Emerging Technologies
http://searchSecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1262488,00.html
by: Lisa Phifer
Issue: Jul 2007

On the Horizon
New business initiatives mean new threats. Are you ready?

From January to May of this year, the Identity Theft Resource Center tracked 136 major identity thefts affecting 56 million people. According to the Ponemon Institute, 45 percent of such breaches result from missing laptops. At an average corporate cost of $182 per compromised record, why doesn't every company encrypt laptop data?

"Worldwide, about 20 percent of laptops are encrypted," says Richard Stone, vice president of marketing at mobile security vendor Credant Technologies. "A year ago, one barrier was budget, but most companies have now gotten past that. During the VA incident, envelopes alone to notify those affected cost $11 million. Encrypting that data would certainly have cost less."

Stone believes that many companies do not yet encrypt laptop data because they have not determined exactly what they must do to comply with regulations and make their organization secure. "Measure twice, cut once applies to encryption," he says.

Booting Up
Today, most companies that encrypt laptops start with a mandate. "Ten years ago, our customers made IT-initiated point decisions," says Gerhard Watzinger, CEO of SafeBoot, which also secures mobile devices. "Now, the No. 1 driver is compliance, with corporate-wide rollouts initiated at the board level."

Alexandra Kim, executive director of ISS technology at George Washington University, experienced this firsthand.

"It's an idea we've had for years, but a 2006 board meeting gave us a turbo charge," she says. GWU then created a five-phase plan to encrypt all confidential data with Utimaco SafeGuard. "We segmented the population and did those at the top first. Our first phase covered all users who access confidential data and carry laptops. Our next phase will encrypt all desktops in departments that use confidential data."

Highmark Blue Cross/Blue Shield in Pennsylvania found motivation aplenty to encrypt thousands of laptops and desktops. "We're a DoD (Department of Defense) contractor; we're also bound by HIPAA and SOX," says Chris Kashner, desktop specialist. "We see other companies losing data and didn't want our name in the headlines."

To address those concerns, Highmark deployed GuardianEdge Hard Disk Encryption, first to laptops, then to teleworker desktops. To stop flash drive leakage, Highmark later added Pointsec Media Encryption.

The Right Tool
"Ours is definitely not a one-size-fits-all policy," says Kashner. "We initially chose AES full-disk encryption for laptops because it was bulletproof. We chose [a different platform] for removable media protection because of the vendor's DoD history, centralized control and ability to make use-case exceptions."

San Antonio-based Clarke American Checks combines Computrace LoJack for Laptops with PGP Whole Disk Encryption on about 700 laptops. "Those programs now go out the door with all new laptops," says senior IS auditor Deron Means. Clarke evaluated half a dozen products before settling on PGP. "If all we wanted was disk encryption, any could have done that. But most could not encrypt emailed .zip files or archives--features that were huge for us."

The Hershey Company chose SafeBoot Device Encryption for transparency, ease of use and small footprint.

"Demonstrating audit compliance and integration with our identity management infrastructure was important to me," says Dan Klinger, manager of IS. "Our support center also required delegated roles and central management through one console."

Coverage can also play a big role. "If an employee buys a laptop, we have a standard," says Rob Marti, director of IS at Integris Health in Oklahoma City, "but physicians go out and buy the latest toys; I can't dictate what they'll use. The faster we can support new devices, the better."

Integris chose Credant Mobile Guardian as a common file/folder encryption platform for Windows laptops, Palm PDAs and Windows Mobile 5.

Working Out the Kinks
These companies selected different platforms to meet varied requirements, but all emphasize the importance of pilot programs to work out any kinks.

"My laptop's BIOS had to be flashed before encryption worked," says Means. "Now we have a process of running scandisk and upgrading BIOS before installation."

To avoid problems on older laptops, Means installs software LoJack before encryption. "You may decide to just encrypt newer laptops with chip-based LoJack," he says.

Highmark also started slowly to minimize impact, but found that data could be encrypted reliably without extraordinary measures. "Backups and BIOS updates are fine ideas, but if you're encrypting 4,000 laptops, it's just not feasible," says Kashner. "We didn't do any of those things, and our failure rate was minimal--out of 13,000 desktops, we lost maybe one."

"As long as the laptop itself is well managed, we don't have encryption issues," says Integris' Marti. "But on PDAs, we do a hard reset, install Credant, then reinstall applications, because some Mobile 5 devices have issues with releasing memory."

Laptop Blunders
Stolen or lost laptops have exposed millions of records. Here are some of the most notable, as listed by the Privacy Rights Clearinghouse.

Nov. 19, 2005 Stolen Boeing laptop with 161,000 records.

Dec. 25, 2005 Stolen Ameriprise Financial laptop with 260,000 customer records.

May 2006 Theft of Veterans Administration laptop and external hard drive containing records of 28.6 million veterans.

June 2006 Stolen Ernst & Young laptop with credit card data of 243,000 hotel.com customers.

March 2007 Theft of Los Angeles County Child Support laptops including 243,000 SSNs, names and child support case numbers.

Process, Process
During its pilot, GWU emphasized communication. "I personally called the head of each department before we started," says Kim. Just two problems were encountered, and both installations were aborted without data loss, instilling the confidence required for a larger rollout. The pilot also produced a process. "We found that encryption can take two to eight hours," says Kim. "Now we work with departments to pick a time that doesn't impact their business."

Indeed, everyone interviewed identified people rather than technology as the most essential ingredient.

"Securing data is one thing; retaining the inherent usability of a device is another," says Credant's Stone. "You can't require users to change the way that they work. Don't require the IT organization to change the way that they work either."

According to Watzinger, about 35 percent of SafeBoot's customers use both full disk and file/folder encryption on the same laptop. "When you have an outsourcer administering the CEO's laptop, you need to give him access but stop him from seeing sensitive data," he says.

"After standardizing devices, the biggest thing is having executive management support on who gets encrypted and why, so that you're not fighting that on a daily basis," recommends Marti.

"We put some weight around our laptop protection by making policies heavier," says Clarke American Checks' Means. "Now, if theft is due to negligence, it could cost you your job. One guy had his laptop stolen twice and he no longer works here. After that, it's amazing how few laptops are stolen."

Web Services (continued)


  • Implement federated identity. Since digital identity is extremely context-specific, SOA's highly distributed approach creates challenges in provisioning and access management. No one system tells you everything about a particular identity; rather, one service makes an assertion about an identity, and the relying services evaluate that assertion.

    In this light, it's critical to understand both the capabilities and limitations of your enterprise's current provisioning, access management and federation systems.

    Fortunately, federated identity uses the basic principles of SOA to deliver identity as a service, extending the governance reach of the enterprise's identity management systems.

    Your challenge is to enable federated identity use cases between service requesters and providers by creating a schema for representing the identity and the services that exchange identity assertions and results for authentication, authorization and auditing. The business benefits from increased integration with customers and partners.


  • Bulletproof service registries. Service registries, which store and manage service interface information and associated policies, have at least two important security considerations. They contain valuable information, such as data schemas, service interface and security policy information that must be protected by access control.

    Ideally, they should have the highest level of protection, like an OS kernel. Additionally, since the service registry is where the security policy and mechanisms' metadata is described at design time, and executed at runtime, the IT security team should look to it as a key enabling technology to publish and enforce security policy.


  • Secure the middleware. Historically, middleware applications were considered to be "inside" the firewall, isolated from the outside world. SOA integration requirements place much greater reliance on middleware, such as enterprise service buses that enable reliable, asynchronous messaging and orchestration engines that manage interactions across multiple services. They function as decentralized hubs, aggregating enterprise services and data, and connecting key systems. This new role dramatically alters their security requirements and requires a review of your security architecture.

    The key point is ensuring that messages have sufficient security rights to be routed in the network, while limiting access to the data itself. Think of an envelope holding a letter (the XML message) that requires the correct addressing and postage, but prevents the postal clerk (middleware) from reading its contents.
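The assertion-and-relying-service split from the federated identity item, as an added example that is not part of the original article (Go, standard library only). It assumes each issuer shares an HMAC key with its relying services in place of an XML signature; the names idp.example and orders.example and the "|"-delimited token format are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Assertion is one service's statement about an identity, a constructed stand-in for a SAML assertion.
type Assertion struct{ Issuer, Subject, Audience string; Expires int64 } // Expires in Unix seconds; no '|' in fields

// Issue is the asserting party: HMAC-SHA256 under the issuer's key stands in for an XML signature.
func Issue(a Assertion, issuerKey []byte) string {
	p := strings.Join([]string{a.Issuer, a.Subject, a.Audience, strconv.FormatInt(a.Expires, 10)}, "|")
	mac := hmac.New(sha256.New, issuerKey)
	mac.Write([]byte(p))
	return fmt.Sprintf("%s|%x", p, mac.Sum(nil))
}

// Evaluate is the relying service: trusted issuer, valid signature (recomputed), audience, expiry.
func Evaluate(token string, trusted map[string][]byte, me string, now time.Time) (string, error) {
	f := strings.Split(token, "|")
	if len(f) != 5 {
		return "", fmt.Errorf("malformed assertion")
	}
	exp, err := strconv.ParseInt(f[3], 10, 64)
	a, key := Assertion{f[0], f[1], f[2], exp}, trusted[f[0]]
	switch {
	case err != nil:
		return "", fmt.Errorf("malformed expiry: %w", err)
	case key == nil:
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	case !hmac.Equal([]byte(token), []byte(Issue(a, key))):
		return "", fmt.Errorf("signature mismatch")
	case a.Audience != me:
		return "", fmt.Errorf("assertion not addressed to %q", me)
	case !now.Before(time.Unix(a.Expires, 0)):
		return "", fmt.Errorf("assertion expired")
	}
	return a.Subject, nil
}

func main() { // constructed demo: idp.example asserts alice for orders.example
	key := []byte("constructed demo key")
	tok := Issue(Assertion{"idp.example", "alice", "orders.example", time.Now().Add(time.Hour).Unix()}, key)
	fmt.Println(Evaluate(tok, map[string][]byte{"idp.example": key}, "orders.example", time.Now()))
}
```

The audience check is what stops an assertion issued for one service from being replayed against another; the expiry check bounds how long a stolen assertion stays useful.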
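The envelope-and-postal-clerk model from the middleware item, as an added example that is not from the article (Go, standard library only). It assumes the requester and provider share an AES key that the bus never holds; the Envelope type and the Seal, Route and Open functions are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what travels over the bus (constructed for this example): To and From are the
// cleartext "address and postage" the middleware needs; Body is the sealed letter.
type Envelope struct{ To, From string; Nonce, Body []byte }

// gcm builds AES-GCM under the key shared by requester and provider (16, 24 or 32 bytes).
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the requester: the letter is encrypted, and the headers are bound as associated
// data, so the bus can read them but cannot re-address the envelope without detection.
func Seal(key []byte, to, from, letter string) (Envelope, error) {
	aead, err := gcm(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh per message; never reuse with one key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	body := aead.Seal(nil, nonce, []byte(letter), []byte(to+"\x00"+from))
	return Envelope{To: to, From: from, Nonce: nonce, Body: body}, nil
}

// Route is all the bus does: choose the next hop from the header. It never holds the
// key, so it cannot read the letter. An empty result means undeliverable.
func Route(e Envelope, hops map[string]string) string { return hops[e.To] }

// Open is the provider: AES-GCM rejects the envelope if body or headers changed in transit.
func Open(key []byte, e Envelope) (string, error) {
	aead, err := gcm(key)
	if err != nil || len(e.Nonce) != aead.NonceSize() {
		return "", errors.New("bad key or nonce length") // GCM Open panics on a wrong-size nonce
	}
	letter, err := aead.Open(nil, e.Nonce, e.Body, []byte(e.To+"\x00"+e.From))
	return string(letter), err // letter is nil (and err set) on any tampering or wrong key
}
```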


Gunnar Peterson is a managing principal at Arctec Group, which provides IT architectural services. Send your comments on this article to feedback@infosecuritymag.com.

Information Security Magazine is a part of the TechTarget portfolio of enterprise IT-focused media.
Copyright 2000 - 2008, TechTarget. All Rights Reserved.