Langa Letter: Easy Encryption - InformationWeek

3/4/2003
02:07 PM
Fred Langa

Langa Letter: Easy Encryption

Fred Langa looks at the universe of products that help you protect sensitive files and data from prying eyes and hackers.

A recent change in federal privacy laws is causing huge numbers of IT departments to examine the steps they take to keep data secure. Although the specific law affects organizations that store or process medical records--hospitals, insurance companies, human-resource departments, and so on--the change actually touches on an even larger issue, that of keeping any kind of private information truly private, as this reader letter suggests:

Fred, I do medical research and am being asked for recommendations about keeping medical data secure. As you probably know, a new set of regulations took effect on April 16 pertaining to privacy of medical records. These are the so-called "HIPAA standards" (http://www.hhs.gov/ocr/hipaa/). I'm glad that the new regulations are inspiring people to pay closer attention to this topic and would like to respond to their questions. Very frequently, researchers use portable media (notebook computers, mainly, but also Zip disks and PDAs) to transport their data, and most statistical-analysis software doesn't claim to offer even a modicum of security. So I'm asking for advice. Specifically, what measures do you and your readers recommend to secure sensitive data that resides on a notebook computer? There are several software products that encrypt individual files and create encrypted virtual drives. Which of these products do you recommend, if any? --Paul Falzer

Any form of encryption--file-, folder-, partition-, or disk-level--can substantially improve your data security by helping to ensure that only you (or those you authorize) can access the protected data. But picking both the right type of encryption, and then picking the right tool, takes a little digging: As with most things technoid, there's no absolute right or wrong answer. What's right for one circumstance may not be optimal in another.

File Versus Disk Encryption

For example, I personally prefer file- or folder-level encryption tools to whole-disk solutions. Although I have a number of sensitive business records on my system that need high-level protection, most of what's on my hard drive isn't worth worrying about. For me, a tool that encrypts everything on a hard drive would simply waste time and CPU cycles in processing these nonprivate files. I prefer to pick and choose exactly what gets encrypted and when.

I also prefer file- or folder-level encryption because, unlike whole-disk methods, a single failure in the encryption system cannot take out the entire PC. For example, a whole-disk encryption tool may encrypt system files, and also may require that special low-level drivers be loaded at boot time. (This is especially the case with "virtual disk" systems that create an encrypted file that must be mounted, like a disk drive, for use.) A problem with either of these kinds of whole-disk encryption systems might render all your files inaccessible. In contrast, file- or folder-level encryption can be constrained only to data that really needs protection, leaving boot- and system-level files untouched. This way, a problem in the encryption system will at least leave your PC able to boot and run, so you can perform whatever backup, restoration, or repair is needed to recover the damaged files.

Another drawback to disk-level protection is that it usually operates in an "all or nothing" mode: Once you've unlocked the encrypted disk, all files on the disk are open and available for use. This means that anyone with access to the PC, either physically or electronically, also may have access to everything on the disk, just as if it were never encrypted.

In contrast, more granular encryption, such as at the file level, prevents this problem because opening any one encrypted file leaves the others untouched: Anyone with physical or electronic access to a PC can access only files that have been unlocked, leaving the others secure.

File-level encryption also makes it easy to move, E-mail, or copy the data without compromising its security: The encrypted file remains encrypted until the decryption tool is explicitly invoked. Disk-level tools (and some folder-level tools), especially those that try to be ultra user-friendly and "transparent" to use, may automatically decrypt files when moved, copied, or E-mailed. I much prefer a form of encryption that requires a deliberate action before the data is decrypted.

The tool I use most is File2File, a free Windows utility by Cryptomathic. Like many current encryption tools, it uses AES, the "Advanced Encryption Standard," with a 128-bit key. Assuming you use a good passphrase--no less than seven characters long, containing at least one number and one symbol character (e.g., punctuation), not containing your name or user name or any simple variation thereof, and not a common word or name (nothing found in a dictionary)--128-bit AES provides reasonable security for most routine needs. (For more information on generating secure passwords, see the resources at Passphrase FAQs or see the section called "Passwords And Availability" on page two of XP Professional's "Remote Control".) Cryptomathic also offers many other security tools, including more advanced E-security suites and toolboxes.
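The passphrase rules listed above can be checked mechanically before a passphrase is used to protect a file. The following is an added example, not part of the original article and not code from File2File or Cryptomathic; the function names, the look-alike substitution table, and the short word list are assumptions constructed for illustration.

```python
import string

# Constructed stand-in for a real dictionary file (assumption).
SAMPLE_WORDS = {"password", "dragon", "welcome", "sunshine", "letmein"}

# Look-alike substitutions used to catch "simple variations" (assumption).
LOOKALIKES = str.maketrans("013457@$!", "oieastasi")
DECORATION = string.digits + string.punctuation


def _forms(text):
    """Return the lower-cased text and the same text with look-alikes undone."""
    low = text.lower()
    return {low, low.translate(LOOKALIKES)}


def check_passphrase(passphrase, personal_names=(), words=SAMPLE_WORDS):
    """Return the list of rules from the article that the passphrase breaks."""
    problems = []
    if len(passphrase) < 7:
        problems.append("shorter than seven characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no number")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no symbol")

    # Name rule: look for each name part, forwards or reversed, in either form.
    parts = {p for name in personal_names for p in name.lower().split() if len(p) >= 3}
    if any(p in f or p[::-1] in f for p in parts for f in _forms(passphrase)):
        problems.append("contains a name or user name")

    # Dictionary rule: digits and symbols bolted onto the ends do not rescue
    # a common word, and neither do look-alike characters inside it.
    core = passphrase.lower().strip(DECORATION)
    if _forms(core) & set(words):
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Dragon1!", "P@ssw0rd1!", "Fr3d#2003", "tr7-Quill%vane"):
        print(candidate, check_passphrase(candidate, ["Fred Langa"]))
```

An empty list means the passphrase passes every rule stated in the paragraph; a real deployment would load a full dictionary in place of the sample word set.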

But those are my preferences--yours may be different, and you may need more or less security. Let's take a look at some specific options, up to "military-strength" ciphers:
