FIBERLINK

DATA ENCRYPTION IS HARD TO DO
Best practices for successfully deploying and managing data encryption on laptops

Delivering Mobility as a Service
White Paper > Data Encryption




Contents

DATA ENCRYPTION IS HARD TO DO ... 1
    The GAO Report on Federal Agency Encryption Efforts ... 1
    What Can Be Done? ... 2

BEST PRACTICES FOR DEPLOYING DATA ENCRYPTION ... 3
    Determining the Objectives and Selecting the Technology ... 3
    Planning the Project and Designing the Solution ... 5
    Preparing and Configuring the Software ... 7
    Rolling out the Data Encryption Solution ... 8

A MANAGEMENT AND REPORTING PLATFORM FOR DATA ENCRYPTION ... 9
    Status and Activation Reports ... 9
    Policy Enforcement and Remediation ... 10
    More on Mobility Management Platforms ... 11








Data Encryption is Hard To Do
Data encryption has become a "must-have" technology
for businesses, government agencies, healthcare
organizations, and other enterprises. Magazines and web
sites are filled with news stories about stolen laptops
containing thousands, or even millions, of confidential
records (Figure 1). Every organization must assume that a
certain number of laptops will be lost each year. And
data encryption is the best available technology to
prevent the loss of confidential data when laptops and
mobile devices are lost or stolen.

But to paraphrase the old song: "Data Encryption is hard
to do."

First, it can be difficult to deploy successfully.

Second, even when it appears to have been deployed successfully, many organizations lack the
management tools to ensure that the encryption solution is in fact functioning properly.

Figure 1: Headlines about stolen and lost laptops

The lack of management tools is important not only from the point of view of maintaining good security, but
also because organizations could potentially fail audits if they cannot prove that their data encryption solution
is performing as planned.



THE GAO REPORT ON FEDERAL AGENCY ENCRYPTION EFFORTS
The challenges of deploying and managing data encryption on remote devices are illustrated in a recent
report from the United States Government Accountability Office titled "Federal Agency Efforts to Encrypt
Sensitive Information Are Under Way, But Work Remains." [1] (Figure 2)

The GAO auditors found that, despite directives dating back to 2006 to deploy data encryption, only 30% of
data was actually encrypted: "…the major agencies collectively reported that they had not yet installed
encryption technology...on about 70 percent of their laptop computers and handheld devices."

A second finding was noted by Computerworld's Frank Hayes [2]:

"...The GAO also found that, in many cases, even the devices believed to be encrypted had problems.
Sometimes the encryption wasn't actually installed. Or it wasn't configured correctly. Or it hadn't been
turned on."

Figure 2: The GAO report on encryption efforts by US federal agencies

Two examples of this type of finding are quoted in Figure 3.



[1] The GAO report is available at: http://www.gao.gov/new.items/d08525.pdf.
    See also: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
[2] Frank Hayes, "Frankly Speaking: Encrypting end user data is tough to do," Computerworld, August 4, 2008,
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=323225&source=NLT_SIT&nlid=91.
    See also: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110983





"At the National Aeronautics and Space Administration (NASA) location we tested, we confirmed that the
agency's selected FIPS-compliant encryption software had been installed on 27 of 29 laptop computers.
Although the agency asserted that it had installed it on all 29 laptops, officials explained that they did not
have a mechanism to detect whether the encryption product was successfully installed and functioning."
(page 30)

"...a component of the Department of Agriculture had not effectively monitored the effectiveness and
continued functioning of encryption products on 5 of the 52 laptop computers that we examined. Agency
officials were unaware that the drives of these devices had not been correctly encrypted…and the agency
had no mechanism in place to monitor whether the installed product was functioning properly." (page 31)

Figure 3: From the GAO report: "no mechanism in place to monitor...the installed product"


Evidently even rocket scientists can be challenged by information security.

And unfortunately, while 93% and 90% compliance might be satisfactory in some situations, GAO and other
auditors are not likely to be happy with a 7%-10% failure rate on systems that management thought were
already protected (not to mention the 70% of systems that were known not to be encrypted yet).


WHAT CAN BE DONE?
The GAO report provides ample evidence that data encryption is not easy to deploy or manage, even for
highly motivated organizations.
However, there are:
     • Best practices that can significantly improve the success rate for rolling out data encryption
       technology.
     • Management tools that can give administrators visibility into encryption status on mobile devices.
Fiberlink is a "Mobility as a Service" provider that helps customers deploy and manage a wide range of
security and connectivity solutions on laptops and PCs. In this white paper we will discuss deployment best
practices for data encryption developed by our Professional Services organization. Then we will briefly outline
how Fiberlink's MaaS360™ Visibility, Control and Mobile services can help customers report on and manage
encryption solutions on mobile devices.








Best Practices for Deploying Data Encryption
Fiberlink's Professional Services organization finds that data encryption deployments are often undermined by
problems such as:
      • Incomplete understanding of the capabilities and limitations of the data encryption solutions selected.
      • Lack of the right personnel on the implementation team.
      • Inadequate planning and testing during the roll-out.


To avoid these, we will discuss best practices and pitfalls for four phases of the process:

       1. Determining the objectives and selecting a data encryption technology

       2. Planning the project and designing the solution

       3. Preparing and configuring the software

       4. Rolling out the solution.



1. DETERMINING THE OBJECTIVES AND SELECTING THE TECHNOLOGY
Many organizations run into trouble early because they don't explicitly analyze the objectives (and constraints)
of their data encryption project.


What needs to be protected?
An obvious place to start is to clarify exactly what needs to be protected:
      • What types of sensitive information are found on laptops? Customer and employee records, financial
        information, business plans, research reports, software code?
      • In what types of files is this information stored? Spreadsheets, database files, word processing
        documents, slide presentations, html files, software executable files?
      • Whose laptops need protecting? Key executives, the sales force and field consultants, all employees,
        contractors, business partners?
      • Who owns the laptops? Your organization, your employees, contractors, business partners?
      • Is sensitive information being copied to USB thumb drives and other removable media?



Compliance and Policies
It is also important to understand compliance and corporate policy requirements from the beginning.

Is your organization affected by HIPAA, PCI and other regulations? If so, what are the expected security "best
practices" for your industry?

Widely-accepted federal standards such as FIPS 140-2 address topics like the control, distribution and
management of encryption keys. And data encryption may be one means of enforcing policies of your own
organization concerning what information employees are allowed to access and share.

You may need to create and distribute new corporate policies. Employees need to understand that data
encryption is being implemented to advance justified corporate policies, not to satisfy the paranoid fantasies
of the IT security staff.






Limitations
It is also important to understand some of the limitations of data encryption technologies so you don't set
expectations that the technology is a panacea for mobile security threats.

Data encryption protects data on lost and stolen devices, but it does not block employees from emailing
sensitive data to outside parties, or prevent a hacker or file-sharing program from opening and transferring
sensitive files. You should also be deploying complementary technologies like firewalls, zero-day threat
protection packages, and Data Loss Prevention (DLP) products.



File/Folder Encryption Products
There are three major data encryption technologies on the market today, and selecting the right one for your
environment can have a big impact on the success of your project.

Many of the first data encryption products on the market were "file" or "file/folder" systems. These encrypt
files selected by the user, or encrypt all files placed in folders specified by either the user or an administrator.

File/folder encryption solutions are very easy to implement. There are few configuration decisions to be made,
and they do not conflict with patching systems, backup and recovery packages and other system software.

But most file/folder encryption products rely to some extent on user actions like selecting files to encrypt and
saving files to selected folders. Unfortunately, users can rarely be relied upon to follow policies consistently.
These technologies also do not encrypt temporary files and swap space, so copies of sensitive files can be
found on the system in an unencrypted state. Finally, the IT staff can rarely prove to auditors that all sensitive
files on remote systems have in fact been properly encrypted.



Full Disk Encryption (FDE) Products
Full Disk Encryption (FDE) solutions, as their name implies, encrypt the entire contents of a disk or volume.
This includes the operating system and applications as well as data files. Typically these solutions authenticate
the user at boot time. Unauthorized users without the password cannot gain access to any code or files at all,
making it impossible for them to get around the encryption program.

Full Disk Encryption is a mature technology, and is extremely simple to configure, since the only decision is
what disks or volumes to encrypt. There is no dependency on users (except to remember their passwords). It
also protects the operating system, temporary files and swap space, so sensitive information is encrypted in all
its forms.

However, initially encrypting the hard drive can be a lengthy process. In some cases users will see slower
performance when accessing very large files (although most FDE products have reduced the performance
penalty significantly over the last few years). Encrypting the master boot record can make it hard to coexist
with backup and recovery programs. And the failure of some sectors on the disk drive can make it much more
difficult to recover data.



"Intelligent Encryption" Products
New "Intelligent Encryption" products combine some of the characteristics of File/Folder and Full Disk
Encryption systems.

These hybrid solutions resemble File/Folder products in that they encrypt files selectively and do not encrypt
the operating system or application software. This reduces the time required for the initial encryption and
avoids performance issues. In addition, they permit administrators to specify encryption for files of a certain
type (say spreadsheets and database files) and files produced by certain applications (say financial and HR
applications). This approach ensures that all files of these types are encrypted without relying on the user to
save them to specific folders. Finally, hybrid solutions typically do not interfere with backup and recovery,
patch management, or strong authentication products.

However, to ensure that all sensitive information is protected, you need to know what it is and where it
resides. If you do not have a good handle on which files or file types contain confidential information it may be
safer to simply encrypt everything using a FDE product. Also, in some situations there are benefits to having
the extra level of authentication provided with FDE software.



2. PLANNING THE PROJECT AND DESIGNING THE SOLUTION
As with all major IT projects, a solid investment in planning can avoid innumerable headaches in the roll-out
phase.


Document objectives, requirements and constraints
You should document the objectives, requirements and policy issues uncovered so far in the project, and make
sure that these are understood and approved by management and by key executives of the user groups that
will be affected. While data encryption should not be a significant burden on computer users, it will not be
completely transparent either, so everyone needs a clear understanding of why the effort and inconvenience
are justified.

You also need to identify the scope and the constraints of the project, including the time window available, the
budget, and the availability of staff resources. As noted earlier, limits in the budget or staff resources could
give you a reason to select a particular data encryption product or to call in the help of a consultant or a
managed security services provider.



Select the project team
A typical data encryption deployment involves multiple teams across the IT organization. You should select a project team
that includes members from:
      • The security group
      • The desktop group (or whoever is responsible for laptop hardware and software)
      • The network administration group
      • Subject matter experts in networking and firewalls.



Identify infrastructure integration tasks
You need to allocate time and resources to integrating your data encryption solution into the rest of the IT
infrastructure. Changes to the infrastructure might include:
      • Changes in firewall and proxy server settings.
      • Adjustments to endpoint backup and recovery processes.
      • Integration with Active Directory and other enterprise directories.








Allocate resources to end user and support training
Most data encryption solutions require some changes in the behavior of computer users, so end user
resistance is a serious risk. It is therefore critical that you allocate resources and set schedules for educating
end users. You will also need to train the help desk and IT administration groups so they can fully support the
solution.



Define success criteria
Many planners neglect to define success criteria for their projects. This task is necessary to limit scope creep
during the course of the project and to justify the effort to management at the end.



Decide what to encrypt
If you are implementing a file/folder encryption or intelligent encryption product then deciding what to
encrypt is a critical step. For example, one intelligent product that we deploy allows you to selectively encrypt
data:
      • Included in specific file types (for example spreadsheets, databases, or temporary files).
      • Written by specific applications that handle sensitive data for example an accounting application.
      • Written to specific disk drives or removable media.
      • Associated with a specific user (if a system is shared).
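The following is an added example, not code from Fiberlink or from any encryption product the paper
discusses. It shows how the four selectors listed above (file type, writing application, destination drive,
user) can be evaluated against a file write so that a file is encrypted when any one of them matches, with the
case-insensitive comparisons Windows paths and account names require. The policy values, file paths and
process names are constructed for illustration.

```python
"""Added example (not Fiberlink's code): evaluate a selective-encryption
policy of the kind an "intelligent encryption" product applies.

The four selectors are OR-ed: a write that matches any of them is
encrypted. Policy values and sample events are constructed."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class WriteEvent:
    """A file write as an encryption agent would observe it (constructed)."""
    path: str          # Windows path of the file being written
    application: str   # process that performed the write
    user: str          # account that owns the session


@dataclass
class EncryptionPolicy:
    file_types: set = field(default_factory=set)    # e.g. {".xlsx", ".mdb"}
    applications: set = field(default_factory=set)  # e.g. {"accounting.exe"}
    drives: set = field(default_factory=set)        # e.g. {"E:"} for removable media
    users: set = field(default_factory=set)         # e.g. {"cfo"} on a shared system

    def matching_rule(self, event: WriteEvent):
        """Name the first selector that matches the write, or None.

        Windows paths, process names and account names are case-insensitive,
        so every comparison is folded to one case before matching."""
        p = PureWindowsPath(event.path)
        if p.suffix.lower() in {t.lower() for t in self.file_types}:
            return "file_type"
        if event.application.lower() in {a.lower() for a in self.applications}:
            return "application"
        if p.drive.upper() in {d.upper() for d in self.drives}:
            return "drive"
        if event.user.lower() in {u.lower() for u in self.users}:
            return "user"
        return None

    def should_encrypt(self, event: WriteEvent) -> bool:
        return self.matching_rule(event) is not None


# Constructed policy covering the four kinds of selection in the text.
POLICY = EncryptionPolicy(
    file_types={".xlsx", ".mdb", ".tmp"},
    applications={"accounting.exe", "hrpayroll.exe"},
    drives={"E:", "F:"},
    users={"cfo"},
)

# Constructed writes: one per selector, plus one that no rule covers.
SAMPLE_WRITES = [
    WriteEvent(r"C:\Users\bob\Documents\Q3.XLSX", "excel.exe", "bob"),
    WriteEvent(r"C:\Users\bob\Documents\ledger.dat", "Accounting.EXE", "bob"),
    WriteEvent(r"E:\notes.txt", "notepad.exe", "bob"),
    WriteEvent(r"C:\Users\cfo\memo.txt", "winword.exe", "CFO"),
    WriteEvent(r"C:\Users\bob\photo.jpg", "paint.exe", "bob"),
]


def classify(events, policy=POLICY):
    """Map each written path to the selector that forces encryption (or None)."""
    return {e.path: policy.matching_rule(e) for e in events}


if __name__ == "__main__":
    for path, rule in classify(SAMPLE_WRITES).items():
        print("%-8s %-45s %s" % ("ENCRYPT" if rule else "plain", path, rule))
```

The order of the checks only decides which rule is reported; the encrypt/no-encrypt outcome is the same
whichever selector is tested first. The last sample write shows the caveat the text raises: a file that matches
no selector stays in the clear, which is why you must know where sensitive data lives before choosing
selective encryption over full disk encryption.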



Design for verification
It is critical that you be able to verify that the data encryption software is operating correctly at all times.
Then, if a laptop is lost or stolen, you can prove that sensitive data has been encrypted. Therefore:
      • During roll-out there should be a way to verify that the data encryption package has been installed
        correctly. It is not enough for users to simply report that they have loaded the software on their
        machines, or for you to send them the software on CD and tell them to install it.
      • You should be able to perform regular "health checks" to make sure the software is operational
        and no one has tried to tamper with it.
      • You should be able to verify when laptops were updated and that they are on the latest version of the
        data encryption product.

This information should be captured and stored in a central, auditable log.

In many environments these capabilities are mandatory. The FIPS 140-2 standard specifically requires user-
independent verification that the software is operational. The Federal Trade Commission's "Safeguards"
document states that companies must "check with software vendors regularly to get and install patches that
resolve software vulnerabilities."

And frankly, you may get into just as much trouble for not being able to prove that the data on a lost or stolen
laptop is protected as for failing to protect it in the first place.

These verification capabilities may be provided by the data encryption software that you selected, but they
can also be provided, or provided better, by a mobility management platform (which will be discussed later in
this white paper).







Design for Minimal User Impact
You should design the solution to have the minimum interaction with end users apart from displaying
warning messages and alerts. Little or no action from end users should be required to implement or
update the solution, and users should not be able to change any encryption parameters or the way in
which data encryption is applied to attached devices. Users must not be able to uninstall the software by
using the Windows Control Panel or deleting program files. Also, users must not be able to prevent the
encryption software from executing by using the Windows Services Manager or Task Manager features.



3. PREPARING AND CONFIGURING THE SOFTWARE
Prepare the Infrastructure
At this stage in the process you make changes to the infrastructure so that your data encryption solution
can be integrated into it. This may include changes in firewall and proxy server settings, adjustments to
backup processes, and integration with an enterprise directory.

Many data encryption products work best on defragmented disk drives, so a best practice before
encryption is to run the defragmenter on disks to clean up bad sectors. You should also delete all
temporary Internet files on the laptops, since you won't want to encrypt them.

Finally, you should identify the corporate images of your laptops and reduce them to the smallest number
possible. You will find it much easier to administer your environment if there are relatively few variations in
the images.



Configure the Data Encryption System
If you are implementing the solution yourself you will need to purchase, install and configure an encryption
server. You will also need to configure the data encryption clients to encrypt files and drives based on the
designs you created earlier.

If you are using a "Mobility as a Service" provider like Fiberlink you will not need to install the server or
server software, but you will want to work with them to develop and implement your encryption policies.


Run an alpha test
We strongly recommend running an "alpha test." This means deploying the solution on a limited number
of laptops belonging to the IT staff. Often this uncovers critical issues like incompatibilities between the
data encryption package and other software being used in the organization (for example the backup and
recovery application).








4. ROLLING OUT THE DATA ENCRYPTION SOLUTION
The last phase of the process is to deploy the solution.

As mentioned earlier, it is critical to train end users and support staff so that they understand the
justification for the project and know what to expect.

Start the roll-out itself with a "beta test" of 10-30 non-IT employees using standard corporate images. This
testing will uncover not only any remaining technical problems, but also issues related to user
understanding and acceptance. Document the lessons learned and make changes accordingly.

When the "beta test" is complete, you should roll out the solution to the rest of the organization in
phases. This can be on a department-by-department basis. If you are deploying a file/folder encryption or
hybrid encryption solution, then another approach we like is to start by encrypting only a few critical files
or types of files, and then ramp up to encrypting all of the targeted files.

You should schedule checkpoints throughout the deployment phase to document the status of the process
and make mid-course corrections.

At the end of the roll-out you should update the requirements documents and process plans to include
new information gathered and lessons learned. These will help you when it is time to expand or upgrade
the data encryption solution.

Finally, you should provide a written report to management that describes the results of the process and
compares them with the success criteria you determined at the beginning of the process.

Although the processes described here involve a lot of work, it is good to keep in mind that a well-
managed data encryption implementation is much less painful than notifying thousands of customers or
employees that their personal data has been exposed because someone lost a laptop.








A Management and Reporting Platform for Data Encryption
As noted earlier, rolling out data encryption is only half the battle. Administrators need tools to monitor
the deployment of encryption across the organization, to document the status or health of the software on
mobile and remote systems, and to identify and remediate problems.

Sometimes these tools are provided by the data encryption vendor, but frequently these tools are not
reliable when systems are out of the corporate office (as shown by the GAO report excerpts quoted in
Figure 3 above).


STATUS AND ACTIVATION REPORTS
Figure 4 illustrates the type of reports that can help administrators track the progress of a rollout. These
reports show information like how many systems have been successfully encrypted, how many have
encryption installed but not active, how many systems have no encryption at all, and what different
encryption products are being used.




Figure 4: Summary reports track the progress of encryption deployments across an organization



The information in this report is obviously helpful for initial deployments of data encryption solutions, but
it also helps the organization track progress over time and keep on top of events when user populations
change (for example because of acquisitions or rolling out encryption to new departments). And versions
of this report can be used to show managers and auditors progress over time toward 100% compliance.

Figure 5 is an example of an activation report that drills down to individual systems to show exactly which
devices have been encrypted and which have not.








                  Figure 5: An activation report shows which systems have not
                                   been successfully encrypted


This type of information allows administrators to go right to the unencrypted systems and troubleshoot
the problem.
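The following is an added example, not code from Fiberlink or the MaaS360 platform, that ties together the
"Design for verification" requirements earlier in this paper and the status and activation reports described in
this section. It takes per-device check-in records, sorts each device into the report buckets above
(encrypted, installed but not active, no encryption), adds an "unverified" bucket for the case the GAO
excerpts describe (a device whose encrypted state was only asserted by a user or has not been measured
recently), flags clients below the latest version, produces the roll-up and the per-host drill-down, and writes
one JSON line per device for a central, auditable log. The hosts, product names, versions, field names and the
fixed clock are all constructed for illustration.

```python
"""Added example, not Fiberlink's or MaaS360's code: turn per-device
encryption check-ins into the verification, status and activation views
the text describes, plus one JSON line per device for a central log.
Hosts, products, versions and field names are all constructed."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "latest" client version per product, and the check-in age after
# which a device's measured state no longer counts as verified.
LATEST_VERSION = {"ExampleFDE": (4, 2, 0), "ExampleFileCrypt": (2, 0, 0)}
STALE_AFTER = timedelta(days=7)
NOW = datetime(2009, 7, 15, tzinfo=timezone.utc)  # fixed clock for a repeatable run

# Constructed check-ins. "source" says whether the management agent measured
# the state itself ("agent") or only relayed what the user reported.
CHECKINS = [
    {"host": "LT-0001", "product": "ExampleFDE", "version": "4.2.1", "installed": True,
     "running": True, "pct": 100, "source": "agent", "last_seen": "2009-07-14T09:12:00Z"},
    {"host": "LT-0002", "product": "ExampleFDE", "version": "4.2.0", "installed": True,
     "running": False, "pct": 100, "source": "agent", "last_seen": "2009-07-14T11:40:00Z"},
    {"host": "LT-0003", "product": None, "version": None, "installed": False,
     "running": False, "pct": 0, "source": "agent", "last_seen": "2009-07-13T08:00:00Z"},
    {"host": "LT-0004", "product": "ExampleFDE", "version": "4.1.3", "installed": True,
     "running": True, "pct": 100, "source": "agent", "last_seen": "2009-07-15T07:30:00Z"},
    {"host": "LT-0005", "product": "ExampleFDE", "version": "4.2.1", "installed": True,
     "running": True, "pct": 100, "source": "user_reported", "last_seen": "2009-07-14T16:05:00Z"},
    {"host": "LT-0006", "product": "ExampleFileCrypt", "version": "2.0.0", "installed": True,
     "running": True, "pct": 100, "source": "agent", "last_seen": "2009-06-10T12:00:00Z"},
    {"host": "LT-0007", "product": "ExampleFDE", "version": "4.2.1", "installed": True,
     "running": True, "pct": 45, "source": "agent", "last_seen": "2009-07-15T06:55:00Z"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(rec, now=NOW):
    """Map one check-in to a report bucket plus the reasons for it.

    Buckets: not_installed, unverified, installed_not_active, encrypted.
    A user's say-so never counts as encrypted: only recent, agent-measured
    state does, which is exactly the mechanism the GAO found missing."""
    if not rec["installed"]:
        return "not_installed", ["no encryption product present"]
    if rec["source"] != "agent":
        return "unverified", ["state is user-reported, not measured by the agent"]
    if now - parse_ts(rec["last_seen"]) > STALE_AFTER:
        return "unverified", ["last measured check-in older than %d days" % STALE_AFTER.days]
    reasons = []
    if not rec["running"]:
        reasons.append("encryption service not running")
    if rec["pct"] < 100:
        reasons.append("only %d%% of volumes encrypted" % rec["pct"])
    return ("installed_not_active", reasons) if reasons else ("encrypted", [])


def is_outdated(rec):
    """True when an installed client is below the assumed latest version."""
    if not rec["installed"]:
        return False
    return tuple(int(x) for x in rec["version"].split(".")) < LATEST_VERSION[rec["product"]]


def summarize(checkins, now=NOW):
    """The Figure 4 style roll-up: counts per bucket and per product."""
    return {
        "total": len(checkins),
        "by_status": dict(Counter(classify(r, now)[0] for r in checkins)),
        "by_product": dict(Counter(r["product"] for r in checkins if r["installed"])),
        "outdated_clients": sum(1 for r in checkins if is_outdated(r)),
    }


def activation_report(checkins, now=NOW):
    """The Figure 5 style drill-down: every host that is not verifiably
    encrypted, with the reason, so an administrator can go straight to it."""
    rows = []
    for r in checkins:
        status, reasons = classify(r, now)
        if status != "encrypted":
            rows.append((r["host"], status, "; ".join(reasons)))
    return rows


def audit_lines(checkins, now=NOW):
    """One JSON line per device, suitable for an append-only central log."""
    lines = []
    for r in checkins:
        status, reasons = classify(r, now)
        lines.append(json.dumps({"checked_at": now.isoformat(), "host": r["host"],
                                 "product": r["product"], "version": r["version"],
                                 "status": status, "outdated": is_outdated(r),
                                 "reasons": reasons}, sort_keys=True))
    return lines


if __name__ == "__main__":
    print(json.dumps(summarize(CHECKINS), indent=2))
    for row in activation_report(CHECKINS):
        print("%-8s %-21s %s" % row)
```

Two design choices matter for audits. First, a version check is done per product, since version numbers of
different vendors are not comparable. Second, a device the agent has not measured recently is reported as
"unverified" rather than carried forward as "encrypted" from its last good check-in; an auditor asking about a
laptop lost three weeks ago will want to know what was actually observed, not what was assumed.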


POLICY ENFORCEMENT AND REMEDIATION
Finally, if the mobility management platform includes software on the mobile device, the software may be
able to remediate some problems. This often means automatically restarting the data encryption software
if it has been turned off by the user, or a virus, or some other piece of software on the system. Figure 6
shows a policy enforcement dashboard; the second graph in the left-hand column shows the policy
enforcement and remediation actions that have been taken during the last 7 days, which in this example
includes 435 automatic "Application Started" actions.




Figure 6: This policy enforcement dashboard shows that 435 "Application Started" actions
have been taken in the last 7 days

Automatic remediation actions can reduce the number of expensive calls to the help desk and reduce the
time the IT staff spends diagnosing and fixing problems on remote systems. This can be particularly
valuable during the rollout period for a new data encryption product.
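The following is an added example, not code from Fiberlink or the MaaS360 platform, of the enforcement
record behind a dashboard like Figure 6: each health check that finds the encryption service stopped
produces one "Application Started" remediation, and the dashboard counts those actions over the last 7 days.
It also flags hosts that needed repeated restarts within the window, since a service that keeps being stopped
points to tampering or a conflicting program that the help desk should look at rather than something to keep
re-fixing silently. The restart itself is simulated, and the hosts, timestamps, fixed clock and escalation
threshold are constructed.

```python
"""Added example, not Fiberlink's or MaaS360's code: the enforcement log
behind a "policy enforcement and remediation" view, with the last-7-days
count a dashboard like Figure 6 shows. The restart is simulated; hosts,
timestamps, the clock and the escalation threshold are constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)
REPEAT_THRESHOLD = 3  # assumed: restarts per host per window that warrant a human look
NOW = datetime(2009, 7, 15, tzinfo=timezone.utc)  # fixed clock for a repeatable run

# Constructed health checks: (time, host, state of the encryption service).
OBSERVATIONS = [
    ("2009-07-01T08:00:00Z", "LT-0002", "running"),
    ("2009-07-02T10:00:00Z", "LT-0009", "stopped"),  # before the 7-day window
    ("2009-07-09T09:00:00Z", "LT-0002", "stopped"),
    ("2009-07-10T09:00:00Z", "LT-0002", "stopped"),
    ("2009-07-11T09:00:00Z", "LT-0002", "stopped"),
    ("2009-07-12T09:00:00Z", "LT-0002", "stopped"),
    ("2009-07-12T09:05:00Z", "LT-0002", "running"),
    ("2009-07-13T10:00:00Z", "LT-0009", "running"),
    ("2009-07-14T10:00:00Z", "LT-0011", "stopped"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def start_service(host):
    """Stand-in for the agent's real remediation (starting the service).
    Always succeeds here; a real agent would return the actual outcome."""
    return True


def enforce(observations):
    """Walk the health checks in time order. Every "stopped" observation
    yields one remediation record, whoever stopped the service (the user,
    malware or another program: this data cannot tell them apart)."""
    actions = []
    for when, host, state in sorted(observations):
        if state == "stopped":
            ok = start_service(host)
            actions.append({"time": when, "host": host,
                            "action": "Application Started" if ok else "Start Failed"})
    return actions


def dashboard(actions, now=NOW, window=WINDOW):
    """Counts for the dashboard graph, plus hosts restarted so often within
    the window that they should be escalated instead of silently re-fixed."""
    recent = [a for a in actions if parse_ts(a["time"]) > now - window]
    per_host = Counter(a["host"] for a in recent)
    return {
        "window_days": window.days,
        "by_action": dict(Counter(a["action"] for a in recent)),
        "escalate": sorted(h for h, n in per_host.items() if n >= REPEAT_THRESHOLD),
    }


if __name__ == "__main__":
    log = enforce(OBSERVATIONS)
    print(dashboard(log))
```

On the constructed data, six restarts are recorded in total but the dashboard counts only the five inside the
window, and LT-0002 is escalated because its service was found stopped on four consecutive days.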







MORE ON MOBILITY MANAGEMENT PLATFORMS
Fiberlink is the world's leading provider of "Mobility as a Service."
"Mobility as a Service" means enabling productive, secure mobile work by delivering and managing mobility-
related technologies as hosted services.
In practice this means offering a wide range of connectivity and security products, and allowing organizations
to use Fiberlink's global web-based infrastructure to deploy and manage them.
For example, with Fiberlink's services enterprises can deploy and manage not only data encryption packages,
but also anti-virus and patch updates, data loss prevention (DLP), media encryption and port control (USB
control), backup and recovery, VPNs and other security technologies.
Fiberlink's MaaS360™ Visibility, Control and Mobile services provide visibility into laptops and remote devices
and help administrators control software and security on those devices.
These services are based on the MaaS360™ Platform, a unique cloud-based platform that provides a single
portal for IT operations and security personnel to monitor and manage laptops and remote systems.
Fiberlink also offers connectivity and remote access services, so mobile workers can connect with the Internet
and corporate networks anywhere, using one standard user interface for all connection types (including Wi-Fi,
3G mobile data network, corporate WLAN, broadband and dial-up).
Enterprises that utilize Fiberlink's Mobility-as-a-Service offerings can speed up the deployment of new
mobility-related technologies, reduce the cost of managing those technologies, improve security, increase the
satisfaction of mobile workers, and streamline the collection of compliance data for audits.
For more information on Fiberlink's MaaS360 Visibility, Control and Mobile services and Fiberlink's Security
Services, please see Fiberlink's home page and related pages on the web site.




    FOR MORE INFORMATION
    For more information on Fiberlink’s technology and services, contact Fiberlink at:
    1787 Sentry Parkway West, Building 18, Suite 200; Blue Bell, PA 19422
    Phone 215.664.1600; Fax 215.664.1601
    www.fiberlink.com





Data Encryption Is Hard To Do Fiberlink

  • 1. FIBERLINK DATA ENCRYPTION IS HARD TO DO Best practices for successfully deploying and managing data encryption on laptops Delivering Mobility as a Service
  • 2. White Paper > Data Encryption Contents DATA ENCRYPTION IS HARD TO DO.............................................................................1 The GAO Report on Federal Agency Encryption Efforts..............................................................................1 What Can Be Done?........................................................................................................................................2 BEST PRACTICES FOR DEPLOYING DATA ENCRYPTION................................3 Determining the Objectives and Selecting the Technology...........................................................................3 Planning the Project and Designing the Solution............................................................................................5 Preparing and Configuring the Software.......................................................................................................7 Rolling out the Data Encryption Solution........................................................................................................8 A MANAGEMENT AND REPORTING PLATFORM FOR DATA ENCRYPTION.............9 Status and Activation Reports........................................................................................................................9 Policy Enforcement and Remediation...........................................................................................................10 More on Mobility Management Platforms....................................................................................................11 Delivering Mobility as a Service ii
  • 3. White Paper > Data Encryption Data Encryption is Hard To Do Data encryption has become a "must-have" technology for businesses, government agencies, healthcare organizations, and other enterprises. Magazines and web sites are filled with news stories about stolen laptops containing thousands, or even millions, of confidential records (Figure 1). Every organization must assume that a certain number of laptops will be lost each year. And data encryption is the best available technology to prevent the loss of confidential data when laptops and mobile devices are lost or stolen. But to paraphrase the old song: "Data Encryption is hard to do." First, it can be difficult to deploy successfully. Second, even when it is appears to have been deployed F i g u r e 1 : H e a d l i n e s a b o u t s t o l e n a n d l o s t l a p t o ps successfully, many organizations lack the management tools to ensure that the encryption solution is in fact functioning properly. The lack of management tools is important not only from the point of view of maintaining good security, but also because organizations could potentially fail audits if they cannot prove that their data encryption solution is performing as planned THE GAO REPORT ON FEDERAL AGENCY ENCRYPTION EFFORTS The challenges of deploying and managing data encryption on remote devices are illustrated in a recent report from the United States Government Accountability Office titled "Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, But Work Remains." (Figure 2) The GAO auditors found that despite directives dating back to 2006 to deploy data encryption only 30% of data was actually encrypted: "…the major agencies collectively reported that they had not yet installed encryption technology...on about 70 percent of their laptop computers and handheld devices." 
A second finding was noted by Computerworld's Frank Hayes: "...The GAO also found that, in many cases, even the devices believed to be Figure 2: The GAO report on e n c r y p t i o n e f f o r ts b y U S encrypted had problems. Sometimes the encryption wasn't actually installed. federal agencies Or it wasn't configured correctly. Or it hadn't been turned on." Two examples of this type of finding are quoted in Figure 3. 1 The GAO report is available at: http://www.gao.gov/new.items/d08525.pdf. See also: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf 2 Frank Hayes, Frankly Speaking: Encrypting end user data is tough to do, Computerworld, August 4, 2008 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=323225&source=NLT_SIT&nlid=91 See also: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110983 Delivering Mobility as a Service 1
  • 4. White Paper > Data Encryption "At the National Aeronautics and Space Administration (NASA) location we tested, we confirmed that the agency's selected FIPS-compliant encryption software had been installed on 27 of 29 laptop computers. Although the agency asserted that it had installed it on all 29 laptops, officials explained that they did not have a mechanism to detect whether the encryption product was successfully installed and functioning." (page 30) __________________________________________________________________________________________________ "...a component of the Department of Agriculture had not effectively monitored the effectiveness and continued functioning of encryption products on 5 of the 52 laptop computers that we examined. Agency officials were unaware that the drives of these devices had not been correctly encrypted…and the agency had no mechanism in place to monitor whether the installed product was functioning properly." (page 31) F i g u r e 3 : F r o m t h e G A O r e p o r t : " n o m e c h a n i s m i n p l a c e t o m o n i t o r. . . t h e i n s ta l l e d p r o d u c t " Evidently even rocket scientists can be challenged by information security. And unfortunately, while 93% and 90% compliance might be satisfactory in some situations, GAO and other auditors are not likely to be happy with a 7%-10% failure rate on systems that management thought were already protected (not to mention the 70% of systems that were known not to be encrypted yet). WHAT CAN BE DONE? The GAO report provides ample evidence that data encryption is not easy to deploy or manage, even for highly motivated organizations. However, there are: • Best practices that can significantly improve the success rate for rolling out data encryption technology. • Management tools that can give administrators visibility into encryption status on mobile devices. 
Fiberlink is a "Mobility as a Service" provider that helps customers deploy and manage a wide range of security and connectivity solutions on laptops and PCs. In this white paper we will discuss deployment best practices for data encryption developed by our Professional Services organization. Then we will briefly outline how Fiberlink's MaaS360™ Visibility, Control and Mobile services can help customers report on and manage encryption solutions on mobile devices. Delivering Mobility as a Service 2
  • 5. White Paper > Data Encryption Best Practices for Deploying Data Encryption Fiberlink's Professional Service organization finds that data encryption deployments are often undermined by problems such as: • Incomplete understanding of the capabilities and limitations of the data encryption solutions selected. • Lack of the right personnel on the implementation team. • Inadequate planning and testing during the roll-out. To avoid these we will discuss best practices and pitfalls for four phases of the process: 1. Determining the objectives and selecting a data encryption technology 2. Planning the project and designing the solution 3. Preparing and configuring the software 4. Rolling out the solution. 1. DETERMINING THE OBJECTIVES AND SELECTING THE TECHNOLOGY Many organizations run into trouble early because they don't explicitly analyze the objectives (and constraints) of their data encryption project. What needs to be protected? An obvious place to start is to clarify exactly what needs to be protected: • What types of sensitive information are found on laptops? Customer and employee records, financial information, business plans, research reports, software code? • In what types of files is this information stored? Spreadsheets, database files, word processing documents, slide presentations, html files, software executable files? • Whose laptops need protecting? Key executives, the sales force and field consultants, all employees, contractors, business partners? • Who owns the laptops? Your organization, your employees, contractors, business partners? • Is sensitive information being copied to USB thumb drives and other removable media? Compliance and Policies It is also important to understand compliance and corporate policy requirements from the beginning. Is your organization affected by HIPAA, PCI and other regulations? If so, what are the expected security "best practices" for your industry? 
Widely-accepted federal standards such as FIPS 140-2 address topics like the control, distribution and management of encryption keys. And data encryption may be one means of enforcing policies of your own organization concerning what information employees are allowed to access and share. You may need to create and distribute new corporate policies. Employees need to understand that data encryption is being implemented to advance justified corporate policies, not to satisfy the paranoid fantasies of the IT security staff. Delivering Mobility as a Service 3
  • 6. White Paper > Data Encryption Limitations It is also important to understand some of the limitations of data encryption technologies so you don't set expectations that the technology is a panacea for mobile security threats. Data encryption protects data on lost and stolen devices, but it does not block employees from emailing sensitive data to outside parties, or prevent a hacker or file-sharing program from opening and transferring sensitive files. You should also be deploying complementary technologies like firewalls, zero-day threat protection packages, and Data Loss Prevention (DLP) products. File/Folder Encryption Products There are three major data encryption technologies on the market today, and selecting the right one for your environment can have a big impact on the success of your project. Many of the first data encryption products on the market were "file" or "file/folder" systems. These encrypt files selected by the user, or encrypt all files placed in folders specified by either the user or an administrator. File/folder encryption solutions are very easy to implement. There are few configuration decisions to be made, and they do not conflict with patching systems, backup and recovery packages and other system software. But most file/folder encryption products rely to some extent on user actions like selecting files to encrypt and saving files to selected folders. Unfortunately, users can rarely be relied upon to follow policies consistently. These technologies also do not encrypt temporary files and swap space, so copies of sensitive files can be found on the system in an unencrypted state. Finally, the IT staff can rarely prove to auditors that all sensitive files on remote systems have in fact been properly encrypted. Full Disk Encryption (FDE) Products Full Disk Encryption (FDE) solutions, as their name implies, encrypt the entire contents of a disk or volume. This includes the operating system and applications as well as data files. 
Typically these solutions authenticate the user at boot time. Unauthorized users without the password cannot gain access to any code or files at all, making it impossible for them to get around the encryption program. Full Disk Encryption is a mature technology, and is extremely simple to configure, since the only decision is what disks or volumes to encrypt. There is no dependency on users (except to remember their passwords). It also protects the operating system, temporary files and swap space, so sensitive information is encrypted in all its forms. However, initially encrypting the hard drive can be a lengthy process. In some cases users will see slower performance when accessing very large files (although most FDE products have reduced the performance penalty significantly over the last few years). Encrypting the master boot record can make it hard to coexist with backup and recovery programs. And the failure of some sectors on the disk drive can make it much more difficult to recover data. "Intelligent Encryption" Products New "Intelligent Encryption" products combine some of the characteristics of File/Folder and Full Disk Encryption systems. These hybrid solutions resemble File/Folder products in that they encrypt files selectively and do not encrypt the operating system or application software. This reduces the time required for the initial encryption and Delivering Mobility as a Service 4
  • 7. White Paper > Data Encryption avoids performance issues. In addition, they permit administrators to specify encryption for files of a certain type (say spreadsheets and database files) and files produced by certain applications (say financial and HR applications). This approach ensures that all files of these types are encrypted without relying on the user to save them to specific folders. Finally, hybrid solutions typically do not interfere with backup and recovery, patch management, or strong authentication products. However, to ensure that all sensitive information is protected, you need to know what it is and where it resides. If you do not have a good handle on which files or file types contain confidential information it may be safer to simply encrypt everything using a FDE product. Also, in some situations there are benefits to having the extra level of authentication provided with FDE software. 2. PLANNING THE PROJECT AND DESIGNING THE SOLUTION As with all major IT projects, a solid investment in planning can avoid innumerable headaches in the roll-out phase. Document objectives, requirements and constraints You should document the objectives, requirements and policy issues uncovered so far in the project, and make sure that these are understood and approved by management and by key executives of the user groups that will be affected. While data encryption should not be a significant burden on computer users, it will not be completely transparent either, so everyone needs a clear understanding of why the effort and inconvenience are justified. You also need to identify the scope and the constraints of the project, including the time window available, the budget, and the availability of staff resources. As noted earlier, limits in the budget or staff resources could give you a reason to select a particular data encryption product or to call in the help of a consultant or a managed security services provider. 
Select the project team A typical data encryption involves multiple teams across the IT organization. You should select a project team that includes members from: • The security group • The desktop group (or whoever is responsible for laptop hardware and software) • The network administration group • Subject matter experts in networking and firewalls. Identify infrastructure integration tasks You need to allocate time and resources to integrating your data encryption solution into the rest of the IT infrastructure. Changes to the infrastructure might include: • Changes in firewall and proxy server settings. • Adjustments to endpoint backup and recovery processes. • Integration with Active Directory and other enterprise directories. Delivering Mobility as a Service 5
  • 8. White Paper > Data Encryption Allocate resources to end user and support training Most data encryption solutions require some changes in the behavior of computer users, so end user resistance is a serious risk. It is therefore critical that you allocate resources and set schedules for educating end users. You will also need to train the help desk and IT administration groups so they can fully support the solution. Define success criteria Many planners neglect to define success criteria for their projects. This task is necessary to limit scope creep during the course of the project and to justify the effort to management at the end. Decide what to encrypt If you are implementing a file/folder encryption or intelligent encryption product then deciding what to encrypt is a critical step. For example, one intelligent product that we deploy allows you to selectively encrypt data: • Included in specific file types (for example spreadsheets, databases, or temporary files). • Written by specific applications that handle sensitive data for example an accounting application. • Written to specific disk drives or removable media. • Associated with a specific user (if a system is shared). Design for verification It is critical that you be able to verify that the data encryption software is operating correctly at all times. Then, if a laptop is lost or stolen, you can prove that sensitive data has been encrypted. Therefore: • During roll-out there should be a way to verify that the data encryption package has been installed correctly. It is not enough for users to simply report that they have loaded the software on their machines, or for you to send them the software on CD and tell them to install it. • You should to be able to perform regular "health checks" to make sure the software is operational and no one has tried to tamper with it. • You should be able to verify when laptops were updated and that they are on the latest version of the data encryption product. 
This information should be captured and stored in a central, auditable log. In many environments these capabilities are mandatory. The FIPS 140-2 standard specifically requires user- independent verification that the software is operational. The Federal Trade Commission's "Safeguards" document states that companies must "check with software vendors regularly to get and install patches that resolve software vulnerabilities." And frankly, you may get into just as much trouble for not being able to prove that the data on a lost or stolen laptop is protected as for failing to protect it in the first place. These verification capabilities may be provided by the data encryption software that you selected, but they can also be provided, or provided better, by a mobility management platform (which will be discussed later in this white paper). Delivering Mobility as a Service 6
  • 9. White Paper > Data Encryption Design for Minimal User Impact You should design the solution to have the minimum interaction with end users apart from displaying warning messages and alerts. Little or no action from end users should be required to implement or update the solution, and users should not be able to change any encryption parameters or the way in which data encryption is applied to attached devices. Users must not be able to uninstall the software by using the Windows Control Panel or deleting program files. Also, users must not be able to prevent the encryption software from executing by using the Windows Services Manager or Task Manager features. 3. PREPARING AND CONFIGURING THE SOFTWARE Prepare the Infrastructure At this stage in the process you make changes to the infrastructure so that your data encryption solution can be integrated into it. This may include changes in firewall and proxy server settings, adjustments to backup processes, and integration with an enterprise directory. Many data encryption products work best on defragmented disk drives, so a best practice before encryption is to run the defragmenter on disks to clean up bad sectors. You should also delete all temporary Internet files on the laptops, since you won't want to encrypt them. Finally, you should identify the corporate images of your laptops and reduce them to the smallest number possible. You will find it much easier to administer your environment if there are relatively few variation in the images. Configure the Data Encryption System If you are implementing the solution yourself you will need to purchase, install and configure an encryption server. You will also need to configure the data encryption clients to encrypt files and drives based on the designs you created earlier. 
If you are using a "Mobility as a Service" provider like Fiberlink you will not need to install the server or server software, but you will want to work with them to develop and implement your encryption policies.

Run an Alpha Test

We strongly recommend running an "alpha test." This means deploying the solution on a limited number of laptops belonging to the IT staff. Often this uncovers critical issues like incompatibilities between the data encryption package and other software being used in the organization (for example the backup and recovery application).
4. ROLLING OUT THE DATA ENCRYPTION SOLUTION

The last phase of the process is to deploy the solution. As mentioned earlier, it is critical to train end users and support staff so that they understand the justification for the project and know what to expect.

Start the roll-out itself with a "beta test" of 10-30 non-IT employees using standard corporate images. This testing will uncover not only any remaining technical problems, but also issues related to user understanding and acceptance. Document the lessons learned and make changes accordingly.

When the "beta test" is complete, you should roll out the solution to the rest of the organization in phases. This can be on a department-by-department basis. If you are deploying a file/folder encryption or hybrid encryption solution, then another approach we like is to start by encrypting only a few critical files or types of files, and then ramp up to encrypting all of the targeted files.

You should schedule checkpoints throughout the deployment phase to document the status of the process and make mid-course corrections. At the end of the roll-out you should update the requirements documents and process plans to include new information gathered and lessons learned. These will help you when it is time to expand or upgrade the data encryption solution. Finally, you should provide a written report to management that describes the results of the process and compares them with the success criteria you determined at the beginning of the process.

Although the processes described here involve a lot of work, it is good to keep in mind that a well-managed data encryption implementation is much less painful than notifying thousands of customers or employees that their personal data has been exposed because someone lost a laptop.
A MANAGEMENT AND REPORTING PLATFORM FOR DATA ENCRYPTION

As noted earlier, rolling out data encryption is only half the battle. Administrators need tools to monitor the deployment of encryption across the organization, to document the status or health of the software on mobile and remote systems, and to identify and remediate problems. Sometimes these tools are provided by the data encryption vendor, but frequently these tools are not reliable when systems are out of the corporate office (as shown by the GAO report excerpts quoted in Figure 3 above).

STATUS AND ACTIVATION REPORTS

Figure 4 illustrates the type of reports that can help administrators track the progress of a rollout. These reports show information like how many systems have been successfully encrypted, how many have encryption installed but not active, how many systems have no encryption at all, and what different encryption products are being used.

Figure 4: Summary reports track the progress of encryption deployments across an organization

The information in this report is obviously helpful for initial deployments of data encryption solutions, but it also helps the organization track progress over time and keep on top of events when user populations change (for example because of acquisitions or rolling out encryption to new departments). And versions of this report can be used to show managers and auditors progress over time toward 100% compliance.

Figure 5 is an example of an activation report that drills down to individual systems to show exactly which devices have been encrypted and which have not.
Figure 5: An activation report shows which systems have not been successfully encrypted

This type of information allows administrators to go right to the unencrypted systems and troubleshoot the problem.

POLICY ENFORCEMENT AND REMEDIATION

Finally, if the mobility management platform includes software on the mobile device, the software may be able to remediate some problems. This often means automatically restarting the data encryption software if it has been turned off by the user, or a virus, or some other piece of software on the system. Figure 6 shows a policy enforcement dashboard; the second graph in the left-hand column shows the policy enforcement and remediation actions that have been taken during the last 7 days, which in this example includes 435 automatic "Application Started" actions.

Figure 6: This policy enforcement dashboard shows that 435 "Application Started" actions have been taken in the last 7 days

Automatic remediation actions can reduce the number of expensive calls to the help desk and reduce the time the IT staff spends diagnosing and fixing problems on remote systems. This can be particularly valuable during the rollout period for a new data encryption product.
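The three reports described above (the Figure 4 summary, the Figure 5 activation drill-down and the Figure 6 seven-day remediation tally) can be produced from the per-laptop records a management agent collects. The following script is an added example, not Fiberlink or MaaS360 code; the inventory records, the remediation log, the field names and the product names are all constructed for illustration.

```python
"""Encryption deployment reporting over a constructed laptop inventory (added example)."""
from collections import Counter
from datetime import date, timedelta

# Constructed inventory: one record per laptop, as an agent might report it.
# Field names and product names are assumptions, not any vendor's schema.
INVENTORY = [
    {"host": "lt-001", "product": "VendorA", "installed": True, "active": True},
    {"host": "lt-002", "product": "VendorA", "installed": True, "active": False},
    {"host": "lt-003", "product": None, "installed": False, "active": False},
    {"host": "lt-004", "product": "VendorB", "installed": True, "active": True},
    {"host": "lt-005", "product": "VendorB", "installed": True, "active": False},
]

# Constructed remediation log: (date, host, action) entries written by the agent.
TODAY = date(2009, 7, 1)
ACTIONS = [
    (TODAY - timedelta(days=1), "lt-002", "Application Started"),
    (TODAY - timedelta(days=3), "lt-005", "Application Started"),
    (TODAY - timedelta(days=9), "lt-001", "Application Started"),  # outside the 7-day window
]


def summary_report(inventory):
    """Figure 4 style counts: encrypted, installed-but-inactive, no encryption, products."""
    encrypted = sum(1 for r in inventory if r["installed"] and r["active"])
    inactive = sum(1 for r in inventory if r["installed"] and not r["active"])
    missing = sum(1 for r in inventory if not r["installed"])
    products = Counter(r["product"] for r in inventory if r["installed"])
    return {"encrypted": encrypted, "installed_inactive": inactive, "unencrypted": missing,
            "products": dict(products),
            "compliance_pct": round(100 * encrypted / len(inventory), 1)}


def activation_report(inventory):
    """Figure 5 style drill-down: every host that is not successfully encrypted, with the reason."""
    return [(r["host"], "not installed" if not r["installed"] else "installed but not active")
            for r in inventory if not (r["installed"] and r["active"])]


def remediation_counts(actions, today, days=7):
    """Figure 6 style tally of automatic remediation actions taken in the last N days."""
    cutoff = today - timedelta(days=days)
    return Counter(action for when, _, action in actions if cutoff <= when <= today)


if __name__ == "__main__":
    print(summary_report(INVENTORY))
    for host, reason in activation_report(INVENTORY):
        print(host, reason)
    print(remediation_counts(ACTIONS, TODAY))
```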
MORE ON MOBILITY MANAGEMENT PLATFORMS

Fiberlink is the world's leading provider of "Mobility as a Service." "Mobility as a Service" means enabling productive, secure mobile work by delivering and managing mobility-related technologies as hosted services. In practice this means offering a wide range of connectivity and security products, and allowing organizations to use Fiberlink's global web-based infrastructure to deploy and manage them. For example, with Fiberlink's services enterprises can deploy and manage not only data encryption packages, but also anti-virus and patch updates, data loss prevention (DLP), media encryption and port control (USB control), backup and recovery, VPNs and other security technologies.

Fiberlink's MaaS360™ Visibility, Control and Mobile services provide visibility into laptops and remote devices and help administrators control software and security on those devices. These services are based on the MaaS360™ Platform, a unique cloud-based platform that provides a single portal for IT operations and security personnel to monitor and manage laptops and remote systems.

Fiberlink also offers connectivity and remote access services, so mobile workers can connect with the Internet and corporate networks anywhere, using one standard user interface for all connection types (including Wi-Fi, 3G mobile data network, corporate WLAN, broadband and dial-up).

Enterprises that utilize Fiberlink's Mobility-as-a-Service offerings can speed up the deployment of new mobility-related technologies, reduce the cost of managing those technologies, improve security, increase the satisfaction of mobile workers, and streamline the collection of compliance data for audits.

For more information on Fiberlink's MaaS360 Visibility, Control and Mobile services and Fiberlink's Security Services, please see Fiberlink's home page and related pages on the web site.
FOR MORE INFORMATION

For more information on Fiberlink's technology and services, contact Fiberlink at:
1787 Sentry Parkway West, Building 18, Suite 200; Blue Bell, PA 19422
Phone 215.664.1600; Fax 215.664.1601
www.fiberlink.com

0823-0709