FIBERLINK. Best practices for successfully deploying and managing data encryption on laptops. Delivering Mobility as a Service

Transcription

1 FIBERLINK DATA ENCRYPTION IS HARD TO DO Best practices for successfully deploying and managing data encryption on laptops Delivering Mobility as a Service

2 Contents DATA ENCRYPTION IS HARD TO DO...1 The GAO Report on Federal Agency Encryption Efforts...1 What Can Be Done?...2 BEST PRACTICES FOR DEPLOYING DATA ENCRYPTION...3 Determining the Objectives and Selecting the Technology...3 Planning the Project and Designing the Solution...5 Preparing and Configuring the Software...7 Rolling out the Data Encryption Solution...8 A MANAGEMENT AND REPORTING PLATFORM FOR DATA ENCRYPTION...9 Status and Activation Reports...9 Policy Enforcement and Remediation...10 More on Mobility Management Platforms...11 Delivering Mobility as a Service ii

3 Data Encryption is Hard To Do Data encryption has become a "must-have" technology for businesses, government agencies, healthcare organizations, and other enterprises. Magazines and web sites are filled with news stories about stolen laptops containing thousands, or even millions, of confidential records (Figure 1). Every organization must assume that a certain number of laptops will be lost each year. And data encryption is the best available technology to prevent the loss of confidential data when laptops and mobile devices are lost or stolen. But to paraphrase the old song: "Data Encryption is hard to do." First, it can be difficult to deploy successfully. Second, even when it is appears to have been deployed successfully, many organizations lack the management tools to ensure that the encryption solution is in fact functioning properly. Figure 1: Headlines about stolen and lost laptops The lack of management tools is important not only from the point of view of maintaining good security, but also because organizations could potentially fail audits if they cannot prove that their data encryption solution is performing as planned THE GAO REPORT ON FEDERAL AGENCY ENCRYPTION EFFORTS The challenges of deploying and managing data encryption on remote devices are illustrated in a recent report from the United States Government Accountability Office titled "Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, But Work Remains." (Figure 2) The GAO auditors found that despite directives dating back to 2006 to deploy data encryption only 30% of data was actually encrypted: " the major agencies collectively reported that they had not yet installed encryption technology...on about 70 percent of their laptop computers and handheld devices." A second finding was noted by Computerworld's Frank Hayes: "...The GAO also found that, in many cases, even the devices believed to be encrypted had problems. Sometimes the encryption wasn't actually installed. Or it wasn't configured correctly. Or it hadn't been turned on." Figure 2: The GAO report on encryption efforts by US federal agencies Two examples of this type of finding are quoted in Figure 3. 1 The GAO report is available at: See also: 2 Frank Hayes, Frankly Speaking: Encrypting end user data is tough to do, Computerworld, August 4, See also: Delivering Mobility as a Service 1

4 "At the National Aeronautics and Space Administration (NASA) location we tested, we confirmed that the agency's selected FIPS-compliant encryption software had been installed on 27 of 29 laptop computers. Although the agency asserted that it had installed it on all 29 laptops, officials explained that they did not have a mechanism to detect whether the encryption product was successfully installed and functioning." (page 30) "...a component of the Department of Agriculture had not effectively monitored the effectiveness and continued functioning of encryption products on 5 of the 52 laptop computers that we examined. Agency officials were unaware that the drives of these devices had not been correctly encrypted and the agency had no mechanism in place to monitor whether the installed product was functioning properly." (page 31) Figure 3: From the GAO report: "no mechanism in place to monitor...the installed product" Evidently even rocket scientists can be challenged by information security. And unfortunately, while 93% and 90% compliance might be satisfactory in some situations, GAO and other auditors are not likely to be happy with a 7%-10% failure rate on systems that management thought were already protected (not to mention the 70% of systems that were known not to be encrypted yet). WHAT CAN BE DONE? The GAO report provides ample evidence that data encryption is not easy to deploy or manage, even for highly motivated organizations. However, there are: Best practices that can significantly improve the success rate for rolling out data encryption technology. Management tools that can give administrators visibility into encryption status on mobile devices. Fiberlink is a "Mobility as a Service" provider that helps customers deploy and manage a wide range of security and connectivity solutions on laptops and PCs. In this white paper we will discuss deployment best practices for data encryption developed by our Professional Services organization. Then we will briefly outline how Fiberlink's MaaS360 Visibility, Control and Mobile services can help customers report on and manage encryption solutions on mobile devices. Delivering Mobility as a Service 2

