For instance, encryption keys kept in a predictable
place are like house keys left under a welcome mat:
They’re easy prey for intruders.
In December, hacking group Anonymous broke
into SpecialForces.com, a provider of law enforcement
equipment, and stole thousands of customers’ data
and credit card numbers. The data was encrypted,
so the crisis appeared to have been averted. But the
hackers didn’t stop there. They broke into the company’s
servers and stole the encryption keys. The group
then leaked roughly 14,000 passwords and 8,000
credit card numbers of customers on its website.
“Most of the standardized encryption methods
or algorithms specified by [the National Institute of
Standards and Technology] are good, it’s just how you
implement them and how you do key management,”
says John Kindervag, an analyst at Forrester Research.
While many companies have deployed full-disk
encryption to comply with regulatory mandates or
to avoid public disclosure requirements under state
privacy laws if data is lost or stolen, an alarming
number of companies still don’t take precautions.
More than half of 500 IT professionals surveyed
by Ponemon Institute and Experian Information
Solutions in January said their lost or stolen data
wasn’t encrypted. Lost data most often included
email (cited by 70% of the respondents), credit card
or bank payment information (45%), and Social Security numbers (33%). If the organization was able to
determine the cause of the breach, most often it was
a negligent insider (34%). Some 19% said outsourcing data to a third party was to blame, and 16% said
a malicious insider was the main cause.
“Any device that leaves your organization needs to
be protected, and with more than just a password,”
says Gartner analyst Eric Ouellet. “We know you can
jailbreak these things very easily.” Data at rest must
be protected, too, he adds. “Even mislabeling a tape
[in storage] or not being able to find it is a disclosure
event,” unless the data is encrypted.
Semiconductor production equipment maker
Applied Materials faces strict customer and legal
requirements to protect information. The company,
which operates in 25 countries, began rolling out
full-disk and message encryption in late 2010 as part
of a tech refresh of its 13,000 laptops. Today, 78% of
laptops are encrypted, with only a few holdouts.
“The change has been positive all over the world,”
says Matthew Archibald, who serves as both chief
information security officer and chief privacy officer
at the Santa Clara, Calif.-based company. “On the
engineering side, they believe anything slows [the
system] down, so you have to show them that it
doesn’t impact them in any way.”
At Intel, 85% of laptops have full-disk encryption,
but CISO Malcolm Harkins is already assessing the
next big thing — self-encrypting hard drives, which
will address encryption gaps when laptops are in
standby, sleep or hibernate modes.
“As you’re moving to products that are always on/instant on,
if you’ve got a nine-hour battery life and
it’s always on standby, the data is not encrypted,”
Harkins says. “I also want to improve the user experience,” he adds, referring to the fact that encryption
typically requires users to enter passcodes and wait
for systems to reboot. “If I can do that, as well as
potentially lower my cost of control, self-encrypting
drives might be the answer.”