Encryption – the double-edged sword
Way back in the mid-90s my wife worked for Digital Equipment Corp (DEC). Not many of my readers may remember DEC – a computing powerhouse during their heyday. In any case, my wife left DEC in 1998. Almost 8 years later, in 2006, she received a communication from Hewlett Packard (HP) about employee data they had lost. It turns out HP was reaching out to all current and former employees to make amends.
As it turns out, soon after my wife left DEC, they were acquired by Compaq – another company many of our readers may not know or remember. Compaq was a PC manufacturer who used to compete with IBM during the initial days of the Personal Computer and later on with newcomers like DELL. Compaq was later acquired by HP – which brings us to why HP was compelled to send my wife a communication.
An employee of Fidelity Investments – which administered retirement plans for HP employees – had lost their work laptop. They had left the laptop in a car, unattended, while the employee hopped out to grab dinner at a restaurant. When the employee returned – the laptop was gone, and along with it, the personal details of HP’s employees – current and former.
HP was compelled to write to every one of their employees, current and former, and confess to the loss of their data. And as a means to protect against identity theft, HP offered every one of them free credit monitoring services for 2 years. Must have cost them quite a bundle!
Benefits and Types of Encryption
The benefits of Encryption
We tend to write about data protection and backups here a lot – but we would be remiss to not discuss encryption – another fundamental way to protect data. Where backups protect against “data loss”, encryption can protect against “data leaks” and ensure data privacy.
The Fidelity/HP situation was completely avoidable – and most large enterprises will never get themselves into that type of tangle anymore. Most enterprise laptops today run Full Disk Encryption (FDE) software – which protects the laptop when the data is at rest. This means that unless an authorized user authenticates to the laptop, the data on the laptop’s disks is encrypted using a strong algorithm like AES-256 or similar. So, a stolen laptop won’t do the thief much good – since they can’t read or access any of the data.
Types of Encryption
Encryption, at least for the purposes of protecting laptop data, comes in 2 important forms.
There is Full Disk Encryption of the type we discussed above. Good examples are Windows BitLocker, Symantec’s PGP, or McAfee’s SafeBoot product. These operate by encrypting the data at the volume (or file system) level. Full Disk Encryption offers several advantages. It is a “set and forget” type of software. Once it is installed and operational – there is little that administrators or end-users have to do. It works automatically. It eliminates human error because it doesn’t depend on the user to decide what to encrypt and what not to. It just encrypts everything.
FDE solutions are quickly replacing ‘remote wipe’ technologies that were in vogue as a means to protect against lost laptops. Remote wipe didn’t work most of the time anyway because it relies for the most part on the stolen laptop reappearing on the network (and most smart thieves don’t allow that to happen). And why go through the trouble of ‘wiping’ a computer remotely when the data on it is already rendered inaccessible?
But, Full Disk Encryption won’t help much if someone gains access to your laptop after you’ve logged in. Once a user authenticates into the laptop, the volumes are decrypted and available for use. Due to this all-or-nothing approach to encryption, full disk encryption arguably offers limited compliance with regulations such as GDPR, PCI-DSS or HIPAA.
Another type of encryption is File & Folder Encryption (FFE). In this type of encryption, users can selectively decide which files and folders to encrypt, and unlock them when needed, using a passphrase. FFE in some ways is more secure because it can protect against situations where an intruder gains access to a laptop that’s already authenticated into. Without a passphrase, such an intruder may still not be able to access sensitive data.
But FFE has its own disadvantages. It places a significant burden on the user to decide what to encrypt and what not to. It is less automatic, which increases the chances of human negligence or error. Also, it protects only file contents. It cannot protect filenames and folder paths – which will still be visible to a potential attacker.
When Encryption goes rogue
Encryption can cut both ways though. The same technology which has the potential to benefit you so much, can also cause you serious harm. Ransomware is a case in point – where encryption technology is used by attackers to work AGAINST you. Once your data is encrypted by ransomware, your laptop is practically ‘bricked’.
Sometimes FDE solutions can unintentionally result in ‘bricked’ laptops too. One possibility is a user who’s forgotten their authentication credentials or password. Another is buggy FDE software. A third and common reason is a hard disk or OS that gets corrupted. Typically, it is possible to recover from such a scenario by booting into the OS using a ‘recovery’ route – but FDE will simply not allow that – essentially rendering your laptop bricked.
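The forgotten-password and corrupted-OS scenarios above are survivable only if a recovery key exists and has been escrowed somewhere other than the locked laptop. The following audit is an added example written for this post (it is not from the original article or from any vendor mentioned in it); it assumes a Windows endpoint with the built-in BitLocker PowerShell module and an elevated session, and the function name `Get-BitLockerRecoveryAudit` is hypothetical.

```powershell
# Added example: list every BitLocker volume and flag the ones that would be
# unrecoverable (no RecoveryPassword protector) or that are not actually
# protecting data (ProtectionStatus other than On).
function Get-BitLockerRecoveryAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # RecoveryPassword protectors are the 48-digit keys that unlock a volume
        # when the normal unlock path (TPM, PIN, user password) is broken or forgotten.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeStatus         = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            ProtectionStatus     = $vol.ProtectionStatus   # On / Off (Off = key is exposed in the clear)
            EncryptionMethod     = $vol.EncryptionMethod   # e.g. XtsAes256
            RecoveryProtectors   = $recovery.Count
            RecoveryProtectorIds = ($recovery.KeyProtectorId -join ', ')
            # A volume needs attention if it is not protected, or protected but
            # has no recovery password to fall back on.
            NeedsAttention       = ($vol.ProtectionStatus -ne 'On') -or ($recovery.Count -eq 0)
        }
    }
}

# Run the audit and show only volumes that need follow-up.
Get-BitLockerRecoveryAudit | Where-Object NeedsAttention | Format-Table -AutoSize
```

For a protected volume that reports zero recovery protectors, `Add-BitLockerKeyProtector -MountPoint <drive> -RecoveryPasswordProtector` creates one, and `Backup-BitLockerKeyProtector` (Active Directory) or `BackupToAAD-BitLockerKeyProtector` (Entra ID) escrows it using the protector ID the audit prints.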
Back Full Circle – you still need backups
The best way to protect yourself when encryption goes rogue is – you guessed it – “backups”. Reliable and safe backups are always important, and even more so when you are using FDE. FDE solutions are a great way to protect against data leaks – and you should definitely implement something along the lines of Windows BitLocker. But be sure to supplement it with a reliable endpoint backup solution like Parablu’s BluVault.
To know more about BluVault, and other solutions we build at Parablu, write to us at firstname.lastname@example.org and learn more.