How do you prevent data loss?

Update: How do you prevent data theft?

With hardly a month going by without data loss being reported in the press, and with the ICO getting tougher with fines, the question of “How do you prevent data loss?” has been asked many times. But, as yet, it does not seem to have been answered by the government.

Unsurprisingly the answer is both simple and free. Encryption.

  • Encryption will prevent data lost in the post from being accessed.
  • Encryption will also stop access to the data on stolen laptops.
  • Encryption will protect backup tapes in transport.
  • Encryption will stop hackers accessing records if they gain access to a server, and should an entire server be lost it will protect the data then as well.

It will not stop theft or misuse of data by staff within a company (which is a separate issue and needs to be addressed separately), but it will stop all of the lost data records being accessed.

Cryptography: It's all Greek to me

Cryptography is the practice and study of hiding information. Encryption is the actual process of converting the readable information into unreadable text, that can be stored/transported safely, but can only be read by somebody with the correct key or password.

Whole libraries have been written on the subject of encryption, and the subject is truly fascinating. It varies in level of complexity from the Caesar Cipher to Quantum Encryption, but all of this is entirely irrelevant because encryption is now simple. Very simple.

Easy to use, off the shelf, products are available that will ensure that data is encrypted up to government standards. This technology is all pretty much click and go software.

Microsoft XP comes with an encryption capability, EFS, as standard; it just needs to be activated. Microsoft Vista comes with the increased security of BitLocker. This means that every government laptop and desktop could have encryption on them, tomorrow, with no additional costs. The user just has to move the cursor over the folder they wish to encrypt, “right click” the mouse, click advanced and tick encrypt. Three clicks to security! (of a kind). The MS Guide on how to use EFS.

If this is too complicated for the user, should they really be handling such critical data?
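
The three clicks described above can also be scripted and, more usefully, checked afterwards. The following PowerShell is an added example, not part of the original post; it assumes Windows 8 or later with EFS and the BitLocker PowerShell module, an elevated prompt, and a hypothetical folder `C:\Data\Sensitive`.

```powershell
# Added example, not from the original post. Assumes Windows 8 or later with
# NTFS, EFS and the BitLocker PowerShell module, run from an elevated prompt.
param(
    [string]$Folder = 'C:\Data\Sensitive'   # hypothetical folder, change to suit
)

function Get-UnencryptedFile {
    # Return files under $Path that do NOT carry the NTFS "Encrypted" (EFS) attribute.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) }
}

function Get-VolumeEncryptionGap {
    # Return volumes where BitLocker protection is off or encryption is incomplete.
    Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}

# Command-line equivalent of ticking "Encrypt contents to secure data":
# /e marks for encryption, /s: applies it to the folder and everything beneath it.
& cipher.exe /e "/s:$Folder" | Out-Null

# Do not trust the click: confirm every file really carries the EFS attribute.
$plain = @(Get-UnencryptedFile -Path $Folder)
if ($plain.Count -gt 0) {
    Write-Warning "$($plain.Count) file(s) under $Folder are still unencrypted:"
    $plain | Select-Object -ExpandProperty FullName
} else {
    Write-Output "All files under $Folder carry the EFS attribute."
}

# EFS only covers that folder; report volumes without whole-disk protection.
$gaps = @(Get-VolumeEncryptionGap)
if ($gaps.Count -gt 0) {
    $gaps | Format-Table -AutoSize
} else {
    Write-Output 'All volumes reported by BitLocker are fully encrypted and protected.'
}
```

EFS keys live in the user's profile, so export and store the EFS certificate separately before relying on this; a rebuilt profile without that key leaves the files unreadable.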

Many technical people will argue about the issues of key management and security of Microsoft products as a whole, and they have a point. So perhaps the government should consider additional entire disk encryption. This does exactly what it says on the label.

These are products which encrypt entire hard drives; decryption only occurs once the correct credentials have been given. This means that if the hard drive is taken out of the computer, or the person attempting to access the data does not have the correct credentials (user name and password), then the data is completely unreadable.

There are several products out there that can do this, SafeBoot, PGP, and Guardian Edge to name just three.

These products are simple to install and even easier to use. There is a single password to enter during start up, and if this is not entered the computer cannot be used. The added beauty of whole disk encryption is that the user does not choose what to encrypt and what not to encrypt; everything is encrypted all of the time.

Companies like PGP also offer additional encryption for email, file servers, and even mobile devices, e.g. a BlackBerry. The simplicity of these products is that encryption is almost transparent to the end user.

The downside to products like PGP and SafeBoot is that they do have to be paid for. On a government scale, $200 extra per computer suddenly becomes very expensive, though no doubt cheaper than the cost of investigating the data losses that keep occurring combined with the cost of the actual data loss.

However, if the price is too high, then there is a freeware version of disk encryption called TrueCrypt. This can secure all the data on a hard drive to the same level as PGP or SafeBoot for free. Again, this product is simple to use and install. Even if it was hard to install, that is what the IT support teams are there for.

TrueCrypt can also encrypt USB devices, which would be great for shipping all of the data around. In short modern encryption programs are: Simple, easy to use, and cheap (sometimes free).

Therefore there is no reason that all government laptops could not have some encryption on them tomorrow, and full encryption on their laptops, by next month.

The issue of protecting data from internal theft is more complicated, and encryption alone will not assist with this. Data Loss Prevention (DLP) technologies, policies, and systems need to be installed and enforced. Though this is highly unlikely ever to be 100% successful, it can radically reduce the probability of an incident occurring.

This issue will be addressed later on this site.

Data Theft is now covered in this article


10 Responses to “How do you prevent data loss?”

  1. Medicare: Data Loss « Data - Where is it? Says:

    […] could this have been stopped? Explore posts in the same categories: Data […]

  2. University of Utah: Data Loss « Data - Where is it? Says:

    […] by Perpetual Storage, they can not be held 100% responsible for the data loss. If the data had been encrypted this would never have been an […]

  3. Data Not Lost: Medical Data « Data - Where is it? Says:

    […] Data Not Lost: Medical Data In a shocking change to the government standard practice of losing information faster than the collapse of the UK housing market, we are happy to report that data has actually not been lost by a government department, due to the cunning use of encryption. […]

  4. Data Loss: Foreign Office « Data - Where is it? Says:

    […] numerous examples of data loss within the government, virtually all of which could be prevented by encryption,. However the FCO examples appear to be more fundamental IT security issues rather than the typical […]

  5. Data Loss: 33,000 childrens details « Data - Where is it? Says:

    […] again, like virtually every other case of data loss, the data could have been secured by encryption. Possibly related posts: (automatically generated)We know what is lost, but how much is stolen? | […]

  6. Data Loss: MI6 « Data – Where is it? Says:

    […] data loss happens, and loss of media will almost certainly always happen but its effects can be reduced or stopped. Using encryption, for example stops the loss being damaging. If encryption cannot be used by MI6, […]

  7. Data Theft: RAF « Data – Where is it? Says:

    […] is not the first time the MoD has lost data, nor failed to use encryption. Possibly related posts: (automatically generated)Data Theft: RAF | Where is My Data?Data Loss: MoD […]

  8. Data Loss: 109,000 Pension Details « Data – Where is it? Says:

    […] event has just come to light and the laptop was not, of course, encrypted. And all the usual details were lost in the theft of the laptop; names, addresses, dates of birth, […]

  9. Gytha Says:

    Holy shiitzn, this is so cool thank you.

