can't read the power point on my customer's Linux machine" - how is that Microsoft's fault? You encrypted it, you hopefully knew the software requirements of the reader.

    As another said below - it isn't slow either. It's right in the ballpark for competing solutions and typically comes in at about 5% to 10% (10% is on disks spinning at 5,400 RPM on older notebooks - we spec'ed all of our notebooks with 7,200 RPM drives and you don't get a 10% hit with those).

  58. Re:Use systems that users dont need to think about by cbhacking · · Score: 1

    No, it doesn't, he's either an idiot or a troll.

    BitLocker's encrypt/decrypt delay is almost entirely hidden in disk latency. The CPU can do encryption far faster than the disk can do I/O, so unless another program was heavily leaning on the CPU while you're accessing the disk, you won't even notice the slowdown.

    BitLocker in Windows 7 or Server 2008 R2 supports encryption of removable drives, but doesn't make it mandatory and certainly doesn't do it automatically. You (IT) *can* make it mandatory using Group Policy, but even then you don't have to use the encryption - un-encrypted volumes are simply mounted read-only, so you're not going to be encrypting your client's presentation by accident just because you plug it into your computer. However, one of the coolest tricks is BitLocker To Go, where when a removable drive is encrypted, BitLocker creates a small second partition on the device that is *not* encrypted, and stores there a Windows binary capable of decrypting the drive (on versions of Windows that don't support BitLocker). Obviously you need a key, which depending on how the drive was encrypted in the first place might require that the computer be currently connected to a domain (or it might require a password, or smart card, or any of a number of other things).

    In any case, accidentally encrypting a flashdrive requires such a phenomenal degree of stupidity that I'd be amazed such a person could plug a flashdrive in correctly. A lot of people don't even see it since it's only available on higher-end editions of Windows, but BitLocker in Win7 is extremely user-friendly and the interface is not at all ambiguous.

    --
    There's no place I could be, since I've found Serenity...
  59. Re:Use systems that users dont need to think about by cbhacking · · Score: 1

    This is true, although many businesses are upgrading to Win7 and some already upgraded to Vista, both of which support BitLocker (7 moreso than Vista). What's more, a laptop that is intended to carry sensitive data and leave the premises may well have a higher edition of Windows installed specifically to enable BitLocker, even if it also then needs a virtual XP install in order to access some horribly legacy IE6-only ActiveX corporate intranet site.

    --
    There's no place I could be, since I've found Serenity...
  60. Precisely by Anonymous Coward · · Score: 0

    California (and possibly other jurisdictions) have burdensome disclosure and remediation requirements when unencrypted data is lost. If the data is encrypted, most of these regulations have exemptions that assume nobody can break the encryption. This will be fine, until somebody Googles Joanna Rutkowska "evil maid".

    I work for an employer who has nearly nothing sensitive on anyone's PC, but we encrypt hard drives anyway. We take advantage of the disclosure loopholes, cheerfully ignoring the possibility of USB sticks. I honestly think the whole thing is an attempt to stop somebody from booting a Linux livecd and gutting Windows security entirely.

  61. Re:Use systems that users dont need to think about by lorenlal · · Score: 1

    I work in a place where we have to encrypt anything that leaves the front door. We used a third-party encryption tool which I won't name. There was a noticeable slowdown after performing the encryption on our laptop drives, and the interface to encrypt removable media was painful... But it did work for XP.

    Now that we've got some work done on the Windows 7 front, BitLocker makes much less of an impact performance wise... I assumed that it was because the TPM was involved because I didn't even notice the 5% hit that's being reported here. There is one thing to worry about:

    If your users know what they're doing, and they have administrative permissions, policies are only a registry key away from being broken. Make sure you're keeping an eye on their "compliance."
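    As an added example that is not from this thread, the following PowerShell script is one way to do the compliance check the post above asks for: it parses `manage-bde -status` for the volume's real protection state and compares the removable-drive policy value in the registry against what Group Policy should have set. It assumes English-locale `manage-bde` output and the `RDVDenyWriteAccess` value under the BitLocker policy key; both are my assumptions, not details from the post.

```powershell
# Added example: audit BitLocker state on a Windows 7 / Server 2008 R2 host.
# Assumes English-locale output of manage-bde.exe (the field labels below are
# matched as text) and that removable-drive policy is enforced through the
# RDVDenyWriteAccess value under the BitLocker policy key (assumed value name).
# Run from an elevated PowerShell prompt.

$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValueName = 'RDVDenyWriteAccess'   # assumed; adjust to the policy you enforce

function Get-BitLockerStatusReport {
    param([string]$Volume = 'C:')

    $raw = & manage-bde.exe -status $Volume 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde failed for $Volume : $raw"
    }

    # The two fields that decide whether data at rest is actually protected.
    $conversion = if ($raw -match 'Conversion Status:\s+(.+)') { $Matches[1].Trim() } else { 'unknown' }
    $protection = if ($raw -match 'Protection Status:\s+(.+)') { $Matches[1].Trim() } else { 'unknown' }

    # Key protectors are listed one per line after the "Key Protectors:" label,
    # up to the next blank line.
    $protectors = @()
    $inList = $false
    foreach ($line in ($raw -split "`r?`n")) {
        if ($line -match '^\s*Key Protectors:') { $inList = $true; continue }
        if ($inList) {
            if ($line.Trim() -eq '') { break }
            $protectors += $line.Trim()
        }
    }

    [pscustomobject]@{
        Volume           = $Volume
        ConversionStatus = $conversion
        ProtectionStatus = $protection
        KeyProtectors    = $protectors
        # "Fully Encrypted" with "Protection On" is the only compliant combination;
        # a suspended or partially converted volume still holds cleartext on disk.
        Compliant        = ($conversion -eq 'Fully Encrypted' -and $protection -eq 'Protection On')
        # TPM-only protection (no PIN or startup key) is the case the thread argues
        # about: the drive unlocks with no secret supplied from outside the machine.
        TpmOnly          = ($protectors.Count -eq 1 -and $protectors[0] -eq 'TPM')
    }
}

function Test-BitLockerPolicyIntact {
    param([int]$ExpectedValue = 1)
    # A local admin can edit the policy key directly, so compare the live value
    # with what Group Policy is supposed to have set instead of trusting a GPO report.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$PolicyValueName -eq $ExpectedValue)
}

$report = Get-BitLockerStatusReport -Volume 'C:'
$report | Format-List
if (-not $report.Compliant) { Write-Warning "$($report.Volume) is not fully protected" }
if ($report.TpmOnly)        { Write-Warning "TPM-only protector: no second factor at boot" }
if (-not (Test-BitLockerPolicyIntact)) { Write-Warning "Removable-drive policy value missing or changed" }
```

    Scheduling this on each laptop and shipping the warnings to a central log turns the "keep an eye on compliance" advice into something that is checked rather than assumed.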

  62. Same Problem by TheNinjaroach · · Score: 1

    that kind of information should never be carried on one's laptop, period.

    I completely agree with you, which is why I think this article is bunk. It shouldn't matter if your company uses encryption on laptops or not, because if your data is too valuable to lose then it's too valuable to be stored on a laptop.

    VPN -> Citrix -> Data.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  63. Re:As a road warrior I should be using encryption. by bill_mcgonigle · · Score: 1

    but what happens when the decryption mechanism or the OS crashes?

    It sounds like you haven't tried it and don't really understand the mechanisms (understandable).

    The answer is you carry a rescue disc/USB, same as always if you want to be able to deal with eventualities on the road. /boot needs to be unencrypted anyway, so you can keep a rescue kit there as well.

    I don't think I've ever heard of anybody losing their data because LUKS failed. The filesystems you put on top of the encryption layer, sure, they're as fragile or stable as ever, but the encryption is transparent to them. Layers are useful sometimes.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  64. Re:As a road warrior I should be using encryption. by Anonymous Coward · · Score: 0

    I have had a bad experience with encryption software - safeboot.
    One of my users' laptops had a corrupted windows system file that prevented windows from booting up. I tried to recover using the windows xp recovery CD but the recovery console cannot recognise the hard disk because it is encrypted. I tried to use the safeboot recovery CD but after getting past the safeboot login screen, the system froze because the windows system file is corrupted.
    The only solution is to reformat the hard disk.
    Personally, I feel that encrypting the folder that contains the confidential data is OK. However, encrypting the whole hard disk is a stupid idea.
    Just as the more people know a secret, the more chance there is that the secret will leak, there shouldn't be any backup copies of confidential data because the risk of information leak increases when the number of copies increases.

  65. What about support and performance issues? by cbope · · Score: 1

    I work in a medium sized technology company. A couple of years back, the company decided to implement whole disk encryption in all laptops for people who travel. The encryption key was stored in the BIOS on the Dell Latitudes we used. Looking back, it was a pretty big disaster on several points:

    1. Many people lost work stored on their laptops when the disk became unreadable because the encryption could not be "unlocked", probably because a bit got flipped in a sensitive area of the disk. Of course they should have had backups, but the disk had not failed; it was rendered unreadable by the encryption itself not because the disk itself was trashed or damaged. In several cases the persons were traveling when this happened and they were left without a working laptop until they returned home.

    2. Most of the laptops were equipped with small, fairly slow hard drives and modest single-core CPUs. Encrypting/decrypting all data to/from the hard disk just added overhead and the machines were even slower than before the encryption was installed. Of course, faster drives and CPUs could have been used but like everything in the modern IT world they were bought "on a limited budget".

    3. As I remember, there was no way to easily recover data if the laptop itself failed and the drive was installed into a different laptop, because the encryption key to unlock the encryption was in the BIOS of the dead laptop. Maybe there was a proper recovery solution but at least our IT department didn't know how to do it. Several people lost weeks or months worth of data due to this.

    I was one of the lucky ones as a pilot user for workstation-class laptops, and mine was delivered before they started encrypting the laptops. Every time IT asked for the laptop to install the encryption software, I told them I was too busy to surrender the laptop for several hours. In the end, I never got it installed. In the meantime as laptops have been replaced more recently, they are not encrypted. I have a USB hard drive with a TrueCrypt folder on it for sensitive documents/files that I carry with me always. If for some reason I can't access my TrueCrypt folder, then at least I still have my laptop for email/web/vpn and I can continue with basic work. I travel a lot and if I were to lose use of my laptop during a business trip it would be a disaster.

    1. Re:What about support and performance issues? by TomXP411 · · Score: 1

      I just installed TC last week so I could encrypt my USB hard drives. (I discovered TC from another article here on /.) I like TrueCrypt, because it solves the major problems people are using as excuses not to encrypt their systems: I can use a keyfile combined with a passphrase as my encryption key. Since the keyfile can be ANYTHING, I could easily set up some random MP3 or image file available on some web site, or I could store the keyfile on my Dropbox or Google Docs account. Furthermore, TC is simple enough to install, and I can even store it on the same physical drive as the encrypted data - thanks to the way TC manages file stores. I do have a genuine need for encryption, and my company requires it for mobile users. When travelling with a setup like this, I could back up my entire laptop drive to an encrypted external USB drive using VMWare converter. I could pack the backup drive in my luggage, and even if my laptop got stolen at the airport or was damaged during the trip, I have my entire system on a virtual machine, ready to go! I just install VMWare Player and TrueCrypt on another machine and plug in the drive. No muss, no fuss. Incidentally, my long-term goal is to work 100% inside of virtual machines, only using the host system to run the hypervisor... that should solve my security and portability issues.

  66. encryption is worthless by Anonymous Coward · · Score: 0

    What's the cost in losses from lost data that resides on lost disks? It's not as if the threat agent that steals the laptop from the backseat of my car is going around looking for data. I'm thinking they're going to sell that shit and buy some crack. They certainly aren't going to sit around and sift through looking for data regarding Mergers and Acquisitions for Fortune 50 companies, and even if they did, how the hell is a thieving underachiever going to turn that into crack? I bet the losses from lost data (that would be protected through encryption) aren't even close to the losses from key management, password resets, accidental encryption and the cost of the software itself.

  67. Of those 27% by TejWC · · Score: 3, Insightful

    I wonder what percent of them wrote their password on a post-it note attached to their laptop.

    1. Re:Of those 27% by bschorr · · Score: 1

      That would probably be the percentage who mistakenly think that randomness is more important than length when it comes to passwords.

      I see orgs all the time who think that "X7Y^i!6" is an awesome password. They force their users to create passwords they can never remember, despite the fact that they're only 6 or 7 characters long.

      In fact they're far better off using pass PHRASES that the user can remember and are longer, and setting an intelligent account lockout policy. The phrases don't need to be written down on a post-it and they're more secure anyhow.

      --
      -B-
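      To put numbers on the length-versus-randomness point above, here is an added example (it is not from the thread or any commenter) that computes the guessing entropy of a 7-character random password against a 5-word passphrase, and shows why an account lockout policy closes the online guessing attack while only length helps against an offline attack on a stolen disk. The 94-symbol alphabet, the 7776-word list, the lockout of 10 attempts per 15 minutes and the 10^9 offline guesses per second are constructed assumptions, not figures from the thread.

```python
import math

# Constructed assumptions for the comparison (not figures from the thread):
PRINTABLE_ASCII = 94            # symbols a "random" password is drawn from
DICEWARE_WORDS = 7776           # size of a diceware-style word list
OFFLINE_GUESSES_PER_SEC = 1e9   # attacker holding the stolen disk, no lockout
LOCKOUT_ATTEMPTS = 10           # lockout policy: attempts allowed ...
LOCKOUT_WINDOW_MIN = 15         # ... per window before the account locks


def random_password_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet)


def passphrase_bits(words, wordlist=DICEWARE_WORDS):
    """Entropy in bits of a passphrase of `words` words picked uniformly from the list."""
    return words * math.log2(wordlist)


def offline_worst_case_seconds(bits, rate=OFFLINE_GUESSES_PER_SEC):
    """Seconds to exhaust the whole space offline (the average cost is half this)."""
    return 2 ** bits / rate


def online_worst_case_days(bits, attempts=LOCKOUT_ATTEMPTS, window_min=LOCKOUT_WINDOW_MIN):
    """Days to exhaust the space through the login prompt under the lockout policy."""
    guesses_per_day = attempts * (24 * 60 / window_min)
    return 2 ** bits / guesses_per_day


def compare(password_len=7, phrase_words=5):
    """Side-by-side numbers for a short random password and a longer passphrase."""
    rows = []
    for label, bits in (("random %d-char" % password_len, random_password_bits(password_len)),
                        ("%d-word phrase" % phrase_words, passphrase_bits(phrase_words))):
        rows.append({
            "label": label,
            "bits": bits,
            "offline_hours": offline_worst_case_seconds(bits) / 3600,
            "online_years": online_worst_case_days(bits) / 365,
        })
    return rows


if __name__ == "__main__":
    for r in compare():
        print("%-15s %5.1f bits  offline: %.3g h  online with lockout: %.3g years"
              % (r["label"], r["bits"], r["offline_hours"], r["online_years"]))
```

      Under these assumptions the 7-character password has about 46 bits and falls to an offline search in under a day, while the 5-word phrase has about 65 bits and holds for centuries; through the login prompt, the lockout policy alone pushes even the short password past any practical timescale, which is why the policy can be relaxed on complexity and tightened on length.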
  68. Re:As a road warrior I should be using encryption. by Anonymous Coward · · Score: 0

    Why? You storing sensitive information on a laptop? That's just retarded. You should know better having worked for a credit card processing company IT department. (aka desktop support since obviously you aren't security minded)

  69. We use it, and it sucks by onyx00 · · Score: 3, Informative

    I work at a Fortune 100 company and we recently (1 year ago) deployed disk encryption to all laptops. It sucks honestly. You can't do image backups anymore, not to mention backups are questionable because you don't always know how the backup is being done (low level copy, file copy, etc.). Furthermore, it SLOWS compiles, etc. way way down. When you are hitting the disk a ton to compile, the encryption takes a huge toll. And finally, if something goes wrong on the disk, well your data is at the hands of an IT guy they hired last week. Even worse, they won't give IT-contractors the keys to fix encryption issues, so only a limited staff can deal with disk encryption issues encountered.

  70. SMTP and STARTTLS by Anonymous Coward · · Score: 1

    thousands of businesses are using plain FTP and email to throw unencrypted files around to & from other companies daily.

    I'd be curious to see the results of a survey to see how many SMTP servers are advertising STARTTLS.

    $WORK uses MessageLabs for spam filtering et al. and their servers advertise STARTTLS; then our corporate relays also advertise it, so all mail for $WORK is "safe" for a good portion of its travel over the public Internet.

    Sadly none of the 'big three' e-mail providers advertise STARTTLS on their MX hosts: Gmail, Hotmail, Yahoo.com.
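    A way to actually run the survey the poster wishes for, as an added example that is not part of the thread: the EHLO reply parser is exercised offline on two constructed replies (the hostnames in them are made up), and probe_mx() does the live check with Python's smtplib against a host you supply. Advertising STARTTLS only means that hop can be opportunistically encrypted; nothing here verifies the server certificate, and a relay that fails to negotiate TLS normally falls back to clear text.

```python
import smtplib
from typing import Dict, Optional

# Constructed sample EHLO replies (RFC 5321 section 4.1.1.1 format); the
# hostnames are invented for this example.
SAMPLE_WITH_STARTTLS = (
    "250-relay.example.net Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME"
)
SAMPLE_WITHOUT_STARTTLS = (
    "250-mx.example.org\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME"
)


def parse_ehlo_reply(reply: str) -> Dict[str, str]:
    """Parse a multi-line EHLO reply into {EXTENSION_KEYWORD: parameters}.

    Every line but the last is '250-<text>', the last is '250 <text>'. The
    first line carries the server's greeting, not an extension, so it is skipped.
    """
    extensions: Dict[str, str] = {}
    for index, line in enumerate(reply.splitlines()):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("unexpected EHLO reply line: %r" % line)
        if index == 0:
            continue  # greeting line, e.g. "250-relay.example.net Hello client"
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_reply(reply)


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> Optional[bool]:
    """Live check of one MX host: connect, EHLO, report whether STARTTLS is offered.

    Returns True/False, or None if the host could not be reached or did not
    speak SMTP. Uses smtplib's own EHLO handling; no message is sent.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as server:
            server.ehlo("starttls-survey.example")   # assumed client hostname
            return server.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None


if __name__ == "__main__":
    for name, sample in (("with", SAMPLE_WITH_STARTTLS), ("without", SAMPLE_WITHOUT_STARTTLS)):
        print("sample %-8s -> STARTTLS advertised: %s" % (name, advertises_starttls(sample)))
    # For a real survey, loop probe_mx() over the MX hosts of each domain you care about.
```

    When used as a survey tool, run the probe from a host whose outbound port 25 is not filtered, and treat None results as "unknown" rather than "no STARTTLS".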

    1. Re:SMTP and STARTTLS by muckracer · · Score: 1

      > I'd be curious to see the results of a survey to see how many SMTP
      > servers are advertising STARTTLS.

      I'd be curious to see how many mail user clients are advertising
      STARTPGP...
      Does even one Linux distro support PGP/GPG out-of-the-box in a way,
      that's basically akin to opportunistic encryption or at least makes
      setting up key pairs a normal step in the regular e-mail setup that
      every user has to do anyway?

  71. Re:As a road warrior I should be using encryption. by Orlando · · Score: 1

    There's always the possibility..

    Indeed, see my previous post. It then comes down to probability that the laptop is stolen compared to the hassle of encrypting the drive. And in most cases, it is not worth the hassle.

    --
    -= This is a self-referential sig =-
  72. 27%? In the land of Fairy Town maybe... by DarthVain · · Score: 1

    27% might actually use encryption someplace. Probably it is more like 1% that use encryption properly.

    I don't know how many times I will see a laptop sitting on a desk, all encrypted up, all tight and secure and shit, and happily backing up to an external unencrypted hard drive each night that is sitting right next to it on the desk.

    Perfect example of how statistics lie, and how IT policy is so easily circumvented. It also shows how much stupid/silly IT policy is created, that only marginally does what it is designed to do because it was created in a vacuum.

  73. Re:Use systems that users dont need to think about by networkBoy · · Score: 1

    I beg to differ.
    We use PGP whole disk encryption and let me tell you, you notice the difference between two machines, one with crypto, one without. That said, it's the company's machine. If they want it to be slower but more secure that's their call.

    Also, on normal tasks this difference may be nominal, but if you're doing a backup and/or virus scan, and doing something else that requires CPU you will bog badly.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  74. Encryption Gone Wrong by Inanis · · Score: 1

    I work in a company where encryption is standard on all laptops. One day someone in IT that worked out of a remote office pushed a change to the encryption server. He thought he was testing a change in DEV. He was very, very wrong. The change he made prevented all the laptops from booting up. This affected everyone with a laptop worldwide. Talk about a cluster fuck. Everyone in IT from the Help Desk reps to Developers were dispatched to fix every single laptop in the company. It took almost a week to get everyone back to normal.

    Now, there is of course about a million and one things that could have been done to prevent this - better admin controls, better configuration of the encryption server and a better change management process just to name a few. Unfortunately the fact of the matter is this great system that was supposed to protect the corporation brought it to its knees for days.

    I’m not saying encryption is a bad thing, but this was slapped in place by an arbitrary “mandatory deadline” without understanding the first thing about how to deploy this correctly. If they had taken the time to understand it first this probably wouldn’t have happened.

    We still use it. Users still complain about it. Nothing has been done to prevent this from happening again other than the guy that mistakenly pushed the change getting canned.

  75. Weighing up the risks. by Geeky · · Score: 1

    In many cases, the real risk of someone accessing data is much less than the risk of losing encrypted data because you lose the means to decrypt it. I've seen users who've encrypted their own disks go to support when they forget the passphrase and insist that support decrypt it for them... er, no, sorry, you're screwed.

    Or let's say you get a hard drive failure and lose data that isn't backed up (it happens, even if you think you're careful). With an unencrypted disk, depending on the failure, you have an outside chance of retrieving files because even a partial file might be usable. With an encrypted drive, you're screwed again. It's going to be all or nothing - at least at the file level, and possibly the entire drive.

    Taking the balance of risk, performance and all the rest (sensitive data should only be stored centrally anyway), encrypting local drives seems like overkill.

    --
    Sigs are so 1990s. No way would I be seen dead with one.
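    Both the "key was in the BIOS of the dead laptop" complaint earlier in the thread and the forgotten-passphrase case just above come down to the same thing: one protector for the volume key and no escrowed alternative. As an added illustration (standard-library Python written for this page, not BitLocker's, TrueCrypt's or PGP WDE's actual on-disk format), this wraps one volume key under two independent protectors, the user's passphrase and a random recovery key that IT escrows centrally, and shows that a corrupted or forgotten user protector no longer means the data is gone. The XOR-with-PBKDF2-output wrap plus HMAC tag is chosen so the example needs no third-party library; a real product would use an authenticated cipher mode for the same step. The iteration count and the sample passphrase are constructed values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for this example


def _derive(protector: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte wrapping pad and a 32-byte MAC key from one protector."""
    material = hashlib.pbkdf2_hmac("sha256", protector, salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def wrap_key(volume_key: bytes, protector: bytes) -> Dict[str, bytes]:
    """Wrap the 32-byte volume key under one protector.

    A fresh random salt makes the derived pad single-use, and the HMAC over
    salt+ciphertext lets unwrap detect a damaged slot (a flipped bit) or a
    wrong protector instead of silently producing a garbage key.
    """
    salt = os.urandom(16)
    pad, mac_key = _derive(protector, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(blob: Dict[str, bytes], protector: bytes) -> Optional[bytes]:
    """Return the volume key, or None if the protector is wrong or the slot is damaged."""
    pad, mac_key = _derive(protector, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def provision_volume(passphrase: str):
    """Create a volume key and protect it twice: user passphrase + recovery key.

    Returns (header to store on the disk, recovery key to escrow centrally,
    volume key). In a real system the volume key stays in memory only; it is
    returned here so the example can check the round trip.
    """
    volume_key = secrets.token_bytes(32)
    recovery_key = secrets.token_bytes(32)
    header = {
        "user": wrap_key(volume_key, passphrase.encode("utf-8")),
        "recovery": wrap_key(volume_key, recovery_key),
    }
    return header, recovery_key, volume_key


def corrupt_one_bit(blob: Dict[str, bytes]) -> Dict[str, bytes]:
    """Simulate the 'a bit got flipped' failure from the thread on one protector slot."""
    damaged = dict(blob)
    damaged["wrapped"] = bytes([blob["wrapped"][0] ^ 0x01]) + blob["wrapped"][1:]
    return damaged


if __name__ == "__main__":
    header, recovery_key, volume_key = provision_volume("correct horse battery")
    header["user"] = corrupt_one_bit(header["user"])
    print("user slot after bit flip:", unwrap_key(header["user"], b"correct horse battery"))
    print("recovery slot still unlocks:", unwrap_key(header["recovery"], recovery_key) == volume_key)
```

    The recovery key is only worth escrowing if the escrow survives the laptop: it belongs in the directory or a vault that the help desk can query, and the rollout should not be called done until a restore from that escrow has been rehearsed on a machine whose user slot has been deliberately damaged.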
  76. Re:That's what happens when using Windows. by Anonymous Coward · · Score: 0

    I don't know how many times I will see a laptop sitting on a desk, all encrypted up, all tight and secure and shit, and happily backing up to an external unencrypted hard drive each night that is sitting right next to it on the desk.

    This isn't necessarily unreasonable if the main threat by far is theft of laptop in transit/out of the office (I believe that accounts for about 98% of laptop thefts in my company). As long as the backup drive stays in the office.

  77. Re:As a road warrior I should be using encryption. by bschorr · · Score: 1

    Our company has a really cool product that we sell to our customers for recovering data in the case of a drive failure. It's called a "backup".

    It's been in the papers, you should check it out. ;-)

    --
    -B-
  78. Re:As a road warrior I should be using encryption. by bschorr · · Score: 1

    No backups of confidential data? You're kidding, right?

    Since confidential data tends to be among the most mission-critical data (in most organizations) I'd argue that it's the data MOST in need of backing up. The backups can (and should) be encrypted and stored in a physically secure location. But backups are essential.

    If you don't back it up then you don't deserve to have it.

    --
    -B-
  79. We're from the gov't and we're here to help... by bschorr · · Score: 1

    Anybody else notice the irony of having a thread about how few people encrypt their mobile devices just a couple of stories below a story about the government seizing laptops?

    --
    -B-
  80. Re:As a road warrior I should be using encryption. by Dusty101 · · Score: 1

    Hear hear. I've already had problems with corrupted Keychains on my Mac (OS 10.5) twice in the last year. The only way I was able to recover my encrypted list of passwords was by restoring from backup. There are few things more annoying than trying to access a deliberately-encrypted file and getting nothing but a notification window that reports "Access to this file is restricted". In light of this, there's no way I'm going to trust FileVault.

  81. Re:As a road warrior I should be using encryption. by Jeian · · Score: 1

    Computer/network ops, actually.

    Yes, it is retarded, but you can't easily keep people (especially people who have to handle that kind of data) from doing it anyway.

  82. Re:Use systems that users dont need to think about by Spazmania · · Score: 1

    I don't know. Is BitLocker the one in use at the US EPA? Because that one has had a crippling effect on the portion of their scientists and managers that actually use the computers. Or at least used to...

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  83. Re:As a road warrior I should be using encryption. by Anonymous Coward · · Score: 0

    This is the same argument made a decade ago by the "road warrior" who prefers paper over a PC. They could be heard saying something like this:

    "The risk of losing access to the data when something goes wrong is far too dangerous to risk it. I have had problems on the road already, yet I have always managed to recover my data either from my file cabinet or from photocopies, but what happens when the software or the OS crashes? Carry another laptop? Carry bootable USB-based software tools? Sorry, too many variables, too much potential for trouble." ...and then conclude with...

    "This is why I only bring paper with me when I travel and not a laptop."

    I guess what I am saying is that your argument against doing what you know you should... is ignorance. You just don't know what to do because you haven't used it before. If you subscribe to that view, then what are you doing on a PC anyways? And why are you using the Internet for Cripes Sake?

  84. Re:Use systems that users dont need to think about by omglolbah · · Score: 1

    Sadly in my case it has very little to do with legacy applications.

    It has to do with anal IT Security staff that want to have 100% control over everything. Even when it breaks stuff and prevents us from doing our job.

    For instance using network printers is against corporate IT Security policy unless the printer is owned by the company. So when we visit customer sites and are connected to their network we can't print due to firewall blocks on our laptops that we can't lift... So we must copy files to usb sticks and print from other machines.. yay

    If only things made sense it wouldn't be so hard to swallow :-p

  85. Re:Use systems that users dont need to think about by TemporalBeing · · Score: 1

    There do exist packages that can handle the encryption of at least fixed disks without the user needing to do anything more than the usual login. BitLocker for one (and BitLocker can plug into Active Directory easily)

    With the right software, it is possible to protect the fixed disks of all PCs in the enterprise (including laptops that may only connect to the network through a VPN or may be used in places where there is no network access at all such as airplanes) and the only thing the users have to do is to log in just like they normally do. Mobile devices like Blackberries and Windows Mobile devices also have options for encryption that IT can enable. Even email can be encrypted without the users doing anything special using modern versions of Exchange (at least from what I read with Google)

    One company I worked for rolled out hard drive encryption on all laptops. Help Desk then got overwhelmed because 50% of the laptops failed to take, resulting in an unbootable computer. If you didn't have everything on the computer backed up, then you lost it all b/c they had to reformat the disk. The typical issue was the Master FAT record of the NTFS getting corrupted. I think it took the tech 3 or 4 tries (at about 5-6 hours each) to finally get it working on my laptop - meaning I was without the laptop for several days, and unable to do my work (since I didn't have a desktop to fall back on).

    Also, Hard Drive encryption doesn't stop anyone with access to the hard drive except the casual thief. If they really want the data, they'll image the drive and brute force the encryption to get access. (So no, it doesn't stop espionage, just some random Joe who got a stolen laptop from seeing the data.)

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  86. Re:While everyone is arguing over drive encryption by Spykk · · Score: 1

    That is starting to go away though. Our last VAN transition required us to move from vanilla FTP to FTPS. Anything that falls under HIPAA, 835 remittance advice for example, can't be legally transmitted unencrypted either.

  87. Re:While everyone is arguing over drive encryption by ZZartin · · Score: 1

    thousands of businesses are using plain FTP and email to throw unencrypted files around to & from other companies daily.

    Entirely true and usually the information is just simple things like lists of customer names and addresses. Payment information is pretty much always encrypted due to PCI compliance reasons but simple customer information is not. And really unless you have a very exclusive clientele it really doesn't matter, after all who cares about the name of generic redneck #46576876 living in an apartment somewhere who happened to place an order for product XYZ?

  88. you should start way further back by Anonymous Coward · · Score: 0

    .... presumably "anonymous coward" works for checkpoint's marketing department? there are so many issues that compromise security without letting checkpoint trouser your money.

    like sending unencrypted tapes of customer details around. and letting outsourcers sell servers with hard drives containing your customer details.

    the list goes on and on, and will not stop going on. the truth is corporate greed will always end up with processes being compromised because there is the possibility of turning a profit

  89. Risk? It's not from hackers! by mhollis · · Score: 1

    Last company my wife worked for fielded a sales force with laptops. Their "office" was their home. They sold advertisements. There was no data security.

    These sales people knew their territories, knew their jobs and knew how to generate revenue. And they were in New England, where a friend is hard won but, once won, a friend for life. The company, based in Virginia, gave no thought to relationships. They operated under the mistaken impression that their product was king.

    So they put my wife out like the cat. Didn't give her severance. She's suing.

    And they fired all of their sales staff. One by one. Told them they were not meeting their quotas.

    There were no corporate financials on the salespeoples' laptops. There was no sensitive information, save addresses and phone numbers of the advertisers and email addresses of the company yes-men that went along with this deal.

    One of the salespeople, who had been with the company some 30 years went to all of his clients and started a new publication and started selling space in it. He has been growing and gaining clients because he treats them right and has a good ad production department. He has the old advertisers he used to have and has new ones who want in. And he's growing in New England.

    Oh, and the original company? They're looking for a New England regional sales manager to replace my wife now. They want one with a complete sales team and solid contacts in the market.

    Data security? We backed up my wife's entire drive onto our own external hard drive because they wouldn't buy her a backup drive (too cheap). We kept that drive. And at the initial hearing for her lawsuit, the company was repeatedly shocked by the content of their own emails coming back to haunt them.

    So in this day and age of corporations firing people for being female, pregnant "too old" or "too unwhite" and getting away with it most of the time, why do they think they need data security again?

    --
    Gods don't kill people, people with gods kill people.
  90. Misleading title by Anonymous Coward · · Score: 0

    Encrypting the hard disk is not the only kind of encryption a remote user can use. There's another encryption technology, called VPN - do you think there'd be a few more companies using this form?

    So the title claiming "Only 27% of organisations use encryption" is misleading, even a lie.

    BTW: like a number of other remote users, I've VPNed into a corporate system, then connected to virtual machine and worked there - no hard disk encryption used, but the VM's hard drive is a piece of a corporate SAN - I'd rate that as comparatively secure. The only thing that would be protected by any putative HD encryption on the laptop would be the OS and the VPN software.

  91. 73% percent of laptops don't have sensitive data by Logic+Worshipper · · Score: 1

    Between VPNs and the number of employees who take laptops home, but don't have access to sensitive data because they don't work on anything sensitive, I'm willing to bet 70% of corporate laptops don't have sensitive data on their hard drive, and the 3% don't have competent IT departments. Not every corporate laptop needs to be encrypted.

  92. Easy Encryption by Mr.TT · · Score: 1

    For those occasions where you need to protect what you share or store online, try ThreadThat.com at https://www.threadthat.com./