Fred Langa looks at the universe of products that help you protect sensitive files and data from prying eyes and hackers.
A recent change in federal privacy laws is causing huge numbers of IT departments to examine the steps they take to keep data secure. Although the specific law affects organizations that store or process medical records--hospitals, insurance companies, human-resource departments, and so on--the change actually touches on an even larger issue, that of keeping any kind of private information truly private, as this reader letter suggests:
Fred, I do medical research and am being asked for recommendations about keeping medical data secure. As you probably know, a new set of regulations took effect on April 16 pertaining to privacy of medical records. These are the so-called "HIPAA standards" (http://www.hhs.gov/ocr/hipaa/). I'm glad that the new regulations are inspiring people to pay closer attention to this topic and would like to respond to their questions. Very frequently, researchers use portable media (notebook computers, mainly, but also Zip disks and PDAs) to transport their data, and most statistical-analysis software doesn't claim to offer even a modicum of security. So I'm asking for advice. Specifically, what measures do you and your readers recommend to secure sensitive data that resides on a notebook computer? There are several software products that encrypt individual files and create encrypted virtual drives. Which of these products do you recommend, if any? --Paul Falzer
Any form of encryption--file-, folder-, partition-, or disk-level--can substantially improve your data security by helping to ensure that only you (or those you authorize) can access the protected data. But picking both the right type of encryption, and then picking the right tool, takes a little digging: As with most things technoid, there's no absolute right or wrong answer. What's right for one circumstance may not be optimal in another.
File Versus Disk Encryption
For example, I personally prefer file- or folder-level encryption tools to whole-disk solutions. Although I have a number of sensitive business records on my system that need high-level protection, most of what's on my hard drive isn't worth worrying about. For me, a tool that encrypts everything on a hard drive would simply waste time and CPU cycles in processing these nonprivate files. I prefer to pick and choose exactly what gets encrypted and when.
I also prefer file- or folder-level encryption because, unlike whole-disk methods, a single failure in the encryption system cannot take out the entire PC. For example, a whole-disk encryption tool may encrypt system files, and also may require that special low-level drivers be loaded at boot time. (This is especially the case with "virtual disk" systems that create an encrypted file that must be mounted, like a disk drive, for use.) A problem with either of these kinds of whole-disk encryption systems might render all your files inaccessible. In contrast, file- or folder-level encryption can be constrained only to data that really needs protection, leaving boot- and system-level files untouched. This way, a problem in the encryption system will at least leave your PC able to boot and run, so you can perform whatever backup, restoration, or repair is needed to recover the damaged files.
Another drawback to disk-level protection is that it usually operates in an "all or nothing" mode: Once you've unlocked the encrypted disk, all files on the disk are open and available for use. This means that anyone with access to the PC, either physically or electronically, also may have access to everything on the disk, just as if it were never encrypted.
In contrast, more granular encryption, such as at the file level, prevents this problem because opening any one encrypted file leaves the others untouched: Anyone with physical or electronic access to a PC can access only files that have been unlocked, leaving the others secure.
File-level encryption also makes it easy to move, E-mail, or copy the data without compromising its security: The encrypted file remains encrypted until the decryption tool is explicitly invoked. Disk-level tools (and some folder-level tools), especially those that try to be ultra user-friendly and "transparent" to use, may automatically decrypt files when moved, copied, or E-mailed. I much prefer a form of encryption that requires a deliberate action before the data is decrypted.
The tool I use most is File2File, a free Windows utility by Cryptomathic. Like many current encryption tools, it uses AES, the "Advanced Encryption Standard," with a 128-bit key. Assuming you use a good passphrase--no less than seven characters long, containing at least one number and one symbol character (e.g., punctuation), not containing your name or user name or any simple variation thereof, and not a common word or name (nothing found in a dictionary)--128-bit AES provides reasonable security for most routine needs. (For more information on generating secure passwords, see the resources at Passphrase FAQs or see the section called "Passwords And Availability" on page two of XP Professional's "Remote Control".) Cryptomathic also offers many other security tools, including more advanced E-security suites and toolboxes.
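The passphrase rule above can be checked mechanically before a file is encrypted. The following is an added example, not part of the original article or of File2File; the function names, the tiny sample wordlist, and the treatment of character substitutions and reversed spellings as "simple variations" are assumptions made for illustration.

```python
import re

# Constructed stand-in for a real dictionary file (assumption).
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}

# Common look-alike substitutions, undone before comparing against names/words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def _variants(text):
    """Letter-only forms of text: digits/symbols dropped, and substitutions undone."""
    low = text.lower()
    return {re.sub(r"[^a-z]", "", low),
            re.sub(r"[^a-z]", "", low.translate(LEET))}

def check_passphrase(passphrase, identities=(), wordlist=SAMPLE_WORDS):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(passphrase) < 7:
        problems.append("shorter than seven characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no number")
    if not any(not c.isalnum() and not c.isspace() for c in passphrase):
        problems.append("no symbol character")

    forms = _variants(passphrase)
    # Name / user name, including reversed or substituted spellings.
    for ident in identities:
        for part in re.split(r"[^a-z]+", ident.lower()):
            if len(part) < 3:
                continue  # skip initials and empty fragments
            if any(part in f or part[::-1] in f for f in forms):
                problems.append("contains name or user name: " + part)
    # Dictionary word once decoration (digits, symbols, substitutions) is removed.
    if any(f in wordlist for f in forms):
        problems.append("common dictionary word")
    return problems

if __name__ == "__main__":
    who = ("Paul Falzer", "pfalzer")  # constructed identity strings
    for candidate in ("P@u1-2003", "P@ssw0rd!", "dragon", "tr9#Vq-kz2"):
        print(candidate, "->", check_passphrase(candidate, who) or "ok")
```

In practice the wordlist argument would be loaded from a full dictionary file rather than the six constructed entries used here.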
But those are my preferences--yours may be different, and you may need more or less security. Let's take a look at some specific options, up to "military-strength" ciphers: