
Deciphering laptop encryption

Three hard disk encryption programs. But which one to choose?

During the past two weeks, I started up a disk encryption project, one of the technology initiatives under my company's intellectual asset protection program.

Our goal with the disk encryption effort is to prevent the loss of intellectual property stemming from the theft of a laptop. On several occasions, executives' laptops have gone missing or been stolen. One of those missing laptops contained intellectual property and sensitive data, including information on a pending acquisition, product strategy and road maps. Luckily, it was recovered.

Should something like that happen again, we want the data on the laptop's hard drive to be illegible to whoever ends up holding it, which means we have to encrypt the entire hard drive, not just selected files. I assembled a team of representatives from our help desk, Windows engineering and Web applications groups and my information security team. After the initial project meeting, which familiarised everyone with the scope of the project and the state of the technology, we considered three products: Microsoft's Encrypting File System (EFS), PGP's Whole Disk and Pointsec Mobile Technologies' Pointsec for PC.

EFS was attractive in that it comes built into Windows and is therefore basically free. Plus, Microsoft is a large company and we already have a relationship with it, so its viability and support structure aren't unknowns. But we wanted a product that would encrypt the entire hard drive and not just individual files, require no change in the way users use their laptops and be compatible across all of our platforms.

So, as appealing as EFS was, it was quickly eliminated, mostly because it can't encrypt the entire volume: EFS works per file and per folder, so anything written outside a protected folder stays in the clear. Besides that, there are some issues regarding sharing EFS-protected files between Windows XP and Windows 2000, and there's a good chance that copies of sensitive data end up in areas of the drive that aren't encrypted, such as temporary directories, the page file and application caches. It's true that we could reduce that last problem by using group policies to control the configuration of users' laptops, but the project team had decided against group policies. Finally, EFS doesn't support Linux, which would leave out many of our engineers.

On to PGP. I like PGP, and we use it for e-mail encryption. Almost every security professional I know has a PGP key, and I thought we could integrate that technology with the whole-disk encryption. Unfortunately, the PGP full-disk encryption offering is new, and the project team felt more comfortable with a product that has been around a while and has a history of large deployments.

This left us with Pointsec for PC, which does in fact meet all of our requirements. It also has offerings for the Palm OS and Pocket PC operating systems and for some of our smart phones. Pointsec for PC uses a preconfigured agent that, when installed on a user's laptop, encrypts the entire hard drive in the background and then modifies the master boot record (MBR) so that the machine boots into Pointsec's pre-boot authentication code. The user must authenticate there, before the operating system is loaded, or the encrypted volume is never unlocked.

As you probably know, the MBR is the first sector of a hard drive: a few hundred bytes of boot code followed by the partition table that identifies where the operating system is located, so that it can be booted into memory. Modifying the MBR is risky. If the hard disk is encrypted and the boot sector becomes corrupted, or a well-meaning repair utility writes a stock MBR back over the vendor's loader, the machine will not boot and the data on the drive is unreachable until the vendor's recovery procedure is run. This is a risk that will have to be dealt with through proper backups of the data and by keeping the product's recovery media and instructions at hand.
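To make the boot-sector risk concrete, here is an added example (my own illustration, not code from the article or from Pointsec) that parses a 512-byte MBR, validates the 0x55AA signature and partition table, and keeps a SHA-256 fingerprint so that a change to the boot code can be detected and the saved copy restored. The three sample sectors are constructed in memory; on a real laptop the sector would be read with `dd if=/dev/sda bs=512 count=1` (or an equivalent raw-disk read on Windows) before and after the encryption agent is installed.

```python
"""Inspect a 512-byte master boot record and detect changes to it.

Constructed example: the sample MBRs below are built in memory. On a real
machine the sector is read from the raw disk before and after the encryption
agent is installed, and the copy plus its fingerprint are kept off the laptop.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
SIGNATURE_OFFSET = 510       # bytes 55 AA close the sector
BOOT_SIGNATURE = b"\x55\xAA"
# One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, partition entries and active partition.

    Raises ValueError when the sector is not a well-formed MBR, which is what
    a corrupted boot sector looks like to the firmware at power-on.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")

    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:               # empty slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError("partition %d has invalid status 0x%02x" % (i, status))
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    active = [p["index"] for p in partitions if p["active"]]
    if len(active) > 1:
        raise ValueError("more than one active partition")
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "active_partition": active[0] if active else None,
    }


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; store it alongside the backup copy."""
    return hashlib.sha256(sector).hexdigest()


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code plus one active NTFS (0x07) partition at LBA 2048."""
    boot_code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = PART_ENTRY.pack(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 409_600)
    table = entry + b"\x00" * 48     # three empty entries
    return boot_code + table + BOOT_SIGNATURE


# Stand-ins: the stock Windows boot code, the sector after a pre-boot
# authentication loader replaced it, and the same sector with its signature zeroed.
ORIGINAL_MBR = build_sample_mbr(b"\xEB\x63\x90WINDOWS-BOOTCODE")
PBA_MBR = build_sample_mbr(b"\xEB\x63\x90PREBOOT-AUTH-LOADER")
CORRUPTED_MBR = PBA_MBR[:SIGNATURE_OFFSET] + b"\x00\x00"


if __name__ == "__main__":
    baseline = fingerprint(ORIGINAL_MBR)
    for name, sector in (("original", ORIGINAL_MBR),
                         ("after agent install", PBA_MBR),
                         ("corrupted", CORRUPTED_MBR)):
        try:
            info = parse_mbr(sector)
            print("%-20s changed=%s active=%s" % (
                name, fingerprint(sector) != baseline, info["active_partition"]))
        except ValueError as exc:
            print("%-20s unreadable: %s" % (name, exc))
```

The partition table survives the agent's install unchanged while the boot-code hash does not, which is exactly what you expect from a pre-boot loader; a sector that fails `parse_mbr` is the case the backup copy exists for.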

Users, however, will still use their enterprise credentials and authenticate only one time. The pre-boot software will pass the authentication credentials through to the operating system log-in. The caveat of that single sign-on is that the strength of the user's domain password is now all that stands between a thief and the disk, so the password policy matters as much as the encryption. Once authenticated, the user should see no noticeable degradation in performance. The idea is that we'll configure the agent and place it on one of our intranet Web pages. Users who need or simply want to use full-disk encryption will contact the IT department and acquire the software and appropriate instructions.

As with any global deployment, we need to define a help desk support model. Pointsec accomplishes this with a Web-based tool that lets help desk administrators access a single management system to assist users in the event that they are locked out of a mobile device.

One of the concerns was what to do when employees leave the company or when a laptop has to be reviewed as part of an investigation or other legal/HR matter. Pointsec (as well as the other products mentioned) offers a key-escrow functionality that includes the concept of a "god key", a recovery key that enables the laptop to be decrypted by a trusted authority without the user's password. In our company, that trusted authority will most likely be me. A key that opens every laptop is also the most valuable target in the deployment, so it has to be stored offline, and every use of it logged and reviewed.
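To show what key escrow means mechanically, here is an added example of my own (not Pointsec's format or code) in which the key that actually encrypts the disk is stored only in wrapped form, once under a key derived from the user's passphrase and once under a recovery key held by the trusted authority. Either slot releases the same key, a wrong secret is detected rather than yielding garbage, and a departed employee's slot can be re-keyed from the recovery slot alone. The wrap (a PBKDF2-derived key, a fresh nonce, an HMAC keystream and an HMAC tag) is a simplified stand-in for a standard key-wrap mode; the passphrases and the iteration count are illustrative.

```python
"""Simplified two-slot key escrow for a volume's data-encryption key (DEK).

Constructed illustration, not a real product's on-disk format. The DEK never
appears in the volume header; only its wrapped copies do. Uses the standard
library only. A production system would use a standard key-wrap such as
AES key wrap or AES-GCM in place of the HMAC-based wrap below.
"""
import hashlib
import hmac
import os

KEY_LEN = 32               # 256-bit keys throughout
PBKDF2_ITERATIONS = 200_000  # illustrative; tune to the slowest supported laptop


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key from a passphrase or recovery key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _keystream(kek: bytes, nonce: bytes) -> bytes:
    # Single-use pad derived from the KEK and a fresh nonce; domain-separated from the tag.
    return hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()


def wrap_key(dek: bytes, kek: bytes) -> dict:
    """Encrypt-then-MAC the DEK under the KEK with a fresh 128-bit nonce."""
    if len(dek) != KEY_LEN:
        raise ValueError("DEK must be %d bytes" % KEY_LEN)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce)))
    tag = hmac.new(kek, b"auth" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(slot: dict, kek: bytes) -> bytes:
    """Verify the tag first, then recover the DEK; wrong key or tampering raises."""
    expected = hmac.new(kek, b"auth" + slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise ValueError("wrong key or corrupted key slot")
    return bytes(a ^ b for a, b in zip(slot["ct"], _keystream(kek, slot["nonce"])))


def _make_slot(dek: bytes, secret: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, **wrap_key(dek, derive_kek(secret, salt))}


def create_volume_header(dek: bytes, user_passphrase: bytes, recovery_key: bytes) -> dict:
    """Header for a newly encrypted volume: the DEK wrapped under both slots."""
    return {"slots": {"user": _make_slot(dek, user_passphrase),
                      "recovery": _make_slot(dek, recovery_key)}}


def open_volume(header: dict, slot_name: str, secret: bytes) -> bytes:
    """Release the DEK from the named slot; either slot yields the same DEK."""
    slot = header["slots"][slot_name]
    return unwrap_key(slot, derive_kek(secret, slot["salt"]))


def rotate_user_slot(header: dict, new_passphrase: bytes, recovery_key: bytes) -> None:
    """Help-desk reset or departed employee: re-key the user slot via escrow only.

    The recovery slot is untouched and the disk is never re-encrypted, because
    the DEK itself does not change.
    """
    dek = open_volume(header, "recovery", recovery_key)
    header["slots"]["user"] = _make_slot(dek, new_passphrase)


if __name__ == "__main__":
    dek = os.urandom(KEY_LEN)                       # generated at encryption time
    header = create_volume_header(dek, b"user passphrase", b"recovery key held offline")
    assert open_volume(header, "user", b"user passphrase") == dek
    assert open_volume(header, "recovery", b"recovery key held offline") == dek
    rotate_user_slot(header, b"new passphrase", b"recovery key held offline")
    assert open_volume(header, "user", b"new passphrase") == dek
    print("both slots release the DEK; user slot re-keyed without re-encrypting")
```

The thing to notice is what the recovery key does not do: it never has to be typed on the laptop, it does not change when user passwords change, and because the DEK stays constant a password reset costs seconds rather than a full re-encryption. That is also why the escrowed key deserves the offline storage and audit trail described above.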

The next step in the project is to start a proof of concept to allow the team to become comfortable with the technology and to give us the opportunity to test the software against our extremely dynamic environment.

Unlike in financial services, health care and some other regulated industries, our users have all sorts of what I like to call funky applications installed on their laptops. For example, some engineers and developers have various debugging tools and employ multiboot environments, all of which will have to be tested at length; a boot manager such as GRUB lives in the same MBR that the pre-boot authentication loader takes over, so those machines are the likeliest to break. In addition, we are a global company, so we have to ensure that the product can be used on laptops with language packs or an operating system in another language.

But I'm fairly confident that we will have a successful deployment and will soon be providing this disk encryption software to address the current and future needs of the company.



Comments

Masclat Pete said: Doesn't the free program TrueCrypt do full disk encryption?

David Lawrence said: This is a great article, but it is getting pretty dated. Pointsec is still the leading solution, but implementation is now much easier. Services like Alertsec offer hard disk encryption as a fully managed service. They provide protection for all information stored on laptops and PCs in an easy, convenient and cost-effective way. By using industry-leading Check Point Full Disk Encryption (former Pointsec) software, Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption. It is a heck of a lot easier for an enterprise than trying to manage all those laptop encryptions on your own.
