Andy Cordial, Origin Storage: Encryption is the equivalent of a seat belt for data
September 2009 by Andy Cordial, Managing Director at Origin Storage
The first thing most of us do when we get into a car is put on a seatbelt, whether we’re driving or just along for the ride – it’s so important that it’s the law in the UK. We don’t plan to have an accident but, just in case we do, we’re protected. So why don’t we give our data the same courtesy?
The quantity of electronic data relied upon by both the private and public sectors alike are increasing at a rapid rate. Before we go further let’s just clarify what is meant by data – anything stored electronically : there’s the usual documents, email and databases etc., but also another growth area is surveillance monitoring and the resulting video, audio and data streams all contribute to these data banks which need to be stored and managed carefully.
The ability to carry data when we’re going about our daily business, whether on portable hard drives, laptops, or USB sticks, etc., has inarguably revolutionised working practices. No longer constrained by the physical boundaries of the office, people are free to work just about anywhere - at home, in the pub, on the train or in the air, at a client’s premises, even McDonalds offers wi-fi access. However, there has been a price to pay. News reports on data leakage have become a regular feature and causes huge embarrassment to organisations, impacting their image and damaging the relationship with customers. So why is the lesson taking so long to learn?
Many organisations have turned to encryption as a saving grace without fully understanding the problem they face, and as a result have fallen foul. There are a number of software based solutions that sit at entry level however it is proven that they can be bypassed relatively easily. A case in point is that of PA Consulting - a single employee was in breach of its well-established information security processes when allowed to bypass the encryption software that would have protected the personal data of 84,000 prisoners in England and Wales when transferred to a memory stick which subsequently went missing. PA Consulting lost its £1.5 million contract, and jeopardised their remaining £8 million Government contracts
Instead of relying on users to encrypt data before transferring it to a portable device, isn’t it better for the external device to have encryption already built in? External hard drives are available that utilise a hardware based encryption chip to seamlessly encrypt and decrypt data using military grade AES / CBC mode encryption.
Like any product, there are variants, so its important to identify what’s important when evaluating the various offerings, key things to look for are:
1. If users, for example, are likely to be walking away and returning when using a device, but not wishing to log out every time, it may be considered important to have a quick disconnect feature via the LCD panel so that the external drive disappears from the users screen and cannot be accessed until the correct PIN is entered.
2. Another concern is that the keypad may involuntarily disclose the PIN – either due to marks on the keypad or from shoulder hacking, so a random display facility may be considered essential.
3. A further consideration is what happens if an incorrect PIN is used. Potentially if there is no retribution for entering an incorrect code then perseverance could be rewarded and the data breached. It may be deemed important that after a predetermined number of failed attempts the data is destroyed to ensure its integrity.
4. Plugged in via a USB cable, users are presented with a familiar LCD panel on the device itself to enter an up-to 18 digit PIN and without the decipher code the data is inaccessible.
5. Of significant importance may be the need for regular password changes. The firmware should have the facility to be customised to present the user with a message that makes sure that the password is regularly changed and/or registered within the IT department.
6. Unlike software based encryption, this solution is not vulnerable to the same hack programs, decryption software and key loggers which plague other products on the market that make their use un-safe.
The ability to work whenever and wherever we want has significant benefits, especially in today’s 24/7 culture, so it is only fair that when data is involved it is done so responsibly and securely. Since 1965 it has been compulsory for cars in the UK to be manufactured with seat belts although it took 18 years before it become compulsory for them to be used in the front of vehicles and a further eight in the rear – how many preventable deaths resulted in this intervening time? Now you could argue that no-one would die from unsecured data, but individuals could be affected in the event of an accident resulting in a breach, and in fact have – TV presenter Jeremy Clarkson inadvertently proved what can be done with limited personal information in the wrong hands when he lost money after publishing his bank details in a newspaper in January 2008 ( )!
We will not have long to wait before we see notebooks coming to the market that have encryption built in to the hard drive. A marriage of technologies, the SED (Self Encrypting Disk) is the opal standard established by trusted computing. One example is the new range of laptop drives that will be completely encrypted and will sit internally in its notebooks. As a user the encryption is seamless needing only to enter an additional password when logging in and therefore is impossible to bypass.
I find it difficult to understand how anyone can justify carrying electronic data unsecured in the public domain. People need to be educated as to the many different options available however, in my opinion, transparent encryption of not just sensitive but all portable data reduces the risk of the individual either forgetting, or worse bypassing, this safety belt. The next time you decide to carry data out of the safe confines of the corporate environment, remember to buckle it up.