Laptop Lockdown Checklist: Six Technologies To Watch

ENCRYPTION
What Can They Get Access To?
ENCRYPTION HARDWARE from Seagate Technology, the world's biggest hard-drive maker, offers businesses a new option--securing laptops from the inside out with the first encrypting hard-disk drives. The first Momentus 5400 FDE.2 hard drive with Seagate's DriveTrust technology will be shipped next month in laptops from ASI Computer Technologies. Seagate makes a claim not many security vendors dare--that laptops with Momentus may be exempt from state data breach disclosure laws if the computer is lost.

Seagate's hard drive uses a government-grade security protocol to encrypt all stored data, even temporary files. The encryption can't be turned off, so users can't violate policy. To access the hard drive, users need to type in a password; ASI's laptops offer the additional option of requiring the scan of a biometric fingerprint reader. "If your computer is stolen, a thief may get into the operating system, but they won't get into the hard drive," says Dan Good, VP of new business initiatives at Seagate. "The government and our customers told us that's how they wanted our system designed."

The widespread theft of business laptops has come to light because of state laws that require companies to tell customers if their information may have been compromised. But some states exempt companies if they can prove the data on the stolen (or lost) laptops was encrypted.

But an encrypted hard drive doesn't eliminate all security risks. The encryption on Seagate's Momentus remains unlocked unless a laptop is completely switched off. That means users will have to make sure they don't leave their laptops unattended in hibernation mode, which is a default in Windows Vista.

Seagate is hoping to build momentum around encrypting hard drives, but it will need to partner with larger laptop makers than ASI to make it happen. Hitachi will offer hardware encryption as an option on all its 2.5-inch drives starting this year. Lenovo is evaluating whether it wants to provide encrypting hard drives as an option or a standard in its laptops, and Seagate is likely to have competition soon from other hard-drive makers. "Pretty much all the PC makers will eventually go to market offering these drives," says Stacy Cannady, Lenovo's security product manager. The Trusted Computing Group, formed by top tech vendors to push hardware-centric security options, has a group working on a specification due this year detailing storage's role in improving security. Storage encryption will be part of that spec, likely spurring development of more encrypting storage devices.

ENCRYPTION SOFTWARE is the more common approach to full-disk encryption, provided by vendors such as GuardianEdge Technologies, PGP, and Pointsec Mobile Technologies, which was recently acquired by Check Point Software Technologies. Additionally, Windows Vista's Enterprise and Ultimate editions offer an encryption feature through BitLocker.

Full-disk encryption software encrypts every bit of data, which is similar to what Seagate offers with its encrypting hard drive. One major benefit of the software approach is that a company can install it across different operating systems and laptop models.

Microsoft's BitLocker is designed to protect data on PCs and servers that have been lost or stolen, and those with hard drives that haven't been scrubbed clean of data before being decommissioned. BitLocker encrypts all user and system files, and it includes a feature that encrypts data only if that data hasn't been tampered with by an unauthorized user. One drawback: To use the feature on a laptop without a Trusted Platform Module chip, you must insert a USB flash drive containing the key for decryption before the laptop can boot.

As with smart cards, look to the federal government to push encryption technology in laptops. A June memo from the Office of Management and Budget recommended that all agencies encrypt data on mobile devices unless the data is determined--in writing--to be "nonsensitive." The U.S. Army is mandating that each laptop it uses in the field be outfitted with encryption software from Pointsec, Credant Technologies, and Microsoft's Encrypting File System.

The Veterans Affairs Department has had enough of missing data on laptops. After having an employee's laptop with data on more than 26 veterans or their spouses stolen last May, another laptop went missing in August from a contractor's office, putting data on 38,000 people at risk. Since then, the VA has signed a $3.7 million contract to add encryption technology to 300,000 departmental computers and mobile devices, using GuardianEdge Technologies and Trust Digital encryption software.

Yet "encrypt everything" is an expensive and potentially risky approach. There's the cost of software, training, and support. The extra software and hardware layers also can slow the performance of systems, especially when data packets must be decrypted by firewalls and intrusion-prevention systems to spot intrusions. Most difficult is that decryption keys can be lost or stolen--which leaves the rightful owner of the laptop unable to access sensitive data, just as surely as it would a thief.

The pressure on agencies like the VA to encrypt data is the same that every company is feeling. Laptops will get stolen or lost and put valuable data at risk, but is across-the-board encryption the answer or costly overkill? Most companies could stand to put more effort into securing their laptops against inevitable disappearance. No option is perfect. But neither is just hoping that it won't happen to you.

Illustration by Randy Lyhus