Data Protection for the Rest of Us
In the past two months at least 17 computers containing personal data on a million or more individuals were lost or stolen, according to the Privacy Rights Clearinghouse. These episodes received little attention because they have become so common that they are no longer news. But each occurrence exposed an organization to liability. And in countless other unreported cases, computers containing invaluable confidential business data fell into the wrong hands.
The technology needed to prevent these losses has been around for some time. But it has been hard to set up and manage, and this has limited use mainly to the federal government and industries with stringent security needs, such as health care and finance. The game is changing with the availability of easier-to-use tools, particularly disk drives with encryption hardware built in.
Security experts believe the only safe way to protect data from determined snoops is with encryption whose keys are held in tamper-resistant hardware rather than in software that can be copied or patched. Such hardware has been offered on some IBM (IBM) or Lenovo ThinkPad models since 2001, and today the technology, known as the Trusted Platform Module, a chip that stores and protects encryption keys, is available on most laptops designed for corporate and government accounts. Yet just because it's there doesn't mean it's used, and most of the time it isn't.
I tried a system that makes data protection radically easier. It was a Latitude D830 notebook from Dell (DELL), the first company to offer this feature. The notebook was equipped with Windows XP, a Seagate (STX) 120-gigabyte Full Drive Encryption (FDE) hard disk, and software from Wave Systems (WAVX). The FDE drives, available on Latitude D630 and D830 models, add $120 to the cost.
Setting up the drive encryption takes about five minutes the first time you use the computer. Basically, it consists of setting administrator and user passwords, which can be the same. During the setup, you get a chance to save the passwords to a thumb drive. Do it, and store that thumb drive in a secure place, such as a safe: once the drive is encrypted, there is, by design, no way to retrieve the information stored on it without one of those passwords, and no vendor hotline can recover it for you. Security is based on the Advanced Encryption Standard (AES), which the U.S. government uses for nonclassified communications, has approved for classified information as well, and recommends for securing commercial data. It is possible, but unlikely, that the National Security Agency knows how to crack AES, but it's a safe bet no one else does. In practice the weak point is never the cipher but the password that unlocks it: a short or guessable password is what a thief will attack, so pick a long one.
The data encryption is essentially invisible to the user. Because the encryption and decryption of data are handled by the drive hardware, not the main processor, there is little or no impact on performance. I noticed only two differences from a standard Windows PC. One is that you have to log in twice: the first time, simply to gain access to the drive before the laptop boots Windows. The other difference, a mild annoyance, is that for security reasons, the software disables Windows' suspend mode, which lets you resume work almost instantly after a temporary shutdown. The reason is that a suspended machine would have to keep the drive's unlocked state, or the credential needed to restore it, alive in memory, where a thief with the laptop in hand could potentially get at it. Instead, your notebook will hibernate when you close the lid or let it sit for too long while running on batteries, which powers the drive down completely and means the pre-boot password is required again; it will take a bit longer for you to resume work.
Although Dell is offering the encrypted drives on laptops marketed primarily to large enterprises, the drives are simple enough for individuals or small businesses without IT departments to use. I expect Dell and other manufacturers will start offering this feature on a range of products, including PCs geared to small businesses.
If you have a computer that's equipped with Trusted Platform Module hardware and that runs the Ultimate or Enterprise version of Windows Vista, you can use a different feature, called BitLocker, that encrypts an entire volume (in Vista, the volume Windows is installed on) and uses the TPM to release the key only if the machine's boot path has not been tampered with. It is, however, considerably more difficult to set up than the system I have described: among other things, Vista's BitLocker needs a separate, unencrypted system partition to boot from, which most machines shipped without.
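As an added example (it is not from the article, and it is not Dell's or Wave's software), here is what the BitLocker setup described above looks like when done from an elevated PowerShell prompt with the manage-bde command that ships in Windows 7 and later; Vista shipped the same operations as a script, manage-bde.wsf, run under cscript. The example also applies the hibernate-instead-of-sleep policy that the Dell system enforces, using powercfg. It assumes the Windows volume is C:, a removable drive for the recovery key is mounted at E:, and a TPM is present and enabled in the BIOS; the volume letters, the 20-minute idle timeout and the WMI class used for the TPM check are assumptions, not anything the article states.

```powershell
# Added example: turn on BitLocker for the Windows volume with a TPM protector and
# offline recovery material, then make the laptop hibernate rather than sleep.
# Run from an elevated prompt. Assumptions: OS volume C:, removable drive E: for the
# recovery key, TPM present and enabled in firmware.

# 1. Confirm the TPM is present, enabled and activated before trying to use it.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    throw 'No TPM found; BitLocker would have to fall back to a USB startup key.'
}
if (-not $tpm.IsEnabled_InitialValue -or -not $tpm.IsActivated_InitialValue) {
    throw 'TPM is present but not enabled/activated; turn it on in the BIOS setup first.'
}

# 2. Check the volume's current state (expect "Protection Off" / "Fully Decrypted").
manage-bde -status C:

# 3. Turn BitLocker on. On a TPM-equipped machine manage-bde seals the volume key to
#    the TPM; the two extra protectors are the offline recovery material:
#      -RecoveryPassword : a 48-digit numeric password printed to the console
#      -RecoveryKey      : a .BEK file written to the removable drive at E:\
#    These play the role of the thumb drive the article tells you to fill in at setup.
#    Copy the 48-digit password down and lock both away; if the TPM fails or the boot
#    path changes, they are the only way back in. Windows schedules a reboot to verify
#    that the TPM can release the key before encryption actually starts.
manage-bde -on C: -RecoveryPassword -RecoveryKey E:\

# 4. Verify which protectors are in place and watch encryption progress.
manage-bde -protectors -get C:
manage-bde -status C:

# 5. Mirror the Dell system's behaviour: never suspend, hibernate instead, so the
#    volume is sealed again every time the lid closes or the machine sits idle.
powercfg /hibernate on
# Lid-close action: 2 = hibernate (0 = do nothing, 1 = sleep, 3 = shut down),
# set for both AC and battery (DC) power.
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
# Disable automatic sleep entirely (0 = never) and hibernate after 20 idle minutes on battery.
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change hibernate-timeout-dc 20
# Re-activate the current scheme so the new index values take effect.
powercfg /setactive SCHEME_CURRENT
```

Step 3 is the one that differs most from the Dell drive: because BitLocker encrypts with the main processor, you will see the volume go through "Encryption in Progress" for an hour or more on a 120-gigabyte disk, and the recovery password is the only thing standing between you and a permanently locked volume if the TPM is ever cleared or replaced.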
As technology improves, excuses for not encrypting hard-drive contents are rapidly disappearing. If you have data whose loss would be costly or embarrassing—and who doesn't?—it's time to make sure that information is safe.