/dqc/media/agency_attachments/3bO5lX4bneNNijz3HbB7.jpg)
Follow UsThe quantity of electronic data relied upon by both the private and public
sectors alike are increasing at a rapid rate.
The ability to carry data when we're going about our daily business, whether
on portable hard drives, laptops, or USB sticks, etc, has inarguably
revolutionised working practices. No longer constrained by the physical
boundaries of the office, people are free to work just about anywhere. However,
there has been a price to pay. News reports on data leakage have become a
regular feature and caused huge embarrassment to organisations, impacting their
image and damaging the relationship with customers. So why is the lesson taking
so long to learn?
Many organisations have turned to encryption as a saving grace without fully
understanding the problem they face, and as a result have fallen foul. There are
a number of software-based solutions that sit at entry level, however it is
proven that they can be bypassed relatively easily. A case in point is that of
PA Consulting-a single employee was in breach of its well-established
information security processes when allowed to bypass the encryption software
that would have protected the personal data of 84,000 prisoners in England and
Wales when transferred to a memory stick which subsequently went missing. PA
ConsulÂting lost its £1.5 million contract, and jeopardised their remaining £8
million government contracts
/dqc/media/post_attachments/da616d4bc09b1d0c4430c92916eb61bcf005831656ef1950c47741632ba3857f.jpg) |
| Andy Cordial, MD, Origin Storage |
Instead of relying on users to encrypt data before transferring it to a
portable device, isn't it better for the external device to have encryption
already built in? External hard drives are available that utilise a hardware
based encryption chip to seamlessly encrypt and decrypt data using military
grade AES/CBC mode encryption.
Like any product, there are variants, so its important to identify what's
important when evaluating the various offerings. Key things to look for are:
- If users, for example, are likely to be walking away and returning when
using a device, but not wishing to log out every time, it may be considered
important to have a quick disconnect feature via the LCD panel so that the
external drive disappears from the users' screen and cannot be accessed until
the correct PIN is entered. - Another concern is that the keypad may involuntarily disclose the
PIN-either due to marks on the keypad or from shoulder hacking, so a random
display facility may be considered essential. - A further consideration is what happens if an incorrect PIN is used.
Potentially if there is no retribution for entering an incorrect code then
perseverance could be rewarded and the data breached. It may be deemed
important that after a predetermined number of failed attempts, the data is
destroyed to ensure its integrity. - Plugged in via a USB cable, users are presented with a familiar LCD panel
on the device itself to enter an up-to 18 digit PIN. Without the decipher code
the data is inaccessible. - Of significant importance may be the need for regular password changes.
The firmware should have the facility to be customized to present the user
with a message that makes sure that the password is regularly changed and/or
registered within the IT department. - Unlike software-based encryption, this solution is not vulnerable to the
same hack programs, decryption software and key loggers which plague other
products on the market that make their use unsafe.
We will not have long to wait before we see noteÂbooks coming to the market
that have encryption built in to the hard drive. A marriage of technologies, the
self encrypting disk (SED) is the opal standard established by trusted
computing. One example is the new range of laptop drives that will be completely
encrypted and will sit internally in notebooks. As a user, the encryption is
seamless needing only to enter an additional password when logging in and
therefore is impossible to bypass.
/dqc/media/post_attachments/82de9aee1bbd391e4e6dfc6bde4e85aa367a088aa71ad4092ed9f241953047b0.jpg) |
I find it difficult to understand how anyone can justify carrying electronic
data unsecured in the public domain. People need to be educated as to the many
different options available.
However, in my opinion, transparent encryption of not just sensitive but all
portable data reduces the risk of the individual either forgetting, or worse
bypassing, this safety belt.