USA COMPUTERWORLD ARTICLE ON COMPUTER LAPTOP THEFTLost Laptops Sink Data - ComputerworldLost Laptops Sink Data

Opinion by Robert L. Mitchell

JULY 18, 2005 (COMPUTERWORLD) - Lost backup tapes may be the IT security issue du jour, but stolen laptops are a bigger and more intractable problem. Critical business data walks out the door every day on notebook computers. Increasingly, those devices are going missing.

Laptops are easy targets because of their portability. That makes restricting physical access all but impossible. Just recently, for example, two laptops stolen from a human resources service provider put the names and Social Security numbers of Motorola employees at risk [QuickLink a6480]. At Wells Fargo last fall, information on thousands of the bank's borrowers was compromised when three laptops were stolen from a subcontractor [QuickLink 50562]. In both cases, the data wasn't encrypted.

Therein lies another problem. All too often, logical security controls that could protect data simply aren't used. While encryption provides an obvious remedy for securing backup tapes in transit, there are no easy fixes for securing those very personal mobile computing devices -- only trade-offs.

Encryption slows down performance, which may irritate power users. And employees may view biometric devices, smart cards and other access-control mechanisms as burdensome. Unfortunately, the people whose laptops have the most sensitive data tend to be the ones who have the least patience dealing with layered security.

Yet the consequences of inaction are increasingly public, thanks in part to the law known as California SB 1386, which requires companies to notify customers of data breaches within 48 hours. Had Wells Fargo required its subcontractor to encrypt all data, it wouldn't have had to notify customers of the theft.

Any machine that has the potential to hold sensitive data or e-mail should be encrypted. But don't bother with Windows XP's Encrypting File System. "If you know your Windows password, you know the keys to the hard drive. There are a lot of ways to hack that," says Clain Anderson, director of wireless and security at Lenovo.

Full disk encryption works better because it's transparent: Users don't have to be trained -- and trusted -- to save all their data in an encrypted folder. Most approaches use the Triple Data Encryption Standard algorithm to encrypt data, which is very secure. But the encryption keys still must reside on the disk. Some laptops, including some of Lenovo's ThinkPads, store this data on a security chip based on the Trusted Platform Module (TPM) standard.

"That gives you a gatekeeper so your passwords and digital certificates can be protected and aren't just laying around on the hard disk somewhere," says Anderson. If employees forget their password, they're locked out, but a separate administrator password can be configured for support purposes.

Seagate Technology has announced another option: hardware-level disk encryption, which is available with its new Momentus drives. The encryption key resides on a restricted area of the disk, so even if the drive is removed, a thief still can't boot the system or read the disk without the password. Both IBM and Dell are lining up behind the technology. But laptop vendors are unlikely to integrate the drives until a second supplier jumps into the market.

Smart cards are the best bet for additional access controls beyond the system log-in. Major laptop vendors already offer integrated card readers as an option. Biometric devices, in contrast, are more of a convenience feature for password management than a true security mechanism. For example, the ThinkPad X41 has an embedded fingerprint reader and encrypts the password database using the TPM chip. But while there's only a 1 in 10,000 chance that it will accept a wrong fingerprint, there's a 1 in 20 chance that it will reject a valid fingerprint. For systems without an integrated reader, add-on devices can cost $70 or more per system. "From a pure hardware-enablement standpoint, the cost is more than double for biometrics over smart cards," says Tim Gee, product marketing manager at Dell.

Among Dell customers, the adoption rate of smart cards is about 20%, compared with less than 5% for TPM and biometrics, Gee says. But lost smart cards can also be an annoyance for both users and the support personnel who manage them.

All of these technologies can add to management complexity and can be expensive to deploy at scale, cautions Gee. For protecting locally stored data, however, disk encryption will suffice. If an encrypted laptop is stolen, the perpetrators can't access the data or they can't use the machine unless they swap out the drive or reformat it. "The chance of them getting the information is so infinitesimally small that it isn't worth thinking about," says Anderson. Given how much IT already has on its plate, one less thing to think about is just what the doctor ordered.

Robert L. Mitchell is Computerworld's senior features editor. Contact him at robert_mitchell@computerworld.com.