Being told that one of your employees just lost their laptop can instantly wake you up to the reality that your data is not safe and that you may just have been compromised. If you are like me, losing a laptop brings the same feeling as a hard drive failure on a personal computer. My thoughts immediately turn to the data that was on that drive and whether I had a current backup, or any backup at all. Next, I think about the consequences of unauthorized access to the data and of it being used for wrongful purposes.
An organization's thought process is much like this personal scenario. The immediate questions asked are: Whose laptop has gone missing? And what data did they possess? Secondly, questions surrounding the restoration of the data through a backup are discussed in order to get the employee's productivity back up to a desired level.
Now the adventure begins. Was the laptop encrypted? Do I need to disclose the loss of data to the outside world and what would the repercussions be to me and my organization if I did?
Upon the loss of a notebook, a typical organization asks the following questions.
How did the notebook go missing, and is there anything we can do to stop it from happening again?
Organizations now start to analyze their security practices and processes. They try to determine whether they need to buy any software or hardware, such as encryption, to protect their data, and they review their existing security measures. If the organization subscribes to ISO 27000 standards, they now turn to ISO 27001, which formally defines the mandatory requirements for the overall management and control framework regarding an organization's security risks. They will also review their ISO 27002 standards, in relation to ISO 27001, to establish a code of practice and guidelines for protecting sensitive data within their enterprise.
Was the notebook encrypted?
Given the amount of attention that privacy and security regulations around the world have brought to data breaches, the above question is probably one of the first to be asked. The reason lies in the exemption clauses found under most data breach notification conditions within privacy and security regulations. In most cases, if you encrypt the media upon which the data resides in adherence to the exemption clauses, then you will not be required to disclose a potentially embarrassing data loss. The number of enterprises complying with these regulations may surprise you. In recent surveys, approximately 38% of organizations employ encryption to protect sensitive data on their laptops, and out of those only 44% are able to prove that their laptops are encrypted. The lesson learnt here is that organizations should take the encryption of their laptops just as seriously as they take the backup of the same data. An organization would never think of going without a comprehensive data backup plan, and it should likewise formulate a comprehensive data encryption plan to secure sensitive data regardless of where it may reside, including laptops, USB flash drives, external storage drives, SD cards, and CDs/DVDs.
Is there any way to find out where that laptop is now?
In some cases, organizations want to know if they can track the location of the missing laptop in question. They do so not necessarily to recover the laptop, but to determine whether there are any other measures they need to take to further protect themselves. For example, did the recently fired employee take a laptop home, and are they holding it ransom for severance? Did the contract worker who was in last month take a notebook? Did an employee steal it? Each of these conditions may provoke a different set of responses and measures that an organization may want to execute in order to protect itself legally and protect the data that may be exposed. An encrypted notebook taken by an unauthorized individual may have its sensitive data copied to other devices before it is discovered and returned, so enterprises may want to think about measures to protect themselves even if the laptop is recovered.
What else can be done to the laptop now that it is not in our possession?
To answer this question, I turn to recent technology released by Intel® in its latest platform release, code named Calpella. Intel®'s Anti-Theft Technology now enables some encryption ISV vendors to issue a poison pill to a laptop that has been identified as lost or stolen. This poison pill can be issued to a laptop whether or not it is connected to the internet / LAN and performs two primary functions. It disables the platform and performs an encryption data disable. The first function disables the platform to deter thefts from happening in the first place. A nice new shiny laptop is always a target, just like car stereos used to be before anti-theft mechanisms were introduced. The second function further protects the sensitive data on the laptop. By performing an encryption data disable, a would-be thief would not be able to gain access to an encrypted laptop even if they were in possession of the pre-boot authentication method (password, smartcard, USB token, etc.). Because stolen laptops are usually in a carrying case that sometimes contains a password written on a piece of paper, a smartcard tucked into one of its pockets, or a USB token necessary to gain access to the laptop, the ability to deny a user access, even if they had the correct credentials, is very useful.
It is generally accepted that, for most organizations, the real value in a laptop is the data, not the hardware. With new security technologies including Intel's Anti-Theft Technology and self-encrypting drives (SEDs), the ubiquitous protection of data through encryption is around the corner. Evidence of this can be found with hard drive manufacturers who state that they will be shipping only SEDs compliant with the Trusted Computing Group's Opal standard within three to five years. And indeed, it will only be a matter of time before the encryption of data is a normal practice just like backing up data.
Joseph Belsanti is the Vice President of Marketing at WinMagic Inc., a leading global provider of full-disk encryption solutions protecting data on laptops, USB thumb drives, and CD/DVDs. In addition to data security solutions, he has been marketing and selling in the fields of IP Address Management (IPAM), and E-services (CRM, E-procurement, Web Services and E-business).