The largest single type of security breach is the stolen or lost laptop, according to the Open Security Foundation, yet these computers are among the least protected of all IT assets. The costs of a data breach can be huge, including the loss of trade secrets, marketing plans, and other competitive information that could have long-term business damage, plus the immediate costs of having to notify people if their personal information was possibly at risk from the breach. Particularly in a recession, enterprise management can't afford to take these risks lightly.
There is a way for IT to protect those laptops and the confidential information they contain: encryption. Without the combination of password security and encryption, any halfway-competent hacker has no problem siphoning hard drive contents and putting it to nefarious use.
Perhaps the most important advantage of full disk encryption, though -- beyond the peace of mind it gives your business's lawyers -- is the "safe harbor" immunity that accrues under many data privacy regulations. For example, credit card disclosure rules don't apply to encrypted data, and even California's strict data-disclosure statute makes an exception for encrypted records -- provided you can prove they're encrypted. That's trivial with full disk encryption but not so easy with partial encryption techniques, which depend on user education for safe operation.
A key challenge for IT in deploying encryption on its laptops is the sheer number of encryption options available. Some Windows Vista editions, as well as the forthcoming Windows 7, support Microsoft's built-in BitLocker encryption, and numerous third-party encryption products cover the range of mobile operating systems from XP through Windows 7, Linux, and Mac OS X. Encryption granularity is widely variable as well, ranging from protecting individual files to encrypting virtual disks to deploying fully armored, hardware-based full disk encryption. Prices range from free to moderately expensive.
If you've put off laptop data security due to perceived technical shortcomings or high costs, you need to take another look at the field -- before you lose another laptop.
The maximum encryption protection possible: TPM
Ideally, you'll deploy the full-metal-jacket approach to laptop data protection: full disk encryption using the Trusted Platform Module (TPM) technology. If you can afford the cost, waste no time with inferior methods. All you need is a laptop containing a TPM security coprocessor and, optionally, an encryption-enabled hard drive from one of the major hard drive manufacturers.
The TPM is a chip soldered on to the laptop's motherboard, providing hardware-based device authentication, tamper detection, and encryption key storage. The TPM generates encryption keys, keeping half of the key information to itself, making it impossible to recover data from an encrypted hard drive apart from the computer in which it was originally installed. Even if an attacker gets the user's part of the encryption key or disk password, the TPM-protected drive's contents can't be read when connected to another computer. Further, the TPM generates a unique digital signature from the motherboard in which it's embedded, foiling attempts to move the TPM chip itself to another machine.
TPM-enabled full disk encryption, especially hardware-based implementations of it, provides one other key benefit to enterprises: data erasure upon laptop decommissioning or repurposing. A common bugaboo in the enterprise is the accidental disclosure of data when seemingly worthless outdated laptops are discarded or sold, or transferred to another employee. Erasing sensitive information in such situations is not trivial, and even removing and physically mangling a laptop's hard drive is no guarantee against disclosure. However, because TPM has absolute control over the encryption keys -- remember, half of the key information is stored with the TPM itself -- you can simply tell TPM to forget its keys, and the hard drive is instantly reformatted and effectively rendered nonrecoverable. Disk sectors aren't zeroed, but no computationally feasible method exists today to decrypt the residue.
A great many enterprise-class laptops manufactured in the last two to three years shipped with embedded TPM chips; Apple's Macs are a key exception, as none since 2006 include a TPM chip. But the TPM chips must be explicitly enabled to use them as the authentication mechanism for encryption.
If your laptops have a TPM chip, don't try enabling it without carefully following the vendor's instructions -- otherwise, you could accidentally wipe out the laptop's hard drive. Before enabling the TPM chip in a laptop, you must first take ownership of it, a process that establishes user and management-level passwords and generates the initial set of encryption keys. The management password lets IT administration monitor the inventory of TPM devices, recover lost user passwords, and keep track of usage.
A TPM works with the laptop's resident operating system to encrypt either the entire hard drive or most of it, depending on the OS encryption implementation. (Microsoft's BitLocker, for example, requires a small, unencrypted initial-boot partition). Alternatively, a TPM can interoperate with encryption-enabled hard drives to perform encryption entirely outside of, and transparent to, the operating system.
The TPM technology isn't perfect, but it provides very solid protection in the most common incident, where a laptop is lost or stolen and the user has not left it logged in. If the laptop is powered off, TPM protection is absolute. Most implementations use 256-bit AES encryption, which is considered uncrackable for the foreseeable future. Powering up the device requires entering pre-boot credentials in the form of a password, a PIN, a smartcard, biometric data, a one-time-password token, or any combination of these. If the lost laptop is powered on (but not logged in), or just powered off, an attacker would have to use extraordinary procedures to recover the encryption keys from live memory.
However, if a lost device is powered up and logged in, a TPM provides zero protection. An interloper can simply dump the data off the hard drive in the clear using ordinary file copies. Thus, it's essential that TPM-protected systems have noncircumventable log-in timeouts using administrator-protected settings.