Following on yesterday’s post about laptop thefts at Bord Gais, here’s another case that again shows encryption across an entire company or organization is no easy matter. The Health Service Executive (HSE) office in Ireland has been the victim of a break-in, and fifteen laptops were stolen. Thankfully, thirteen of the laptops featured drive encryption (something similar to AlertBoot).
Two Laptops Not Encrypted
Of course, if only 13 out of 15 are encrypted, it means two laptops are unencrypted. Of those two, one held no sensitive information. The other, however, contained financial information of citizens “who had contacted community welfare officers.” [irishtimes.com]
The HSE has been a victim of data breaches prior to this incident. They had a data breach in September 2008 and a second one a mere two weeks later, which prompted the HSE to review their data security practices.
It looks like the HSE had promised to encrypt all of their laptops, which the above clearly shows did not happen.
Also, it looks like they should have taken a look at their physical security as well: apparently, ten offices were broken into, but the police are not sure how.
Deploying Encryption Across An Entire Company
As I pointed out in yesterday’s post, deploying encryption across an entire company is not an easy task. This is even more so if the selected encryption software is not optimized for deployment across multiple computers.
Consider a free encryption software package you can find on the internet that’s not optimized for mass deployment. You’d have to have an IT guy visit every computer at your company.
He’d have to install the encryption software (let’s assume that there’s no way to stop the encryption process once it’s installed, so he doesn’t actually have to stick around for full disk encryption to finish its job), make a copy of the encryption key, note which computer was encrypted, and come back later to verify the encryption status.
I’ve done this for one computer before (a friend’s), and even if you get the hang of it, it takes about 10 minutes, from start to finish.
Now, I’d tack on another 10 minutes for walking around, turning on computers, turning on monitors, etc., for a total of 20 minutes per computer that needs encryption. This assumes our IT guy won’t face the problems of company laptops that were taken home, people who ask him to come back because they’re busy on a project and need the computer, going to another floor or building or county, etc.–the real world issues that delay security roll-outs.
This means a guy can encrypt maybe three computers an hour. Assume he works 8 hours a day with a one-hour break, and he can encrypt about 21 computers a day. If the company has 500 computers, it will take him a month–again, assuming things go right (they never do).
Note that he probably has other responsibilities, so he can’t actually use all 7 hours just for encrypting stuff.
However, if an encryption software suite designed for mass deployment is used, the time required to protect all computers is cut down significantly. AlertBoot, for example, uses the internet to distribute encryption software. The end user of the computer can easily initialize the encryption process, meaning IT personnel don’t have to literally visit each computer.
Instead, IT can monitor the encryption status of computers and follow up with those particular employees who can’t carry out the instructions. Plus, because everything is centralized, running reports to find out who’s not in compliance, managing different encryption keys, and restricting access due to changes in employee status are easy to carry out.
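What that centralized follow-up looks like in practice is a report run over the inventory of managed computers: which machines have not finished encrypting, which have not checked in recently (so their reported status can’t be trusted), and which belong to someone whose employment status has changed. As an added example, not AlertBoot’s code and not part of the original post, here is a small Python script that builds such a report from a constructed inventory; the CSV columns, hostnames, owners and the 14-day check-in threshold are all assumptions for the sake of illustration.

```python
"""Encryption compliance report over a constructed endpoint inventory.

Added example; the inventory format and every row in it are made up.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample inventory (assumed format; not real data).
# encryption_state is what the agent on the machine last reported.
INVENTORY_CSV = """\
hostname,owner,owner_status,encryption_state,last_checkin
lt-001,user1,active,encrypted,2009-03-10
lt-002,user2,active,encrypting,2009-03-09
lt-003,user3,active,not_installed,2009-02-01
lt-004,user4,departed,encrypted,2009-03-08
lt-005,user5,active,encrypted,2009-01-15
"""

# The date the report is run for; fixed so the output is reproducible.
REPORT_DATE = "2009-03-11"
MAX_CHECKIN_AGE_DAYS = 14  # assumed policy: older status is treated as unknown


def parse_inventory(text):
    """Parse the CSV inventory into a list of dicts with a real date field."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["last_checkin"] = datetime.strptime(row["last_checkin"], "%Y-%m-%d").date()
        records.append(row)
    return records


def classify(record, today, max_age_days=MAX_CHECKIN_AGE_DAYS):
    """Return the list of issues for one machine; an empty list means compliant."""
    issues = []
    if record["encryption_state"] != "encrypted":
        issues.append("not_encrypted")
    if (today - record["last_checkin"]).days > max_age_days:
        # Even an "encrypted" report is stale if the machine has not phoned home.
        issues.append("stale_checkin")
    if record["owner_status"] != "active":
        # Owner left or changed role: access to the device should be restricted.
        issues.append("revoke_access")
    return issues


def compliance_report(records, today, max_age_days=MAX_CHECKIN_AGE_DAYS):
    """Group non-compliant machines by owner so IT knows whom to follow up with."""
    report = {"compliant": [], "follow_up": {}}
    for rec in records:
        issues = classify(rec, today, max_age_days)
        if issues:
            report["follow_up"].setdefault(rec["owner"], []).append((rec["hostname"], issues))
        else:
            report["compliant"].append(rec["hostname"])
    return report


def build_report(inventory_text=INVENTORY_CSV, today=REPORT_DATE):
    """Convenience entry point: parse, classify and return the report."""
    today_date = datetime.strptime(today, "%Y-%m-%d").date()
    return compliance_report(parse_inventory(inventory_text), today_date)


def compliance_percentage(report):
    """Share of machines with no issues, rounded to one decimal."""
    total = len(report["compliant"]) + sum(len(v) for v in report["follow_up"].values())
    return round(100.0 * len(report["compliant"]) / total, 1) if total else 0.0


if __name__ == "__main__":
    rep = build_report()
    print(f"Compliant ({compliance_percentage(rep)}%): {', '.join(rep['compliant'])}")
    for owner, machines in rep["follow_up"].items():
        for host, issues in machines:
            print(f"Follow up with {owner}: {host} -> {', '.join(issues)}")
```

Run as-is, the script flags one machine still encrypting, one with no software installed that also has not checked in for over a month, one that reports encrypted but has gone quiet, and one whose owner has left. The same loop, pointed at a real inventory export, is the report the post says a centralized system makes easy.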
Related Articles and Sites: