WinMagic’s SecureDoc Full-Disk Encryption Solution Prevents
The U.S. Federal Bureau of Investigation (FBI) estimates 53 per cent of information technology (IT) network penetration is due to data derived from stolen notebook computers.
And consultants estimate organizations typically lose between five and eight per cent of their notebooks per year.While these computers have undoubtedly provided greater network access for users, their portability poses significant security challenges. And as the escalation of incidents of theft underscores, the price of replacing hardware and software is far outweighed by the loss and damage that can result from unauthorized access to sensitive data.In recent years, government organizations have taken proactive steps to ensure stolen or lost notebook computers do not provide such access. One example is Alberta Finance, a ministry of the Province of Alberta.
Employing approximately 500 people and tasked with developing and implementing the government’s fiscal framework and financial policies, Alberta Finance provides tax and revenue administration, investment and risk management to foster and regulate capital and insurance markets in the province. With the number of remote users requiring access to confidential financial data on the rise, the ministry has sought to ensure a lost or stolen notebook computer could not be used to gain unauthorized access to its data.”Alberta Finance knew its current controls provided the necessary system security in the workplace, but this combination would not protect data on a lost or stolen notebook,” says Leslie Bibkewich, a security analyst for the ministry. “Obviously, it is impossible to guarantee notebook computers are not lost or stolen, so the ministry set out to ensure these mobile devices could not provide unauthorized access to business data.”File versus full-disk encryptionAlberta Finance began researching available technologies and soon determined encryption technology offered the best solution to its mobile security issues.
“From the outset, it was clear full-disk encryption would provide significantly greater protection than technologies that only encrypted certain files,” says Bibkewich. “As file encryption simply did not secure the entire hard drive, it would still be possible to access unencrypted copies of documents in temp files, recycle bins, etc. But by encrypting the entire hard drive, no data would be left unencrypted.”Alberta Finance began a month-long evaluation of offerings from various technology providers. Each product was tested to determine which would provide the best combination of security, ease of administration, ease of use, ease of integration and affordability.
After narrowing down the field, Bibkewich learned the Alberta Corporate Service Centre, which provides services for all of Alberta’s ministries, had already undergone a similar evaluation process and had recommended one of the options as its encryption solution.”As Alberta Finance shares some services with the Alberta Corporate Service Centre, it seemed sensible, from an integration perspective, to use that encryption product,” says Bibkewich. “It simply makes sense for all ministries to use the same technology.”The chosen product, Toronto-based WinMagic’s SecureDoc, is based on the Public-Key Cryptography Standards (PKCS) and features the Advanced Encryption Standard (AES) 256-bit encryption algorithm. It lets organizations encrypt an entire hard disk at pre-boot, ensuring the user’s log-on process remains simple.The full-disk encryption software can also be configured to work with smart cards, tokens or biometric devices at pre-boot, providing users with multi-factor, positively authenticated system access.
It is designed to integrate with an existing public key infrastructure (PKI) certificate and public and private keys. It can also create its own pair of public and private keys on a smart card.SecureDoc has achieved government validations for Common Criteria and Federal Information Processing Standards (FIPS) 140-1 Level 2, among others. Its Fortezza-based version is certified by the U.S.
National Security Agency (NSA) to safeguard secret government information. The software is also validated for the Communications-Electronics Security Group (CESG) Assisted Products Scheme (CAPS) in the U.K., enabling implementations within the country’s government departments and ministries.From pilot to installationIn March 2004, following the initial evaluation, Bibkewich began a month-long, seven-person pilot project to ensure the encryption technology was sufficiently simple to administer and use.
“I was part of the pilot with six auditors,” says Bibkewich. “It proved simple to install and administer the software and the lack of feedback I received from the auditors, who spend a lot of time working outside the office, confirmed it was user-friendly. Before the operating system (OS) loads, users simply enter their passwords to authenticate themselves and they can work as normal.”The pilot also confirmed the technology could integrate with Alberta Finance’s existing security applications, including its client-side firewall.In January 2005, after the pilot was successfully completed, the ministry began a gradual rollout to 150 users, 40 of which are auditors.
“I simply install the software on users’ notebook computers and give them a 10-minute tutorial about log-on and password protocols and they are ready to go,” says Bibkewich. “And apart from the odd user forgetting a password, that’s the last I hear from them.”Risk-free remote accessRecognizing its users benefit from the ability to work remotely, Alberta Finance knew it needed to improve notebook computer security to ensure its overall security could not be compromised. By installing full-disk encryption software, the ministry has been able to provide simple remote access for its staff, while simultaneously ensuring data cannot be accessed from a lost or stolen computer.”It has met Alberta Finance’s notebook security needs, integrated well with existing applications, proved easy to administer and been well-received by users,” says Bibkewich.
