Update: How do you prevent data theft?
With hardly a month going by without data loss being reported in the press, and with the ICO getting tougher with fines, the question of “How do you prevent data loss?” has been asked many times. But, as yet, it does not seem to have been answered by the government.
Unsurprisingly the answer is both simple and free. Encryption.
- Encryption will prevent data being lost in the post from being accessed.
- Encryption will also stop access to the data on stolen laptops.
- Encryption will protect backup tapes in transport.
- Encryption will stop hackers accessing records if they gain access to a server, and should an entire server be lost it will protect the data then as well.
It will not stop theft or misuse of data by staff within a company (which is a separate issue and needs to be addressed separately), but it will stop all of the lost data records being accessed.
Cryptography: It's all Greek to me
Cryptography is the practice and study of hiding information. Encryption is the actual process of converting the readable information into unreadable text, that can be stored/transported safely, but can only be read by somebody with the correct key or password.
Whole libraries have been written on the subject of encryption, and the subject is truly fascinating. It varies in level of complexity from the Caesar Cipher to Quantum Encryption – but all of this is entirely irrelevant because encryption is now simple. Very Simple.
Easy-to-use, off-the-shelf products are available that will ensure that data is encrypted up to government standards. This technology is all pretty much click-and-go software.
Microsoft XP comes with an encryption capability, EFS, as standard; it just needs to be activated. Microsoft Vista comes with the increased security of BitLocker. This means that every government laptop and desktop could have encryption on them, tomorrow, with no additional costs. The user just has to move the cursor over the folder they wish to encrypt, “right click” the mouse, click advanced and tick encrypt. Three clicks to security! (of a kind). The MS Guide on how to use EFS.
If this is too complicated for the user, should they really be handling such critical data?
Many technical people will argue about the issues of key management and security of Microsoft products as a whole, and they have a point. So perhaps the government should consider additional entire disk encryption. This does exactly what it says on the label.
These are products which encrypt entire hard drives; decryption only occurs once the correct credentials have been given. This means that if the hard drive is taken out of the computer, or the person attempting to access the data does not have the correct credentials (user name and password), then the data is completely unreadable.
These products are simple to install and even easier to use. There is a single password to enter during start up, and if this is not entered the computer cannot be used. The added beauty of whole disk encryption is that the user does not choose what to encrypt and what not to encrypt; everything is encrypted all of the time.
Companies like PGP also offer additional encryption for email, file servers, and even mobile devices, e.g. a BlackBerry. The simplicity of these products is that encryption is almost transparent to the end user.
The downside to products like PGP and Safeboot is that they do have to be paid for. On a Government scale, $200 extra per computer suddenly becomes very expensive, though no doubt cheaper than the cost of investigating the data losses that keep occurring combined with the cost of the actual data loss.
However, if the price is too expensive then there is a freeware version of disk encryption called TrueCrypt. This can secure all the data on a hard drive to the same level as PGP or Safeboot for free. Again, this product is simple to use and install. Even if it was hard to install, that is what the IT support teams are there for.
TrueCrypt can also encrypt USB devices, which would be great for shipping all of the data around. In short modern encryption programs are: Simple, easy to use, and cheap (sometimes free).
Therefore there is no reason that all government laptops could not have some encryption on them tomorrow, and full encryption on their laptops, by next month.
The issue of protecting data from internal theft is more complicated, and encryption alone will not assist with this. Data Loss Prevention (DLP) technologies, policies, and systems need to be installed and enforced. Though this is highly unlikely to ever be 100% successful, it can radically reduce the probability of an incident occurring.
This issue will be addressed later on this site.