5 Best Practices for Deploying Data Encryption Fiberlink's Professional Service organization finds that data encryption deployments are often undermined by problems such as: Incomplete understanding of the capabilities and limitations of the data encryption solutions selected. Lack of the right personnel on the implementation team. Inadequate planning and testing during the roll-out. To avoid these we will discuss best practices and pitfalls for four phases of the process: 1. Determining the objectives and selecting a data encryption technology 2. Planning the project and designing the solution 3. Preparing and configuring the software 4. Rolling out the solution. 1. DETERMINING THE OBJECTIVES AND SELECTING THE TECHNOLOGY Many organizations run into trouble early because they don't explicitly analyze the objectives (and constraints) of their data encryption project. What needs to be protected? An obvious place to start is to clarify exactly what needs to be protected: What types of sensitive information are found on laptops? Customer and employee records, financial information, business plans, research reports, software code? In what types of files is this information stored? Spreadsheets, database files, word processing documents, slide presentations, html files, software executable files? Whose laptops need protecting? Key executives, the sales force and field consultants, all employees, contractors, business partners? Who owns the laptops? Your organization, your employees, contractors, business partners? Is sensitive information being copied to USB thumb drives and other removable media? Compliance and Policies It is also important to understand compliance and corporate policy requirements from the beginning. Is your organization affected by HIPAA, PCI and other regulations? If so, what are the expected security "best practices" for your industry? Widely-accepted federal standards such as FIPS address topics like the control, distribution and management of encryption keys. And data encryption may be one means of enforcing policies of your own organization concerning what information employees are allowed to access and share. You may need to create and distribute new corporate policies. Employees need to understand that data encryption is being implemented to advance justified corporate policies, not to satisfy the paranoid fantasies of the IT security staff. Delivering Mobility as a Service 3

6 Limitations It is also important to understand some of the limitations of data encryption technologies so you don't set expectations that the technology is a panacea for mobile security threats. Data encryption protects data on lost and stolen devices, but it does not block employees from ing sensitive data to outside parties, or prevent a hacker or file-sharing program from opening and transferring sensitive files. You should also be deploying complementary technologies like firewalls, zero-day threat protection packages, and Data Loss Prevention (DLP) products. File/Folder Encryption Products There are three major data encryption technologies on the market today, and selecting the right one for your environment can have a big impact on the success of your project. Many of the first data encryption products on the market were "file" or "file/folder" systems. These encrypt files selected by the user, or encrypt all files placed in folders specified by either the user or an administrator. File/folder encryption solutions are very easy to implement. There are few configuration decisions to be made, and they do not conflict with patching systems, backup and recovery packages and other system software. But most file/folder encryption products rely to some extent on user actions like selecting files to encrypt and saving files to selected folders. Unfortunately, users can rarely be relied upon to follow policies consistently. These technologies also do not encrypt temporary files and swap space, so copies of sensitive files can be found on the system in an unencrypted state. Finally, the IT staff can rarely prove to auditors that all sensitive files on remote systems have in fact been properly encrypted. Full Disk Encryption (FDE) Products Full Disk Encryption (FDE) solutions, as their name implies, encrypt the entire contents of a disk or volume. This includes the operating system and applications as well as data files. Typically these solutions authenticate the user at boot time. Unauthorized users without the password cannot gain access to any code or files at all, making it impossible for them to get around the encryption program. Full Disk Encryption is a mature technology, and is extremely simple to configure, since the only decision is what disks or volumes to encrypt. There is no dependency on users (except to remember their passwords). It also protects the operating system, temporary files and swap space, so sensitive information is encrypted in all its forms. However, initially encrypting the hard drive can be a lengthy process. In some cases users will see slower performance when accessing very large files (although most FDE products have reduced the performance penalty significantly over the last few years). Encrypting the master boot record can make it hard to coexist with backup and recovery programs. And the failure of some sectors on the disk drive can make it much more difficult to recover data. "Intelligent Encryption" Products New "Intelligent Encryption" products combine some of the characteristics of File/Folder and Full Disk Encryption systems. These hybrid solutions resemble File/Folder products in that they encrypt files selectively and do not encrypt the operating system or application software. This reduces the time required for the initial encryption and Delivering Mobility as a Service 4

