The long view of security strategies for your network.
One of my graduate students wrote to me recently about the rash of data losses on unencrypted laptop computers and backup media and asked how I would promulgate policy to cope with the problem. Here’s how I would approach the organizational behavior change needed to ensure that sensitive data on all storage media in the organization is protected.
(a) Establish and implement a company-wide policy forcing encryption of all sensitive folders on company computers, servers and removable media. The policy can use whole-disk encryption (e.g., Encryption Anywhere Hard Disk from GuardianEdge or PGP Corp.'s PGP Whole Disk Encryption products) or it can focus on partition- or folder-specific encryption. Regardless of which technique or product is used, the organization must plan for key escrow to permit data recovery if an employee forgets a key, quits in anger or is fired. Appropriate products include centralized key management and key-recovery features. Policies must take into account the likelihood that keys and even the encryption software will change over time; therefore, archive managers must manage backups so that data can be recovered and rewritten under the new encryption procedures as they change.
(b) In your IT or IT-security newsletters, publicize the news about the losses of control over unencrypted data on laptop computers, isolated hard drives and tapes. Some employees who do not understand or believe that encryption is important will resist change and may even obstruct progress towards the new procedures. Setting the stage for policy development and implementation helps to smooth the way for change.
(c) Provide extensive awareness, training and education over the next few months for all staff on how and why to follow the encryption procedures for their disks and removable media; be sure to have the employees work on scenarios of what might happen to THEIR group if confidential data were released through loss or theft. Have the technical support staff test the product thoroughly and work on problems likely to occur with the product. You can save a lot of time by recording narrated PowerPoint files that can help users with step-by-step illustrations of what to do with the products; be sure to include screen shots. I often create animations using overlays of screen shots so that users can follow the operations click-by-click.
(d) Begin a gentle process of random audits with praise and reward for those found to be following the encryption guidelines and gentle reminders to those violating the policy. Praise works better than punishment in modifying behavior. Establish friendly competitions among groups to see which can be first to achieve 100% compliance with the encryption regime.
(e) Tighten the screws gradually by announcing a steady increase in penalties for violating the policy; over the following months, bring violators to their managers for discussions of the importance of the policy and the future penalties for noncompliance.
(f) After enough time has passed (say, a few months) to ensure almost complete compliance with the policy, suspend or eventually fire anyone found to be violating this policy during random audits of laptops. However, you will have to be prepared to deal with top executives who violate the policy, so you might want to be careful about promulgating draconian penalties that you don’t plan to enforce uniformly.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.