Mobile devices and security: Plug the leaks, then encrypt

Encryption of laptops and other mobile storage devices is no longer an option. However, there is a right way (keep job) and wrong way (dust off resume) to implement encryption. Encryption should be a follow-up control to plugging data leaks.

Mobile devices are running into organizations faster than ants to a picnic. There are two security challenges associated with this onslaught: access and data leakage. This week, we’ll look at data leakage and the business challenges associated with protecting wandering information.

Data leakage

The fundamental issue underlying protecting information on mobile devices is data leakage. If users didn’t copy sensitive information to their phones, laptops, thumb drives, and other devices with abandon, controlling for breaches would be much simpler.

My definition of data leakage is simple; it is the moving/copying of information from a place of acceptable trust to one of lesser or absent trust. In other words, placing data in a location with insufficient controls to adequately protect it.

Figure A depicts many of the ways users have found to leak data.  If we want effectively to keep our information from spreading into the wide unknown, we have to take steps to plug some of these leaks.

Figure A

Policies are a great start. Many organizations still haven’t updated acceptable use policies to include appropriate mobile device use. Of course, a monitoring solution should check to see if users actually read and adhere to the applicable policies. In addition, use of technology to prevent unwanted behavior is another risk mitigation control. This is where DLP (data loss prevention) and e-discovery solutions can help.

DLP controls are placed at two layers: network and host. The network layer is used to detect movement of data of interest across the network. However, the best way to prevent the kinds of leaks shown in Figure A is to use host-based DLP.

Host-based solutions block data from being moved to local storage, encrypt as necessary when local storage is allowed, and allow the administrator to monitor and restrict use of mobile storage; they also can block it altogether. If a user doesn’t absolutely need mobile data, don’t let him or her copy anything to CD, DVD, USB drive, etc.  And the argument about having to work at home often isn’t valid, especially if human resources (HR) has taken up the standard that working at home violates state employment guidelines for things like overtime pay.

Another method of controlling access to mobile storage via a desktop is with Active Directory group policy.  The necessary .adm file is available for free from Microsoft. Instructions on how to use it are contained in the document, Guide to Preventing Information Leaks , Section 3: Restricting the Use of Removable Storage Devices. The document also contains information on containing leaks to many of the locations shown in Figure A.

e-Discovery solutions can locate sensitive data in shares or private folders across the enterprise.  Many vendors have added alerting or auto-moving capabilities when sensitive information is found in low-trust locations.  See Prepare for E-Discovery Requests for more information on using e-discovery solutions to detect data leakage.

Creating a data leakage prevention strategy starts with answering the following questions (Olzak, 2010, :

  • Does the organization prohibit storage of files on desktops?  Does it redirect file saves to network storage devices (e.g. file servers and network attached storage)?  If Windows is used on the desktop, is the My Documents folder redirected to network storage?
  • Do reporting or data warehousing solutions allow the distribution of sensitive data to end-user devices?  Do they have to?  Is there another way to provide this information (e.g. Web portal)?
  • Does the organization encrypt sensitive data stored on mobile storage devices, including laptops?
  • Does the organization have a solution in place to monitor for and alert on instances where sensitive data is moved to or stored in areas where security controls are not adequate?
  • Do policies exist to govern the safe use of printers and faxes?
  • Does the organization provide secure receptacles for discarded paper forms, reports, and other hardcopy formats containing sensitive data?  Is secure disposal governed by policy and enforced by management?
  • Does the organization have a process for disposing of electronic or optical media?  Is secure disposal governed by policy and enforced by management?
  • Does the organization “manage by spreadsheet”, keeping large amounts of sensitive data in shared or distributed files that are not backed up or safeguarded from theft?
  • Is email monitored for content, alerting on potential sharing of sensitive data via insecure media?

However, the Microsoft document, and common sense, recognizes that no matter what we do, users will find a way to get data onto mobile storage. This is where encryption can help.

Encryption as a follow-up control

First, let’s be clear. Encryption is a follow-up control to those used to prevent leakage. The security axiom that you only have to protect what you have is still alive and well. So encryption is a solution to protect information that absolutely must, without a doubt, have to reside on a laptop, USB drive, etc.

There are two ways to encrypt data in a storage device: by folder/file or by encrypting the entire device. Using the folder/file approach often relies on user behavior to place the information in the proper location on the partially protected device or on encrypting the file copied. Relying on user behavior is never a good idea.

If you implement host-based DLP, consider selecting a product that automatically encrypts sensitive information it finds in local storage or moving to a mobile storage device connected to the host.

My preferred method is encryption of the entire device, enforced with pre-boot authentication (PBA) when protecting laptops. Windows 7 Enterprise has made this pretty easy to enforce with Bitlocker to Go. However, large companies typically need a better way to control full-disk encryption for laptops.

Security managers should consider the following challenges when selecting the company’s laptop encryption solution:

  • Key management. If you want your user to access encrypted information when a password is forgotten, or if you want to access critical information on a laptop after a user leaves the company, centralized key management is very, very important.
  • Password reset management. In a perfect world, users never forget their passwords.  However, I haven’t found that world yet. So it is important to ensure any encryption solution you select provides a way to help users reset their passwords no matter where they, and their laptops, happen to be at the moment. This is often accomplished by exchanging codes provided by both the inaccessible laptop and the encryption support application.
  • Performance. Test your applications with any potential encryption solution. The best way to do this is via a limited pilot. There is always a performance hit with full-disk encryption.  However, it shouldn’t cause your users to send you hate mail.
  • Cost. In addition to acquisition and implementation costs, there are often hidden soft costs associated with enterprise encryption. Before purchasing, talk with other users of the solution.  How many FTEs (full-time employees) does it take to manage and support the software and underlying infrastructure?
  • Password policies. Finally, ensure the solution under consideration supports password policies like those you enforce with Active Directory or other authentication mechanism. In fact, a change to either the PBA password or the AD password should change the other. Remember that one of the biggest weaknesses in full-disk encryption is weak passwords. It doesn’t matter how strong your encryption is if the attacker guesses the password. Strong passwords supporting a laptop biometrics scanner can build a high wall between the data and an attacker.

The final word

Encrypting laptops and other mobile storage is not an option anymore.  So I’m not suggesting that you don’t need encryption if you implement anti-leakage controls.  However, the risk of losing data is significantly mitigated if there is less information exposed.

When you do encrypt, be sure to involve all stakeholders, including business users. Encrypting mobile devices can introduce another level of complexity into the lives of otherwise happy employees.  Make sure to minimize the complexity with an eye on maintaining the business.

By Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...