The virtual safe: A user-focused approach to data encryption

Transcription

1 The virtual safe: A user-focused approach to data encryption Steganos GmbH,

2 The hard disk: a snapshot of our lives The personal computer has never been more personal. We routinely trust it with private correspondence, diary entries, s, all sorts of addresses, the household budget and holiday photographs. We use it to shop, seek health advice, and manage our savings, while the more creative among us use it to write poetry, compose music or paint pictures. It could be said that our hard drive provides a unique portrait of our most private personal lives. And when computers are lost or stolen, people feel that privacy has been violated. Insurance companies can recompense people for the loss of their hardware, but nothing can be done to ease the worry about who is reading our personal information. And as identity theft competes to become Europe s fastest-growing crime, the loss of such data can have serious financial implications far outweighing any embarrassment caused by last year s holiday photos. Of course, businesses face stiff penalties for losing customer data. Far worse than any fines imposed, however, is the damage to a company s reputation if it cannot adequately protect the information that customers entrust to it. Business today requires data to move, sometimes on laptops or USB keys between buildings, but by using encryption companies can ensure data remains secure, wherever it goes. Encryption: an impenetrable defence against data loss Encryption is more than password protection: it means that the data itself is scrambled and can only be deciphered by an authorised user who has the correct encryption key (either a password or a physical device). If encrypted data falls into the wrong hands, that data will still be protected as long as the encryption key remains secret. The US Department of Defense considers the Advanced Encryption Standard (AES) with 256-bit keys to be good enough to protect Top Secret data, and AES is now available to everyone through a range of affordable off-the-shelf products. Full-disk encryption Some businesses have responded to the threat of data leakage by introducing full-disk encryption. This protects all files on a specified drive, automatically decrypting data as is it loaded from the drive and encrypting it as it is saved. Products that enable full-disk encryption include BitLocker, incorporated in some versions of Windows Vista, and FileVault, a feature of Apple s Mac OS X operating system. However, recent research 1 has found that full-disk encryption systems are flawed. Researchers have managed to recover encryption keys from memory by powering the machine off and on again, and 1 Lest We Remember: Cold Boot Attacks on Encryption Keys, by J. Alex Halderman et al, 21 February See Steganos GmbH,

3 booting software that copies the memory before it is overwritten. Researchers have also shown that DRAM chips can be chilled to increase the length of time they store data after the power is switched off. This enables the chips to be removed to another machine, where the temporary data held in them - including encryption keys - can be recovered. Computers are particularly vulnerable when the screens are locked or the computer is asleep, because they are likely to be unattended and the encryption key will be stored in memory. The researchers note that BitLocker loads encryption keys into RAM when the machine is booted, making them potentially vulnerable even before the user has been authenticated using a user ID and password. Another problem is that, as the name suggests, full-disk encryption encrypts the entire disk, so it slows down the computer s operation. All disk access must go through the encryption routine, including the reading and writing of any temporary and operating system files. This can result in a frustrating user experience, and could have a significant impact on productivity if deployed across an entire business. Full-disk encryption depends on two false assumptions: firstly, that all data on a computer should enjoy the same level of encryption and that users are prepared to trade PC performance for this; and secondly, that somebody with legitimate access to a computer is authorised to access all data on it. The approach is focused on hardware, instead of on data or the user. File-based encryption Instead of encrypting the whole disk, a more selective approach is required. File-based encryption software enables users to choose exactly which files should be encrypted, so no time is lost needlessly scrambling trivial data. The computer performs at full speed, and the encryption operation is separated from the process of creating and editing files. File- and folder-based encryption software can be used with other targeted tools to remove traces of work or web activity, such as temporary files and website cookies. Dedicated software can be used to encrypt browser favourites and , ensuring that comprehensive protection is available for sensitive data without every disk access needing to be encrypted. By securing data at the file level, it is easier to determine different access privileges for users. People can share the same machine without having equal access to all the data on it - particularly valuable in a small business or family environment where computers are shared and sensitive data needs to be restricted (whether that is payroll data at work or Christmas shopping lists at home). File-based encryption is device-independent too, which means any backup of the data will also be encrypted without the need for additional hardware or software. Any copies of the data in transit - for example, on USB keys - will be as well protected in the event of loss as the master file on the PC. Research shows that when users are prompted to enter a password to access specific data, they are more likely to understand and respect the confidentiality of that data. While disk-based encryption works invisibly in the background, file- based encryption prompts users to provide the encryption key when data is accessed that requires higher security. As a result, users can more easily understand Steganos GmbH,