7 avoids performance issues. In addition, they permit administrators to specify encryption for files of a certain type (say spreadsheets and database files) and files produced by certain applications (say financial and HR applications). This approach ensures that all files of these types are encrypted without relying on the user to save them to specific folders. Finally, hybrid solutions typically do not interfere with backup and recovery, patch management, or strong authentication products. However, to ensure that all sensitive information is protected, you need to know what it is and where it resides. If you do not have a good handle on which files or file types contain confidential information it may be safer to simply encrypt everything using a FDE product. Also, in some situations there are benefits to having the extra level of authentication provided with FDE software. 2. PLANNING THE PROJECT AND DESIGNING THE SOLUTION As with all major IT projects, a solid investment in planning can avoid innumerable headaches in the roll-out phase. Document objectives, requirements and constraints You should document the objectives, requirements and policy issues uncovered so far in the project, and make sure that these are understood and approved by management and by key executives of the user groups that will be affected. While data encryption should not be a significant burden on computer users, it will not be completely transparent either, so everyone needs a clear understanding of why the effort and inconvenience are justified. You also need to identify the scope and the constraints of the project, including the time window available, the budget, and the availability of staff resources. As noted earlier, limits in the budget or staff resources could give you a reason to select a particular data encryption product or to call in the help of a consultant or a managed security services provider. Select the project team A typical data encryption involves multiple teams across the IT organization. You should select a project team that includes members from: The security group The desktop group (or whoever is responsible for laptop hardware and software) The network administration group Subject matter experts in networking and firewalls. Identify infrastructure integration tasks You need to allocate time and resources to integrating your data encryption solution into the rest of the IT infrastructure. Changes to the infrastructure might include: Changes in firewall and proxy server settings. Adjustments to endpoint backup and recovery processes. Integration with Active Directory and other enterprise directories. Delivering Mobility as a Service 5

8 Allocate resources to end user and support training Most data encryption solutions require some changes in the behavior of computer users, so end user resistance is a serious risk. It is therefore critical that you allocate resources and set schedules for educating end users. You will also need to train the help desk and IT administration groups so they can fully support the solution. Define success criteria Many planners neglect to define success criteria for their projects. This task is necessary to limit scope creep during the course of the project and to justify the effort to management at the end. Decide what to encrypt If you are implementing a file/folder encryption or intelligent encryption product then deciding what to encrypt is a critical step. For example, one intelligent product that we deploy allows you to selectively encrypt data: Included in specific file types (for example spreadsheets, databases, or temporary files). Written by specific applications that handle sensitive data for example an accounting application. Written to specific disk drives or removable media. Associated with a specific user (if a system is shared). Design for verification It is critical that you be able to verify that the data encryption software is operating correctly at all times. Then, if a laptop is lost or stolen, you can prove that sensitive data has been encrypted. Therefore: During roll-out there should be a way to verify that the data encryption package has been installed correctly. It is not enough for users to simply report that they have loaded the software on their machines, or for you to send them the software on CD and tell them to install it. You should to be able to perform regular "health checks" to make sure the software is operational and no one has tried to tamper with it. You should be able to verify when laptops were updated and that they are on the latest version of the data encryption product. This information should be captured and stored in a central, auditable log. In many environments these capabilities are mandatory. The FIPS standard specifically requires userindependent verification that the software is operational. The Federal Trade Commission's "Safeguards" document states that companies must "check with software vendors regularly to get and install patches that resolve software vulnerabilities." And frankly, you may get into just as much trouble for not being able to prove that the data on a lost or stolen laptop is protected as for failing to protect it in the first place. These verification capabilities may be provided by the data encryption software that you selected, but they can also be provided, or provided better, by a mobility management platform (which will be discussed later in this white paper). Delivering Mobility as a Service 6

9 Design for Minimal User Impact You should design the solution to have the minimum interaction with end users apart from displaying warning messages and alerts. Little or no action from end users should be required to implement or update the solution, and users should not be able to change any encryption parameters or the way in which data encryption is applied to attached devices. Users must not be able to uninstall the software by using the Windows Control Panel or deleting program files. Also, users must not be able to prevent the encryption software from executing by using the Windows Services Manager or Task Manager features. 3. PREPARING AND CONFIGURING THE SOFTWARE Prepare the Infrastructure At this stage in the process you make changes to the infrastructure so that your data encryption solution can be integrated into it. This may include changes in firewall and proxy server settings, adjustments to backup processes, and integration with an enterprise directory. Many data encryption products work best on defragmented disk drives, so a best practice before encryption is to run the defragmenter on disks to clean up bad sectors. You should also delete all temporary Internet files on the laptops, since you won't want to encrypt them. Finally, you should identify the corporate images of your laptops and reduce them to the smallest number possible. You will find it much easier to administer your environment if there are relatively few variation in the images. Configure the Data Encryption System If you are implementing the solution yourself you will need to purchase, install and configure an encryption server. You will also need to configure the data encryption clients to encrypt files and drives based on the designs you created earlier. If you are using a "Mobility as a Service" provider like Fiberlink you will not need to install the server or server software, but you will want to work with them to develop and implement your encryption policies. Run an alpha test We strongly recommend running an "alpha test." This means deploying the solution on a limited number of laptops belonging to the IT staff. Often this uncovers critical issues like incompatibilities between the data encryption package and other software being used in the organization (for example the backup and recovery application). Delivering Mobility as a Service 7

