Encryption is essential.
It is essential to encrypt data that is both at rest and in motion. 1 Encryption mitigates the most prevalent threats associated with mobile devices. Encrypting data at rest mitigates the disclosure of data when a mobile device is lost or stolen. Encrypting data in motion mitigates the threats (e.g. eavesdropping) associated with the transmission of sensitive data over insecure public networks that mobile devices often connect to.
Encryption, of course, does not address every mobile device concern. For example, encryption does nothing to prevent a mobile device from being lost or stolen in the first place. This FAQ talks about other safeguards that can be used in conjunction with encryption to address a range of mobile device concerns.
Encryption “scrambles” data in a way that it can only be read by someone who possesses the corresponding decryption key. If an unauthorized individual obtains access to a device with encrypted data, but does not have the decryption key, they see only random “gibberish” instead of sensitive data.
Using a “boot” (BIOS) password and/or account password along with a password-protected screensaver is a recommended best practice for keeping honest people honest. These “boot” or logon passwords, however, do nothing to prevent a determined individual from accessing the hard drive. All an “interested” individual needs to do to bypass a boot password is put the hard drive in another machine. All that is needed to bypass an account password is to insert a different boot disk. In short, passwords provide no protection when physical security is breached, as in the case of a stolen, lost, or confiscated device.
Besides actually protecting confidential data from unauthorized disclosure, encryption has the added benefit of saving you the cost and embarrassment of having to notify potentially affected individuals when your mobile device is lost, stolen, confiscated etc. Because a properly implemented encryption solution is recognized as an adequate protection mechanism against even the most determined attacker, most notification laws provide for an exemption if sensitive data on a lost or stolen device is encrypted. Due to the high costs and negative publicity of notification along with the potential fines and legal ramifications associated with a sensitive data breach, encryption of sensitive data is often cost justified.
Deciding on an encryption solution depends on many factors. Some decision points, such as usability, cost, and platform support, are easy to understand. Other decision factors, such as algorithm support, are complicated but less interesting because, in the end, different solutions will support the same techniques. One influential parameter that is worth understanding further, however, is the approach used to secure the files on disk. The two competing philosophies are file/folder-level encryption and full-drive encryption. These two approaches are explained in further detail below.
File/folder level encryption is selective. It allows specific files to be encrypted or it allows a container (i.e. folder or directory) to be created such that files saved in the container are encrypted. Full-drive encryption, on the other hand, encrypts all the sectors on a disk or disk volume. Thus, a full-drive encryption solution will often encrypt operating system files, applications, system settings, and cache files in addition to specific sensitive data files.
The benefit most often cited for full-drive encryption over file/folder-level encryption is that full-drive encryption leaves less doubt about whether all instances of sensitive data were actually encrypted. This is because operating systems and applications write data in caches, temp directories, page files, hibernation files and other areas that are difficult to identify, let alone selectively encrypt. Furthermore, humans make mistakes. Users may simply forget to store sensitive data in the right (encrypted) folder. Techniques and solutions exist to mitigate all of these file/folder-level shortcomings, but such solutions are typically only viable in “managed” environments where the mobile devices are managed by an IT department and end users do not log in with administrative privileges.
First, make sure you have a choice. Your unit, or authoritative compliance office, may already mandate a specific encryption approach. If the File/Folder versus Full-Drive approach has not already been decided, we offer the following guidance:
If both approaches are available for effectively the same cost 3, then use the full-drive encryption approach.
However, if the cost of full-drive encryption significantly outweighs the cost of file/folder-level encryption, then that cost needs to be weighed against the likelihood and incremental impact of a lost or stolen laptop. When considering this tradeoff we offer these baseline recommendations:
Full-drive encryption is recommended for regulated environments because, as explained in the answer to the previous question, full-drive encryption reduces doubts that people (users, administrators, auditors, investigators, customers, research subjects etc.) have regarding the possible exposure of sensitive data when the device is lost or stolen. In fact, in Japan, only the full-drive encryption approach is recognized as sufficient for avoiding notification when a device containing private personal information is lost or stolen. 4
That being said, highly “managed” environments, which are run by an IT department supporting end users that do not have administrative rights, may be able to successfully deploy a policy-based file/folder-level encryption solution even for regulated or other highly sensitive data. For these environments, a good centrally managed, policy-based file/folder encryption solution may be as transparent and demonstrably comprehensive as the full-drive encryption approach, but the IT department should convince themselves of that.
1 - Data at rest is data that is stored on some physical storage media like a hard disk, flash drive, or DVD. Data in motion refers to data that is traveling as packets through a network, e.g. as an email makes its way across the internet. Note that data on a thumb drive is considered data at rest even though the thumb drive itself may be mobile.
2 - File/folder and full-drive encryption are not necessarily mutually exclusive. However, this FAQ does not discuss using both approaches simultaneously because this FAQ is concerned primarily with the threat of information disclosure due to a lost, stolen, or confiscated laptop, and either approach may be used, by itself, to mitigate this threat.
January 17, 2013