The quantity of electronic data relied upon by both the private and public sectors alike are increasing at a rapid rate.

The ability to carry data when we're going about our daily business, whether on portable hard drives, laptops, or USB sticks, etc, has inarguably revolutionised working practices. No longer constrained by the physical boundaries of the office, people are free to work just about anywhere. However, there has been a price to pay. News reports on data leakage have become a regular feature and caused huge embarrassment to organisations, impacting their image and damaging the relationship with customers. So why is the lesson taking so long to learn?

Many organisations have turned to encryption as a saving grace without fully understanding the problem they face, and as a result have fallen foul. There are a number of software-based solutions that sit at entry level, however it is proven that they can be bypassed relatively easily. A case in point is that of PA Consulting-a single employee was in breach of its well-established information security processes when allowed to bypass the encryption software that would have protected the personal data of 84,000 prisoners in England and Wales when transferred to a memory stick which subsequently went missing. PA Consul­ting lost its £1.5 million contract, and jeopardised their remaining £8 million government contracts

Andy Cordial, MD, Origin Storage

Instead of relying on users to encrypt data before transferring it to a portable device, isn't it better for the external device to have encryption already built in? External hard drives are available that utilise a hardware based encryption chip to seamlessly encrypt and decrypt data using military grade AES/CBC mode encryption.

Like any product, there are variants, so its important to identify what's important when evaluating the various offerings. Key things to look for are:

• If users, for example, are likely to be walking away and returning when using a device, but not wishing to log out every time, it may be considered important to have a quick disconnect feature via the LCD panel so that the external drive disappears from the users' screen and cannot be accessed until the correct PIN is entered.
• Another concern is that the keypad may involuntarily disclose the PIN-either due to marks on the keypad or from shoulder hacking, so a random display facility may be considered essential.
• A further consideration is what happens if an incorrect PIN is used. Potentially if there is no retribution for entering an incorrect code then perseverance could be rewarded and the data breached. It may be deemed important that after a predetermined number of failed attempts, the data is destroyed to ensure its integrity.
• Plugged in via a USB cable, users are presented with a familiar LCD panel on the device itself to enter an up-to 18 digit PIN. Without the decipher code the data is inaccessible.
• Of significant importance may be the need for regular password changes. The firmware should have the facility to be customized to present the user with a message that makes sure that the password is regularly changed and/or registered within the IT department.
• Unlike software-based encryption, this solution is not vulnerable to the same hack programs, decryption software and key loggers which plague other products on the market that make their use unsafe.

We will not have long to wait before we see note­books coming to the market that have encryption built in to the hard drive. A marriage of technologies, the self encrypting disk (SED) is the opal standard established by trusted computing. One example is the new range of laptop drives that will be completely encrypted and will sit internally in notebooks. As a user, the encryption is seamless needing only to enter an additional password when logging in and therefore is impossible to bypass.

I find it difficult to understand how anyone can justify carrying electronic data unsecured in the public domain. People need to be educated as to the many different options available.

However, in my opinion, transparent encryption of not just sensitive but all portable data reduces the risk of the individual either forgetting, or worse bypassing, this safety belt.

Page(s)   1