4 which files are restricted. By focusing on the data, file-based encryption enables greater control over which files are protected and which are not. That in turn allows users to strike the optimal balance between security and computer performance. It does, however, require a considerable amount of manual intervention in the encry ption process from users who will often have higher priorities, particularly in the work environment. The Virtual Safe: A user-focused approach to comprehensive encryption The virtual safe, as used in the Steganos Safe suite of encryption utilities, combines the best of diskbased and file-based encryption, without demanding any of the compromises. It is focused on what users require: an easy way to encrypt all data relating to specific activities or jobs, without the consequences of the poor performance associated with encrypting everything unnecessarily. The virtual safe uses the familiar metaphor of a bank vault: once files have been placed in the safe, they are protected from unauthorised access. Users can work on their files within the safe, however, with files being automatically decrypted when required and re-encrypted again when the user has finished working with them. Temporary files, from which remnants of a document might otherwise be salvaged, are also encrypted. Once the user has opened the safe, he or she can work on the files within it without having to repeatedly enter security credentials for each file. As with a physical safe or bank vault, users can use a physical key to unlock a virtual safe. Rather than having to remember a password, users can store the encryption key on a USB stick, ActiveSync-enabled SmartPhone, PDA, memory card, digital camera, or ipod. This gives users confidence that they can use strong encryption keys, which might otherwise prove difficult to remember. The benefits of encryption are undermined when users pick easily guessable passwords to protect data. The vulnerabilities associated with full-disk encryption are not present in Steganos Safe. The key is not stored on the machine until it is entered by the user. If a safe or the Steganos Safe application is closed manually or automatically, the keys are erased and overwritten in memory. To avoid passwords being extracted when the PC is locked, sleeping or hibernating, Steganos Safe includes an option to automatically close the safe if any of those events occur. Legitimate access to the machine does not imply the user is authorised to access the safe contents. Users are required to enter the key whenever they want to access data in a safe, so the safe provides an additional layer of security beyond using an ID and password to log on. The protection of data stored in a safe is not limited to a particular device: backups will be as well protected as the source data, without any need for special backup or additional encryption software. Users who share the same machine can share access to a safe, or set up separate encrypted safes on the drive for protecting their work. Steganos Safe includes Steganos Portable Safe for transporting data securely on USB keys. While many file-based encryption products will require the full encryption software application to be installed on any machine where the data is to be decrypted, Steganos Portable Safe stores all software necessary for extracting data on the USB key. Steganos GmbH,

5 For sensitive environments, such as the accounts department at a small business, it is possible to use Steganos Application Safe to encrypt all data created by a specific application, including temporary files. This provides a compromise between full-disk encryption and file-based encryption, which ensures all files of a specific type are automatically protected. While some files will inevitably end up being unnecessarily encrypted, they will be limited to potentially sensitive applications and will not include trivial operating system elements. Conclusion Encryption is an essential tool for protecting privacy in an age when so much of our lives is stored digitally - and when the storage medium could fall into the wrong hands at any time. The virtual safe provides the ease of use of full-disk encryption without any of the accompanying security or data portability flaws, but with the speed and flexibility of file-based encryption. Steganos provides a full range of PC security and encryption software, ranging from the freeware Steganos Safe One, through the consumer application Steganos Safe, to the business suites Steganos Safe Professional and Steganos ApplicationSafe. For more information on all these encryption products, and free trial versions, visit About Steganos Since 1996, Steganos has been providing highly secure and user friendly solutions that secure static data and online communications. More than two million users worldwide already depend on Steganos software. Innovations such as the world s first commercial steganography software (which hides data in pictures and music), or the first encryption software to use the Advanced Encryption Standard (AES), have made Steganos one of the market leaders for consumer encryption software. Steganos products are regularly recognized with national and international press awards and the Steganos brand is synonymous with protecting sensitive data. Steganos GmbH Wildunger Straße Frankfurt Germany Phone: +49 (69) Fax: +49 (69) info@steganos.com Web: Steganos GmbH,