10 4. ROLLING OUT THE DATA ENCRYPTION SOLUTION The last phase of the process is to deploy the solution. As mentioned earlier, it is critical to train end users and support staff so that they understand the justification for the project and know what to expect. Start the roll-out itself with a "beta test" of non-it employees using standard corporate images. This testing will uncover not only any remaining technical problems, but also issues related to user understanding and acceptance. Document the lessons learned and make changes accordingly. When the "beta test" is complete, you should roll out the solution to the rest of the organization in phases. This can be on a department-by-department basis. If you are deploying a file/folder encryption or hybrid encryption solution, then another approach we like is to start by encrypting only a few critical files or types of files, and then ramp up to encrypting all of the targeted files. You should schedule checkpoints throughout the deployment phase to document the status of the process and make mid-course corrections. At the end of the roll-out you should update the requirements documents and process plans to include new information gathered and lessons learned. These will help you when it is time to expand or upgrade the data encryption solution. Finally, you should provide a written report to management that describes the results of the process and compares them with the success criteria you determined at the beginning of the process. Although the processes described here involve a lot of work, it is good to keep in mind that a wellmanaged data encryption implementation is much less painful than notifying thousands of customers or employees that their personal data has been exposed because someone lost a laptop. Delivering Mobility as a Service 8

11 A Management and Reporting Platform for Data Encryption As noted earlier, rolling out data encryption is only half the battle. Administrators need tools to monitor the deployment of encryption across the organization, to document the status or health of the software on mobile and remote systems, to identify and remediate problems. Sometimes these tools are provided by the data encryption vendor, but frequently these tools are not reliable when systems are out of the corporate office (as shown by the GAO report excerpts quoted in Figure 3 above). STATUS AND ACTIVATION REPORTS Figure 4 illustrates of the type of reports that can help administrators track the progress of a rollout. These report show information like how many systems have been successfully encrypted, how many have encryption installed but not active, how many systems have no encryption at all, and what different encryption products are being used. Figure 4: Summary reports track the progress of encryption deployments across an organization The information in this report is obviously helpful for initial deployments of data encryption solutions, but it also helps the organization track progress over time and keep on top of events when user populations change (for example because of acquisitions or rolling out encryption to new departments). And versions of this report can be used to show managers and auditors progress over time toward 100% compliance. Figure 5 is an example of an activation report that drills down to individual systems to show exactly which devices have been encrypted and which have not. Delivering Mobility as a Service 9

12 Figure 5: An activation report shows which systems have not been successfully encrypted This type of information allows administrators to go right to the unencrypted systems and troubleshoot the problem. POLICY ENFORCEMENT AND REMEDIATION Finally, if the mobility management platform includes software on the mobile device, the software may be able to remediate some problems. This often means automatically restarting the data encryption software if it has been turned off by the user, or a virus, or some other piece of software on the system. Figure 6 shows a policy enforcement dashboard; the second graph in the left-hand column shows the policy enforcement and remediation actions that have been taken during the last 7 days, which in this example includes 435 automatic "Application Started" actions. Figure 6: This policy enforcement dashboard shows that 435 "Application Started" actions have been taken in the last 7 days Automatic remediation actions can reduce the number of expensive calls to the help desk and reduce the time the IT staff spends diagnosing and fixing problems on remote systems. This can be particularly valuable during the rollout period for a new data encryption product. Delivering Mobility as a Service 10

13 MORE ON MOBILITY MANAGEMENT PLATFORMS Fiberlink is the world's leading provider of "Mobility as a Service." "Mobility as a Service" means enabling productive, secure mobile work by delivering and managing mobilityrelated technologies as hosted services. In practice this means offering a wide range of connectivity and security products, and allowing organizations to use Fiberlink's global web-based infrastructure to deploy and manage them. For example, with Fiberlink's services enterprises can deploy and manage not only data encryption packages, but also anti-virus and patch updates, data loss prevention (DLP), media encryption and port control (USB control), backup and recovery, VPNs and other security technologies. Fiberlink's MaaS360 Visibility, Control and Mobile services provide visibility into laptops and remote devices and help administrators control software and security on those devices. These services are based on the MaaS360 Platform, a unique cloud-based platform that provides a single portal for IT operations and security personnel to monitor and manage laptops and remote systems. Fiberlink also offers connectivity and remote access services, so mobile workers can connect with the Internet and corporate networks anywhere, using one standard user interface for all connection types (including Wi-Fi, 3G mobile data network, corporate WLAN, broadband and dial-up). Enterprises that utilize Fiberlink's Mobility-as-a-Service offerings can speed up the deployment of new mobility-related technologies, reduce the cost of managing those technologies, improve security, increase the satisfaction of mobile workers, and streamline the collection of compliance data for audits. For more information on Fiberlink's MaaS360 Visibility, Control and Mobileservices and Fiberlink's Security Services, please see Fiberlink's home page and related pages on the web site. FOR MORE INFORMATION For more information on Fiberlink s technology and services, contact Fiberlink at: 1787 Sentry Parkway West, Building 18, Suite 200; Blue Bell, PA Phone ; Fax Delivering Mobility as a Service