Code or Clear? Encryption Requirements (Part 4)

In other posts, I talked about the trend toward more prescriptive encryption requirements in laws and regulations governing certain categories of personal data and other protected information. Here’s an overview of the standards and related products available for safe (and legally defensible) handling of protected data.

Encryption Standards

When legislators, regulators, or judges expressly refer to encryption standards adopted by government agencies or industry standards bodies, they are deferring to the technical expertise found in those organizations. They are also future-proofing their rules and rulings, because the technical bodies will typically amend or supersede their specifications and guidelines as technology changes. This is one way to avoid obsolescence in lawmaking.

It is a somewhat controversial approach, especially when the reference is to a private-sector body such as the Payment Card Industry Security Standards Council, because it seems to give an element of legislative power to unelected groups that could conceivably simply ratify the practices of some of the largest competitors in an industry. Some legislation, such as the HITECH Act and parts of the Nevada personal information security law, avoids that issue by allowing covered entities to choose among any widely accepted techniques, or among standards published by any established standards body.

In the United States, NIST has defined several encryption standards that are incorporated in many vendors’ offerings and frequently stated as contractual requirements in both the public and private sectors. These standards have also become a reference point for other governments and companies outside the US. (Note that for classified military and national intelligence data, the US and other governments often rely on secret, unpublished encryption algorithms.)

Here are the encryption standards most commonly used today in commercial and government applications:

DES (Data Encryption Standard), employing a 56-bit key, has been widely used since the 1970s, especially for the transmission of sensitive information. DES requires both the sender and receiver of an encrypted file or message to know the same secret (symmetric) key. Many companies use “triple DES,” which means that three DES keys are applied in succession to encrypt or decrypt a file or message. DES is gradually being replaced in practice by AES, although triple DES is still very much in use.

AES (Advanced Encryption Standard) is now commonly used by US federal agencies, the Department of Defense (for sensitive but unclassified material), many state and foreign governments, and many companies. Like DES, AES is a symmetric algorithm (the same key is used for encryption and decryption), encrypting blocks of data with keys of 128, 192, or 256 bits (128 bits being the minimum). 256-bit keys are most commonly used by government agencies today, and many companies have followed that lead. In 2001, the US Department of Commerce approved FIPS 197 (which embodies the Rijndael version of AES developed in Belgium), specifying that all sensitive but unclassified government documents should be encrypted with AES. Accordingly, many vendors design their products to conform to FIPS 197, typically with a 256-bit key, and the same products are widely used in the private sector as well as by government. Like DES, AES is a publicly defined standard algorithm that can be used royalty-free.

An industry-standard alternative for encrypting data in transmission is asymmetric cryptography (where different keys are used to encrypt and decrypt a file or message). This is used in PKI (public key infrastructure) systems and in the proprietary RSA Security products. These are designed to avoid the need to send private keys via the Internet, where they might be intercepted. RSA is used in the most popular web browsers, and secure webmail applications typically use RSA. Quicken, Lotus Notes, and many other software applications that require transferring data over the Internet use RSA. Thus, these are methods that should also satisfy legal requirements for encrypting data transmissions.
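The two models described above, symmetric AES (one shared key, fixed key sizes) and asymmetric RSA used so that no secret key has to travel over the network, can be shown side by side in a few dozen lines. The Go program below is an added example written for this page; it is not code from the original post or from any product named in it, and it uses only Go's standard library. It encrypts and decrypts with AES in GCM mode under 128-, 192- and 256-bit keys (any other length is rejected, and a wrong key or a modified ciphertext is detected rather than silently producing garbage), and then performs hybrid ("envelope") encryption: a fresh per-message AES-256 key protects the data, and only that key is RSA-OAEP-encrypted with the recipient's public key. The function names, the 2048-bit RSA key size and the sample record are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricEncrypt seals plaintext under an AES key in GCM mode. AES is
// symmetric: SymmetricDecrypt needs the very same key. aes.NewCipher accepts
// only 16-, 24- or 32-byte keys, i.e. AES-128, AES-192 or AES-256.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err // any other key length is rejected here
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// One fresh random nonce per message, prepended to the output so the
	// receiver can recover it. A nonce must never repeat under the same key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. GCM's authentication tag means a
// wrong key or a modified ciphertext comes back as an error, not as garbage.
func SymmetricDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// Envelope is what crosses the network: the per-message AES key wrapped with
// the recipient's RSA public key, plus the AES-GCM ciphertext of the message.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

// NewRecipient creates the recipient's RSA key pair (2048 bits is an assumed
// size). The private half never leaves the recipient's machine.
func NewRecipient() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is hybrid encryption: a random AES-256 key encrypts the bulk data, and
// only that short key is RSA-OAEP-encrypted to the recipient's public key.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ciphertext, err := SymmetricEncrypt(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ciphertext}, nil
}

// Open unwraps the AES key with the private key, then decrypts the message.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(key, env.Ciphertext)
}

func main() {
	recipient, err := NewRecipient()
	if err != nil {
		panic(err)
	}
	msg := []byte("record 1: SSN 000-00-0000, policy ABC-123") // constructed sample, not real data
	env, err := Seal(&recipient.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	plain, err := Open(recipient, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes, recovered: %s\n",
		len(env.WrappedKey), len(env.Ciphertext), plain)
}
```

The RSA step wraps only 32 bytes of key material, which is why the two techniques are combined in practice: public-key encryption of a whole document would be slow, while AES alone would leave the problem of delivering the key. Real PKI deployments additionally bind the public key to its owner with a certificate, which this example leaves out.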

Government Laptops and Government Contracting

The US Office of Management and Budget (OMB), the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the President’s Identity Theft Task Force have all issued guidance to the effect that sensitive data on laptops should routinely be encrypted, mandating this practice for government laptops and recommending it for the private sector. The Department of Defense (DOD) has issued similar guidance. See NIST 800-53 (which requires encryption for removable media under certain circumstances); OMB M-07-16 (similar); and FIPS 200 (the NIST Federal Information Processing Standard that makes NIST 800-53 mandatory for federal agencies).

Consequently, some government contracts refer expressly to NIST 800-53 or similar DOD standards and thereby mandate laptop encryption by the contractor if defined categories of data (including those that are most useful for identity theft) may be stored on its laptops. For other contractors, encryption is not expressly mandated but could be considered necessary for “reasonable” security.

Commercial Options

There are, of course, many products available for encrypting data on servers, networks, firewalls, VPNs, and data center storage media, offered by a range of specialized software and firmware vendors as well as by industry giants such as IBM, CA, and Vanguard. Given the heightened risks and expectations with respect to certain categories of personal information, enterprises should review their strategy for securing such information on their premises and in the hands of outsourced data processing and data storage vendors, including those offering cloud computing or SaaS (software as a service) functions, to see if there is a role for encryption of data at rest as well as data in transit and in mobile devices. Some enterprises have relied on the fact that their databases are maintained in a proprietary format that would be difficult to read, but there are some knowledgeable and determined hackers and thieves out there – some of them may even be current or former employees of the enterprise.

More often than not, however, the dangerous and highly publicized loss or theft of personal information including SSNs, payment card details, and medical and insurance information arises from careless use of laptops and other portable devices outside the physical premises and the controlled network. The lost or stolen laptop (or other portable drive) represents a growing threat to an organization’s reputation, compliance, and litigation risk management, as illustrated by the long list of recent laptop security incidents. (See, e.g., the Chronology of Data Breaches maintained by the nonprofit Privacy Rights Clearinghouse.)

Even the strictest policies against downloading risky data will not entirely avoid the scenario where an employee, contractor, auditor, or consultant admits to losing a laptop or flash drive loaded with protected personal information (or trade secrets, confidential commercial information, or even national secrets). It’s too easy to find such data in a spreadsheet or word processing document, or as an email attachment. It is prudent, therefore, to review the organization’s practices concerning encryption on laptops and netbooks, smartphones, USB drives, and other portable media.

The good news is that there are many acceptable options to address this problem. Some of them are free or relatively inexpensive. Some are essentially automatic and not dependent on the discipline or technical expertise of an individual employee.

Here are some of the common solutions to the challenge of portable security:

File encryption, using password-protection tools built into Microsoft Office and other software applications in which the data reside. The advantage is that these tools are already available to nearly everyone with a computer. In the current version of Microsoft Word, for example, the user only needs to hit the Office Button, then Prepare, and then Encrypt, which prompts the user for a password. Alternatively, for older versions of Word, the user locates the file requiring encryption via My Computer, right-clicks on the file, selects Properties, then Advanced, then Encrypt contents to secure data, then Apply, and finally OK. The file name will change to green font, showing that the file is encrypted; other users will not be able to access the data, particularly if the laptop owner has used a strong administrative password.

There are some limitations and problems with this technique. Typically, it requires some training and periodic reminders to encourage all personnel to recognize which files should be encrypted and to take that action. The encryption is relatively strong, but users often choose weak passwords that are easy for them to memorize (and thus easier for hackers to guess or to break with an automated “brute-force attack”). Passwords must be memorized or stored securely (e.g., with encrypted password-keeper software such as Password Safe, Roboform, SurfSecret, Turbo Passwords, Password Manager XP, Password Agent, or Norton 360 Identity Safe). One problem for companies is the employee who forgets a password, separates from the company, or dies or becomes incapacitated without communicating the passwords to a supervisor. Consequently, some companies provide the passwords centrally and store a copy of them.

Software disk encryption. Microsoft’s Windows XP, Vista, and Windows 7 operating systems (as well as Apple’s operating system and most commercial versions of Linux) allow users to set a password for accessing the operating system itself in the boot process. This makes it inconvenient for casual snoops to access data on the laptop, but it does not protect the data itself from being extracted and read by any hacker with a degree of technical sophistication.

There are several commercial products, however, that can be set to encrypt all the contents of a hard drive (or all files with selected file extensions, such as .docx or .pst). The user typically chooses a single decryption key. (As with file encryption, the company needs to consider whether it manages those keys in the event that users forget them, although this is normally done for company-issued rather than personal laptops.) Modern products encrypt files on the fly and do not suffer from the disadvantages of earlier versions – great expense and slower processing speeds. These products are typically based on AES 256 encryption.

Leading software encryption products on the market today include Windows BitLocker, which comes with at least some versions of Microsoft’s Vista and Windows 7 operating systems, TrueCrypt, Dekart Private Disk, DriveCrypt, FreeOTFE, PGP Desktop Professional, Utimaco SafeGuard, and 7-Zip (open source software that allows a user to create encrypted archives). Prices range from free (BitLocker, TrueCrypt, FreeOTFE, 7-Zip) to $200 per device (PGP). It is worth checking recent reviews for comparisons of functionality and ease of use.

Encrypted files can also be stored on a USB drive, and some USB devices are sold with their own encryption software pre-installed. Again, users must take the trouble to activate and employ these features.

Hardware-based encryption. There are some security and functional advantages to using full-disk encryption (FDE) solutions (some manufacturers call this “whole-disk encryption”). These are hardware-based and therefore less capable of being bypassed or compromised through an attack on the operating system, motherboard, input-output channels, or the encryption application software itself. Both Seagate and Fujitsu offer laptop hard drives with automatic FDE (the user selects a password or employs a USB token or other device to start the computer, and the system then automatically encrypts every bit of data that is entered or downloaded). IBM, Dell, HP, and other manufacturers offer FDE options for popular models of business laptops. FDE drives typically cost more than drives without that feature (perhaps an additional $50-100), but they require no training or discipline on the part of the user other than to remember a password (or use a USB token) when they start the computer.

Many business laptops and servers are already shipped with a TPM (Trusted Platform Module), a chip based on industry standards that generates keys and digital certificates and stores and interacts with encryption keys, USB tokens with authentication credentials, or other security devices. The TPM has to be turned on, however, and many users are unaware that it exists. Once enabled, the TPM can be used, for example, as a very secure way to store and access the decryption key for a laptop with FDE.

Wave Systems, Secude, and others produce software that can augment FDE and TPMs for laptop security. The software is typically installed on both the laptop and the server. Functions include, for example, auditing the laptop’s status (to ensure that the operating system and key applications are updated and not altered), creating an audit trail of remote server access by the laptop, storing laptop keys on the company server, and allowing the company to remotely disable a laptop that has been reported lost or stolen, when a user next attempts to connect to the company’s server. These functions make sense for company-issued laptops that may store or access sensitive data; they may not be practical or acceptable for a personal laptop, home computer, or smartphone that is owned by an employee or consultant of the enterprise.

Yet another option is to purchase a small external hard drive with FDE capabilities and use that, rather than the laptop itself, to store sensitive data. Such devices are available from Dell, HP, Apple, Buffalo, Fujitsu, Paragon, Aegis, and others.

Mobile Encryption as a Shield

IT departments have better control over what happens on their own premises, behind the firewall, with computers and terminals plugged in at desks and data centers. Anything portable is more problematic, but mobility is the wave of the future.

An effective security program requires frequently updated risk analyses (which should expressly include the categories of data subject to legal controls), written policies, and user training, as well as wise purchasing decisions and proper implementation. Automated and monitored encryption solutions, such as some of those mentioned above, can reduce the element of human error in portable computing. And techniques based on government or industry standards, or at least on provable common and best practices, will be easier to defend in a regulatory investigation, a contract dispute, a court of law, or before the court of public opinion if (when?) something does go wrong.

Encryption on portable devices as well as in communications means that sensitive data may never be compromised, even if lost or hacked. It means consumers and employees, as well as the enterprise and its business partners, are better protected against real harm. It means the enterprise may not be obliged to make an embarrassing public report of a data loss. And the lawyers and CEOs are happy, because even if the encryption is overcome by a dishonest employee or a particularly brilliant hacker, the enterprise retains a plausible defense against civil liability and administrative or criminal sanctions.