Simple hardware approaches to secure laptops

Users are increasingly buying laptops and netbooks, attracted by their portability and low prices. The inevitable result is more employees bringing personal laptops into the office, where they are used to access and store corporate data. Here are some ways to mitigate the risks of data breaches.

As evidenced by recent cases of mega data breaches, properly securing portable computers is problematic even for bigger organizations. In addition, the advent of low-cost laptops and netbooks has resulted in a proliferation of such devices as consumers flock to them. The inevitable result is that these users will demand to be allowed to use these machines to access work-related data and networked systems. Indeed, shipments of laptops have already overtaken those of traditional desktops, further increasing the urgency of this issue.

There is no doubt that some very fancy - and expensive - enterprise-grade solutions exist. But in a time of economic uncertainty, the pertinent question has to do with how a corporation can quickly and easily enhance the security of these personal laptops with a limited budget.

I look at a few easy-to-deploy hardware-based solutions here.

Full disk encryption with Trusted Platform Module

One obvious solution for a company sourcing new laptops would be to specifically request hardware with full disk encryption (FDE) hard disks that are secured by an on-board Trusted Platform Module (TPM) chip. Hardware-based encryption coupled with a hardware-anchored authentication mechanism makes for an unbeatable combination in terms of security.

It must be pointed out, though, that FDE does nothing to mitigate the risk represented by service personnel with temporary access to a system. This is best exemplified by the case of Hong Kong-based actor Edison Chen, who had service personnel pinch a whole bunch of scandalous photos showing him being intimate with various actresses when his personal laptop was sent in for servicing. The scandal cut short his acting career in Hong Kong. As such, any FDE-related solution only makes sense if servicing is done by in-house IT personnel.

However, I must say that the security administrator is not all that likely to be fortunate enough to encounter this "perfect" combination of hardware in a laptop at this point in time, which moves us to the next option.

FDE hard disk drive

Recent developments have seen a major vendor shipping its third generation of FDE hard disk drives that are also sold directly to consumers. The newest Seagate Momentus FDE is unique in that it comes in two modes: one is targeted at the enterprise, with firmware that works with special management software, such as McAfee's ePO, to configure and manage drives.

On the other end, there is a BIOS mode, where a BIOS-level password is used to authenticate the user before the computer is started. This opens the door for organizations to easily retrofit Momentus drives into existing laptops. The obvious advantage here is that the encryption is OS-independent, with the hard disk drive writing at full speed.

As such, if budget permits, swapping out the standard hard disk drive in laptops with Seagate's Momentus FDE in BIOS-level protection mode makes perfect sense. Where there are budgetary constraints, or where users are not agreeable to such a move, the next hardware-based solution would be to get users to rely on encrypted flash drives.

Encrypted flash drives

A more moderate and less invasive approach here would be to issue personal flash drives with on-board authentication and encryption. This means that all data on these flash drives is encrypted on-the-fly as it is copied in. The drives will only be "unlocked" and made accessible upon furnishing the correct password.

Now, encrypted flash drives have been around for a while. The IronKey might be one such option for your consideration, though similar devices are now widely available on the market. It is important to note that many cheaper variants might not actually offer hardware-based encryption, or have blatant gaps in their authentication mechanism that effectively nullify their security mechanism.

Obviously, user training will be required, especially since the drive capacities for such specialized flash drives are still relatively low at between 4GB and 8GB. However, I believe it will be relatively easy to train even novice users to recognize that only data on the encrypted flash drive should be considered secure. Another added advantage would be that users will become more conscious of following backup procedures as well, making it the best compromise between options.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

10 comments
Devin_Stuart

I use a SanDisk Cruzer Enterprise flash drive and it's great, there's 2 factor authentication in one tiny package.

Slamlander

I use pen-drives and install NTFS compressed/encrypted file system on them. The private-key is provided by a combination of Active Directory + the localhost security key. That pen-drive will not be readable outside of the domain.

ehorwitz1

Interesting idea. Please forgive my ignorance, but how does that work if the user is in a hotel room and wants to work locally on their files? If they're not connected to your network (VPN or whatever), what happens?

Slamlander

I always have my laptop and NEVER log on to a system that I don't own or completely control. I use pen-drives for ad hoc backups.

steve6375

Isn't there a security flaw here? Although the hard disk may be strongly encrypted internally and locked for access, all that is required (assuming the whole notebook has been stolen) is to crack the BIOS HDD password. These are usually 6-8 characters (usually only alphanumeric allowed) - so 128-bit or 256-bit HDD encryption is really over the top when you just need to crack the 8 character user password to unlock it. Once unlocked, just keep the power applied and connect it to another computer to pull off all the files.

techrepublic@

That is my standard disk encryption setup. It is better than just a one password challenge. Password can be brute force guessed or spied on. If someone wants to get my data it has to get the disk, the USB token and the password to unlock it. It ups the difficulty a notch or two.

paulmah

Just curious what happens if you lose the USB token, or it stopped working? I'm assuming you have a back-up piece stashed safely away?

techrepublic@

I have several backups of the USB token just in case the one I use fails. Forgetting the pass phrase worries me more so some of the backups can be unlocked using a special long pass phrase that I can easily remember.

---TK---

But how many thieves do you know that even know how to turn on a computer? I mean, what percent of the population can beat that encryption? My guess is about 5% of the world population...

ehorwitz1

Laptop security is generally broken down into two categories: physical access and data access. If the thief doesn't have physical access they're less likely to get at your valuable data. Since the article is addressing only data protection (which is the more important aspect of a laptop theft) I'll ignore the question of physical security. I don't know the profile of the "average" or typical laptop theft. Is it a theft of opportunity (laptop left on the front seat of an unlocked car, and soon to be black marketed or headed for a pawn shop) or industrial espionage - someone specifically trying to steal information from the company? An older Gartner informal survey claims only about 10-15% of laptop thieves intend to sell the data. If the vast majority of thefts are simple hardware theft for resale then the BIOS password option is good enough. But I wonder... Anyone who'd steal a laptop might have friends who would help them get it working. A BIOS password might be a nice, simple challenge? Then what? If you really are concerned about data security, I'd agree the BIOS password for a secured drive is not adequate. For most of us, simply keeping the laptop from getting stolen in the first place is adequate security. Very good article, and well thought out. I'd like to hear more on this including more options for data security.
