Let's face it: Laptop loss is reaching epidemic proportions. In the just-released 2007 CSI Computer Crime and Security Survey, fully half of respondents say a laptop or mobile device has been stolen from their organizations in the past year.
In response, at least 35 states now require notification when personal information has been compromised. And as the public becomes weary of continual data breaches--everyone has a friend who's been a victim of identity theft--inevitably customers will start scrutinizing the encryption practices of companies they do business with.
The only bright spot: There are encryption exemptions to notification laws, and encryption products have come a long way--thanks in part to the federal government.
What Uncle Sam Is Up To
U.S. Department of Defense CIO John Grimes issued a memorandum in July 2006 stating that all sensitive data stored on mobile devices must be encrypted. In response, the General Services Administration's Data At Rest Tiger Team, or DARTT, recently gave its seal of approval to 10 encryption products. In a process that Sean Lyons, director of federal operations for SafeBoot Technology, describes as the most comprehensive framework of evaluation criteria he's seen in a formal request for proposals, DARTT presented vendors with a set of technical requirements classified as critical, important, and desirable. Critical requirements include FIPS 140-2 validation of the cryptographic module. The ability to remotely erase data from the device is an important criterion. And desirable features include support for Trusted Platform Modules and operating system single sign-on.
To be considered, products had to meet all critical requirements. There was little formal lab testing; DARTT instead relied on reports from government agencies that had already used most of the products under consideration. In June, the GSA selected 10 full-disk and file-and-folder encryption options plus a USB-connected hardware encryption device for flash storage. This could create up to a 25-million-seat windfall for contract winners, a volume large enough that it might drive down prices for the rest of us. Over five years, the value of these purchases could top $79 million, according to the Office of Management and Budget. The downside is that with the government's buying power concentrated among contract winners, other vendors may have a hard time keeping the cash flowing to R&D.
The government had to anoint 10 products for one function because there's no single über-encryption product. In fact, the only thing worse than losing a laptop full of unencrypted sensitive data is trying to manage an enterprise full of encrypted devices. For now, IT must cobble together systems that each solve only part of the problem. For example, a company may run a BlackBerry Enterprise Server to manage its BlackBerrys and enforce Content Protection, RIM's built-in data encryption, while Windows Mobile devices get some policy management through Exchange 2003 and some from a third-party encryption console. Yet another system might be needed to manage policies and key recovery for a full-disk encryption suite on Windows laptops. Apple's FileVault, meanwhile, encrypts everything in the user's home directory but not applications or system libraries, and it offers no centralized management.
If you're in the process of choosing an encryption system, look at least 18 months down the road at the platforms you may need to support. The surest way to keep encryption consistent and manageable is to invest in a product that covers the widest possible swath of mobile devices and enforces a single, consistent set of policies from one console. Last year, we reviewed full-disk encryption systems, and in a sign of how mainstream this technology is becoming, SafeBoot, our Editor's Choice, is in the process of being acquired by McAfee.