Encryption: Why Stop With Laptops?
Over the past few years, it seems like there's one technology that almost everyone is deploying: laptop encryption. All over the industry, in nearly every vertical, it seems like everybody has either just deployed, is deploying, or is about to deploy some type of encryption technology to protect laptop data.
When you think about it, it really isn't all that much of a surprise -- the technology is ubiquitous and low-cost, the rollout can be done piecemeal at a pace comfortable for each individual organization, and there are some pretty solid regulatory and compliance reasons to make this happen. For example, state breach disclosure notification laws provide safe harbor when data's encrypted, data protection mandates like 201 CMR 17 specifically require encryption of portable devices, and some industry regulationw (like PCI) specifically require encryption.
Couple these regulatory drivers with the fact that laptops are a high-visibility target for theft (some estimates suggesting that there are as many as 10,000 laptops stolen per week at airports alone), and you find a climate that strongly favors deployment of laptop encryption technology.
So don't get me wrong; I'm not complaining. I think encryption of laptop data is a great strategy for pretty much any/every organization. However, the reason I'm bringing it up (and what I find most interesting about the trend) is how seldom the same technology deployed for the encryption of laptops is extended to include other areas of the organization. In other words, if you're going to the time and energy to deploy a data protection solution, and that same solution provides technology that will encrypt of data at rest in other contexts (for example, in servers, smartphones, jumpdrives, etc.), why not leverage the technology for the other areas in your enterprise where data could get lost/stolen?
In many cases, the technology itself is low-cost (free or additional per-device costs are small enough that it might as well be) and consequences for loss of critical data is equally disastrous regardless of what type of device the data is on when it gets lost. Still, it's rare that organizations take what they already have and extend it.
It's Not Just Laptops That Go Missing
First of all, laptops are not the only portable devices that get stolen or lost. Many enterprises discount the extremely large number of corporate-owned BlackBerry-type devices as well as personally owned smartphones (e.g. iPhones, Android devices, etc.) that can potentially contain regulated data.
For example, if you allow data such as personally identifiable data, credit card numbers, driver license numbers, etc., to be sent over internal email (many organizations do) and you allow personally owned devices like iPhones to connect to email, you've got a situation where any one of hundreds of devices can expose regulated data. This can trigger incident response procedures, breach disclosure notification, or any number of other unwanted outcomes. Extend the framework to portable storage and not just portable devices, and you start to see the true extent of just how distributed corporate data is and how profound an impact it could have.
Moving beyond the scope of the portable, take a look at the servers and desktops in your environment that contain data of concern -- how likely are they to go missing? For example, if you're a firm that has local branch offices to service individual communities, what do you suppose a burglar would steal if they were to break into a branch office some night? Probably the computer systems the local personnel use to conduct business day-to-day, right? How many of those devices contain regulated data that would be of concern? Probably most of them, if your business is like most. Expand the possibility of theft or loss during transport to servers in your environment as well, and again you can see the huge area of concern that this represents.
What's the Downside?
The first step in trying to address whether it makes sense to expand the scope of encryption technologies is to understand where your data lives currently. Despite what you might think, most organizations don't have a solid understanding of storage and pathways -- even for the most critical devices in their environments. Now that's not to say that they don't understand at a course level (for example, almost every organization will be clued in to whether a data center as a whole contains protected data or not), but at more granular levels -- for example, tracing the flow of production data from point of origin, through the applications/systems it inhabits, to the vendors/partners/end-users it is ultimately shared with -- that's when organizations lose clarity.
So if your organization is like most, determining the need for encryption in a broader scope throughout your enterprise means starting with the data flow, the storage locations of data, and the mechanics of how data is actually exchanged. Organizations starting down the road by deploying data discovery tools or going through a data-flow mapping exercise will most often come rapidly to the realization that protected, critical and confidential data is replicated dozens (in some cases hundreds) of times throughout the organization, that it's stored on a vast array of devices, that it's often exchanged with vendors and partners all over the globe, and that it can potentially be sent via a large number of communications services such as email, IM, fax or other technologies.
Looking at it this way: The default end-state presents quite a bit of opportunity to mitigate risk. If you've already purchased a technology to do encryption of data at rest and you see a need where other areas of the organization can benefit from that technology -- that's a huge win. If you haven't purchased a technology yet but were about to, the win is even bigger because you can architect in the broader scope of the deployment from the get-go. The important thing to realize is that the encryption of data on the laptop is the low-hanging fruit; there's much more opportunity to score major wins by looking beyond just how it can protect the corporate laptops.
Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.