This year's high-profile cases involving the loss of personal information from organizations such as the Veterans Administration, HP, GE, Ford, Starbucks and many others -- large and small -- all have one thing in common: they resulted from the theft of laptops that contained the information. An August 2006 survey of nearly 500 technology companies reported that 81% had lost laptops holding sensitive data. The Privacy Rights Clearinghouse estimates that between Feb. 15, 2005, and Nov. 3, 2006, the number of personal information records lost from all causes was 97,148,596. These losses are having repercussions, including legislation, terminations and legal action.
Given these problems and the huge risk that they pose for organizations of every type, you can expect that your customers will be moving to protect their data against the theft of the laptops that hold it. One promising way to help them achieve this is full disk encryption (FDE), in which all files stored on the laptop are seamlessly encrypted.
The important words here are "all" and "seamlessly." Earlier systems, such as Microsoft's Encrypting File System (EFS), require the user to mark sensitive files with an encryption attribute to cause them to be encrypted. Thus, EFS depends on the user to take a specific action. FDE encrypts all files without any special action on the user's part. In the best case, the only interaction required from the user is to enter a password when the computer is booted. Because all files on the laptop are encrypted, usually with AES or Triple DES, no data will be compromised if the laptop is stolen.
There are two ways to implement FDE. In the first, encryption is handled entirely in hardware. The Seagate Momentus 5400 FDE.2 drive is an example. The user supplies a password at boot time and the drive uses it to transparently encrypt all data written to the disk; data read from the drive is decrypted on the fly using the same password. Because the crypto functions are performed by the drive's electronics, performance is comparable to a normal drive. A disadvantage of these drives is that loss of the password results in loss of the data.
The second way of implementing FDE is in software. Microsoft's BitLocker software, available in some versions of its Vista OS, is one example, but there are many others. Because these systems depend on the CPU to do the encryption, there are some performance penalties, but they generally provide a recovery mechanism for lost passwords.
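The difference between "loss of the password results in loss of the data" and "a recovery mechanism for lost passwords" comes down to how many secrets can unwrap the key that encrypts the disk. The sketch below is an added example, not code from the article or from any vendor; the slot layout, the function names and the HMAC-based wrap (a standard-library stand-in for a real AES key wrap) are assumptions made for illustration.

```python
import hashlib, hmac, os

# Assumed design: a random volume key encrypts the disk; each "slot" stores that
# key wrapped under a key derived from one secret. The HMAC-based wrap below is a
# stdlib stand-in for the AES key wrap a real product would use.

def _kek(secret: str, salt: bytes) -> bytes:
    """Stretch a password or recovery code into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _pad(kek: bytes) -> bytes:
    return hmac.new(kek, b"wrap", hashlib.sha256).digest()

def _tag(kek: bytes, wrapped: bytes) -> bytes:
    return hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()

def make_slot(secret: str, volume_key: bytes) -> dict:
    """Wrap the 32-byte volume key under `secret`; a fresh salt means a fresh pad."""
    salt = os.urandom(16)
    kek = _kek(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, _pad(kek)))
    return {"salt": salt, "wrapped": wrapped, "tag": _tag(kek, wrapped)}

def unlock(secret: str, slots: list):
    """Return the volume key if `secret` opens any slot, else None."""
    for slot in slots:
        kek = _kek(secret, slot["salt"])
        if hmac.compare_digest(_tag(kek, slot["wrapped"]), slot["tag"]):
            return bytes(a ^ b for a, b in zip(slot["wrapped"], _pad(kek)))
    return None

def reset_password(recovery_code: str, new_password: str, slots: list) -> list:
    """Use the recovery slot to re-wrap the same volume key under a new password.
    The disk itself is never re-encrypted; only the small slot table changes."""
    volume_key = unlock(recovery_code, slots)
    if volume_key is None:
        raise ValueError("recovery code does not open any slot")
    return [make_slot(new_password, volume_key), make_slot(recovery_code, volume_key)]

if __name__ == "__main__":
    vk = os.urandom(32)                                   # constructed sample key
    single = [make_slot("boot-password", vk)]             # password-only design
    dual = single + [make_slot("RECOVERY-CODE-EXAMPLE", vk)]
    print("password-only, password lost:", unlock("guess", single))
    print("with recovery slot:", unlock("RECOVERY-CODE-EXAMPLE", dual) == vk)
    dual = reset_password("RECOVERY-CODE-EXAMPLE", "new-password", dual)
    print("new password works:", unlock("new-password", dual) == vk)
```

With a single slot, a forgotten password leaves nothing that can reproduce the volume key; the second slot is what makes recovery possible, and it must be stored away from the laptop it protects.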
About the author
Jon Snader is a TCP/IP and VPN expert whose background includes work in networking, security, communications and radio network controllers. He is the author of VPNs Illustrated: Tunnels, VPNs and IPSec and Effective TCP/IP Programming: 44 Tips to Improve Your Network Programs, both published by Addison-Wesley. You can reach him via his Web site or via email. As an expert on SearchNetworkingChannel.com, he's also available to answer your VPN questions.