Slashdot Mirror


Only 27% of Organizations Use Encryption

An anonymous reader writes "According to a Check Point survey of 224 IT and security administrators, over 40% of businesses in the last year have more remote users connecting to the corporate network from home or when traveling, compared to 2008. The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users. Yet, regardless of the growth in remote users, just 27% of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9% of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception."

9 of 175 comments

  1. Don't blame IT by jhoegl · · Score: 4, Insightful

    We would do it if we weren't undermanned, underfunded, and had competent users.

    Support for things is already maxing many people out, now you want to add this?

    Please.

  2. Does anyone believe this number? by upuv · · Score: 3, Insightful

    I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

    Exactly where does this BS stat come from again?

    1. Re:Does anyone believe this number? by commport1 · · Score: 5, Insightful

      I'm with you. In the consulting space, and the MAJORITY of companies don't have anything coming close to 'sensitive corporate data' to fall into the wrong hands that would necessitate encryption. To tell you the truth, the majority couldn't give two hoots about who reads their monthly sales figures, HR reviews, etc etc. Anyone who REALLY wants to is going to read them anyway, right? The MAJORITY of companies could care less. E.g. a Club. They sell alcohol and have a couple of restaurants, etc. Exactly the same as the Club down the street. And there is NO competitive advantage for the 'club down the street' to gain by reading the competitors' reporting. Not a big deal.

  3. That's another problem altogether by hwyhobo · · Score: 4, Insightful

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

    That's another problem altogether - that kind of information should never be carried on one's laptop, period. It should only be accessed through a secure tunnel, and it should reside at HQ. There it should be encrypted.

    --
    End anonymous moderation and posting on /.

  4. Re:Encryption drawbacks by grahamlee · · Score: 3, Insightful

    Taking those point by point (and staying on topic by discussing hard drive encryption, the subject of TFA):

    * you must provide a meaningful key management

    Depending on the size of the organisation and the purposes for using encryption, key management may not be necessary, though you still need a capable and reliable lost-passphrase-recovery helpdesk which is going to cost.

    * you lose speed of your machines for number crunching

    I think you need to review just how much time you think computers spend reading and preparing data from the hard drive. If you're in the middle of a number-crunching job, it's pretty much negligible. And besides that, most business laptop users (the target users of full-disk encryption) are trying to read e-mail and write Powerpoint slides, they aren't trying to simulate protein folding.

    * you can easily lose data in the event of hardware corruption

    * access to data is a bit harder even for legitimate purposes

    Yes, that's the whole point. It's usually only a bit harder (you have to authenticate before the operating system will boot) but in return for that, the confidentiality of your data is protected. Security is about risk management and if the risk of publicising your company's secrets is more significant than the risk of users losing time by forgetting their passwords, then the trade-off is worth making.

    * many systems (for example Active Directory domain controller vs. ipsec) don't work well with encryption

    Firstly, the kind of encryption they're talking about in the article, as implemented by BitLocker on Windows and third-party products on many operating systems, is transparent to operating system processes.

    * skills of your systems management must be higher

    Oh noes! I pay my systems managers to manage my systems but don't want to pay people who know what they're doing!

  5. A lot of organisations just are not that important by frinkacheese · · Score: 4, Insightful

    If you run a cleaning company or you're a group of plumbers or perhaps you have a fairly large landscape gardening company then your data just is not that important or a target. So this survey is really quite useless, so what is Agnes Cleaners do not encrypt their thumb drives with their cleaning rota on it? Nobody cares. So whilst all organisations should encrypt just because it is sensible, not all organisations really need to bother because the likelihood of anything happening to their data is so small that it's just not worth the effort of sorting out the idiots who call up the part-time IT admin guy because they have forgotten their encryption key (again).

  6. Use systems that users don't need to think about... by jonwil · · Score: 3, Insightful

    There do exist packages that can handle the encryption of at least fixed disks without the user needing to do anything more than the usual login. BitLocker for one (and BitLocker can plug into Active Directory easily)

    With the right software, it is possible to protect the fixed disks of all PCs in the enterprise (including laptops that may only connect to the network through a VPN or may be used in places where there is no network access at all such as airplanes) and the only thing the users have to do is to log in just like they normally do. Mobile devices like Blackberries and Windows Mobile devices also have options for encryption that IT can enable. Even email can be encrypted without the users doing anything special using modern versions of Exchange (at least from what I read with Google)

  7. Re:Encryption drawbacks by bertok · · Score: 3, Insightful

    Using encryption has its drawbacks:
    * you must provide a meaningful key management
    * you lose speed of your machines for number crunching
    * you can easily lose data in the event of hardware corruption
    * access to data is a bit harder even for legitimate purposes
    * many systems (for example Active Directory domain controller vs. ipsec) don't work well with encryption
    * skills of your systems management must be higher

    I know you probably mean well, but every one of those statements is basically false.

    - Active Directory + Bitlocker OR AD + Encrypting File System (EFS) both do automatic key management, key escrow, etc...
    - Bitlocker has no performance impact, it uses the TPM chip. Also, most CPUs are MUCH faster at encryption than disks are at reading or writing data, so it's not a bottleneck even for software-only systems.
    - hardware corruption causes data loss anyway, encryption just ensures that you only ever get valid data. In that respect, it's a little like ZFS -- encryption also provides integrity, as well as security.
    - Access to data on encrypted volumes is NOT harder. It's usually transparent. If you have proper backup procedures in place, you need never access data in non-standard ways. Speaking of which, your backups should be encrypted too!
    - AD works well with encryption, and has its own built in. It's already reasonably secure for most applications, and doesn't really need further encryption. The only AD related protocol that had issues with ipsec is DNS, but Windows 7 and 2008 R2 now support that as well.
    - If you're already deploying Windows Vista or 7 SOEs, adding in Bitlocker is trivial, it's basically a checkbox. Deploying ipsec is admittedly a little harder, but it's not exactly rocket science.

    I've implemented extensive encryption before, and it wasn't hard, and the users never noticed. From what I've seen, the lack of encryption is not caused by technical issues, but laziness and politics.

    Security is one of those things that's not a problem day to day, just like backups. The users don't notice, and nobody complains to the managers about it, so it must not be a problem, right?

    You only need security on those rare occasions when there's a hack, or a laptop gets stolen, or some intern sells 10 petabytes of old backup tapes full of customer data on eBay for $35. Of course, when those things happen, it's already too late to implement security. The breach has already occurred. There's no going back in time to tick checkboxes.

    In case you're wondering just how common data breaches are, check out this list of the publicly known ones:

    http://www.privacyrights.org/ar/ChronDataBreaches.htm

    If that doesn't scare you, think about how many more there are that the public didn't find out about. Chances are good that your personal data has been leaked to God-knows-who, probably several times, because of lazy IT admins and inept managers.
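Comments #4 (grahamlee, on the lost-passphrase helpdesk that key management requires) and #7 (bertok, on AD-integrated key escrow) both turn on the same mechanism, so here is an added example of it; this is not code from the thread, from BitLocker or from any product named in it. A volume is encrypted under one random data-encryption key (DEK), and the DEK is wrapped separately by each "protector": the user's passphrase and an escrowed recovery key that the helpdesk holds. A forgotten passphrase is then handled by unlocking with the recovery key and re-wrapping the unchanged DEK under a new passphrase, with no re-encryption of the disk. All names (`provision_volume`, `rotate_passphrase`, the metadata layout) are constructed for this illustration, and the wrap itself (PBKDF2-derived one-time XOR pad authenticated with HMAC-SHA256) is chosen so the example runs on the Python standard library alone; real products use an AES-based key wrap.

```python
"""Added example: multi-protector key escrow for full-disk encryption.

Standard-library only.  The XOR wrap is sound here because each protector
derives a fresh pad from a fresh salt and uses it exactly once; the HMAC tag
is checked before any unwrap so a wrong credential or a tampered protector
is rejected rather than yielding garbage.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

DEK_LEN = 32           # 256-bit data-encryption key for the volume
KDF_ROUNDS = 100_000   # PBKDF2 iteration count for passphrase-style protectors


def _kek(secret: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive 64 bytes from the credential and split into (xor pad, mac key)."""
    material = hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ROUNDS, dklen=64)
    return material[:32], material[32:]


def wrap_dek(dek: bytes, secret: bytes) -> dict:
    """Create one key protector: DEK XOR pad, then HMAC over salt || wrapped."""
    salt = os.urandom(16)
    pad, mac_key = _kek(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_dek(protector: dict, secret: bytes) -> bytes | None:
    """Return the DEK, or None if the credential is wrong or the blob was altered."""
    pad, mac_key = _kek(secret, protector["salt"])
    expected = hmac.new(mac_key, protector["salt"] + protector["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, protector["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(protector["wrapped"], pad))


def provision_volume(passphrase: str) -> tuple[dict, str]:
    """New volume: one DEK, two protectors.

    Returns (on-disk metadata, recovery key).  The recovery key is what IT
    escrows centrally (AD, a vault) so the helpdesk can retrieve it later."""
    dek = secrets.token_bytes(DEK_LEN)
    recovery_key = "-".join(f"{secrets.randbelow(1_000_000):06d}" for _ in range(8))
    metadata = {
        "protectors": {
            "passphrase": wrap_dek(dek, passphrase.encode()),
            "recovery": wrap_dek(dek, recovery_key.encode()),
        }
    }
    return metadata, recovery_key


def open_volume(metadata: dict, passphrase: str | None = None,
                recovery_key: str | None = None) -> bytes | None:
    """Try whichever credentials were supplied; any valid protector yields the DEK."""
    if passphrase is not None:
        dek = unwrap_dek(metadata["protectors"]["passphrase"], passphrase.encode())
        if dek is not None:
            return dek
    if recovery_key is not None:
        return unwrap_dek(metadata["protectors"]["recovery"], recovery_key.encode())
    return None


def rotate_passphrase(metadata: dict, recovery_key: str, new_passphrase: str) -> bool:
    """Helpdesk flow for a forgotten passphrase.

    The escrowed recovery key unlocks the DEK, and a fresh passphrase protector
    replaces the old one.  The DEK, and therefore the encrypted disk, is untouched."""
    dek = open_volume(metadata, recovery_key=recovery_key)
    if dek is None:
        return False
    metadata["protectors"]["passphrase"] = wrap_dek(dek, new_passphrase.encode())
    return True


if __name__ == "__main__":
    meta, rk = provision_volume("correct horse")
    assert open_volume(meta, passphrase="wrong") is None
    assert rotate_passphrase(meta, rk, "new passphrase")
    assert open_volume(meta, passphrase="new passphrase") == open_volume(meta, recovery_key=rk)
    print("DEK recovered through both protectors; no re-encryption needed")
```

The design point worth noticing is the one both commenters are arguing about: because the recovery protector exists and is stored centrally, a forgotten passphrase costs a helpdesk call rather than the data, but that same escrowed key is now the thing an organisation has to guard, which is the "meaningful key management" cost that does not go away.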

  8. Of those 27% by TejWC · · Score: 3, Insightful

    I wonder what percent of them wrote their password on a post-it note attached to their laptop.