Advertisment

Encryption-A Seat Belt For Data

author-image
DQC News Bureau
Updated On
New Update

The quantity of electronic data relied upon by both the private and public

sectors alike are increasing at a rapid rate.

Advertisment

The ability to carry data when we're going about our daily business, whether

on portable hard drives, laptops, or USB sticks, etc, has inarguably

revolutionised working practices. No longer constrained by the physical

boundaries of the office, people are free to work just about anywhere. However,

there has been a price to pay. News reports on data leakage have become a

regular feature and caused huge embarrassment to organisations, impacting their

image and damaging the relationship with customers. So why is the lesson taking

so long to learn?

Many organisations have turned to encryption as a saving grace without fully

understanding the problem they face, and as a result have fallen foul. There are

a number of software-based solutions that sit at entry level, however it is

proven that they can be bypassed relatively easily. A case in point is that of

PA Consulting-a single employee was in breach of its well-established

information security processes when allowed to bypass the encryption software

that would have protected the personal data of 84,000 prisoners in England and

Wales when transferred to a memory stick which subsequently went missing. PA

Consul­ting lost its £1.5 million contract, and jeopardised their remaining £8

million government contracts

Andy Cordial, MD, Origin Storage
Advertisment

Instead of relying on users to encrypt data before transferring it to a

portable device, isn't it better for the external device to have encryption

already built in? External hard drives are available that utilise a hardware

based encryption chip to seamlessly encrypt and decrypt data using military

grade AES/CBC mode encryption.

Like any product, there are variants, so its important to identify what's

important when evaluating the various offerings. Key things to look for are:

  • If users, for example, are likely to be walking away and returning when

    using a device, but not wishing to log out every time, it may be considered

    important to have a quick disconnect feature via the LCD panel so that the

    external drive disappears from the users' screen and cannot be accessed until

    the correct PIN is entered.
  • Another concern is that the keypad may involuntarily disclose the

    PIN-either due to marks on the keypad or from shoulder hacking, so a random

    display facility may be considered essential.
  • A further consideration is what happens if an incorrect PIN is used.

    Potentially if there is no retribution for entering an incorrect code then

    perseverance could be rewarded and the data breached. It may be deemed

    important that after a predetermined number of failed attempts, the data is

    destroyed to ensure its integrity.
  • Plugged in via a USB cable, users are presented with a familiar LCD panel

    on the device itself to enter an up-to 18 digit PIN. Without the decipher code

    the data is inaccessible.
  • Of significant importance may be the need for regular password changes.

    The firmware should have the facility to be customized to present the user

    with a message that makes sure that the password is regularly changed and/or

    registered within the IT department.
  • Unlike software-based encryption, this solution is not vulnerable to the

    same hack programs, decryption software and key loggers which plague other

    products on the market that make their use unsafe.
Advertisment

We will not have long to wait before we see note­books coming to the market

that have encryption built in to the hard drive. A marriage of technologies, the

self encrypting disk (SED) is the opal standard established by trusted

computing. One example is the new range of laptop drives that will be completely

encrypted and will sit internally in notebooks. As a user, the encryption is

seamless needing only to enter an additional password when logging in and

therefore is impossible to bypass.

I find it difficult to understand how anyone can justify carrying electronic

data unsecured in the public domain. People need to be educated as to the many

different options available.

However, in my opinion, transparent encryption of not just sensitive but all

portable data reduces the risk of the individual either forgetting, or worse

bypassing, this safety belt.

Advertisment