Commerce uses encryption to help steel notebooks
SPECIAL REPORT: Case study no. 1 | Departmentwide data security software aims for ease of use.
With thefts of notebook PCs a leading cause of data breaches, the Commerce Department is encrypting its mobile hard drives to lock up files and data. The encryption makes a notebook as useful as a brick to unauthorized users, said Commerce CIO Barry West.
“They can’t do anything with it,” he said.
Commerce is about 25 percent through its deployment of hard-drive encryption from SafeBoot Corp. of Naples, Fla., on its laptops and mobile devices. West expects to complete the installation across the department in March. The encryption software is compliant with National Institute of Standards and Technology Federal Information Processing Standard 140-2.
Some of the bureaus had encryption in place through other encryption applications.
“DOC’s approach, however, was to deploy an enterprisewide solution,” he said.
West’s plan is to encrypt all notebooks that contain personally identifiable information, then go back and install SafeBoot on the remaining unencrypted notebooks. Once that is complete, Commerce will install SafeBoot on notebooks in its bureaus that used other encryption products under its previous contract last fall.
If a laptop is lost or stolen, no one will be able to access the data, West said.
“The first thing, when you turn the computer on, is you’re asked for the SafeBoot user name and password. Getting through SafeBoot encryption is next to impossible,” West said.
An administrator manages encryption, based on policies that Commerce has created, from the server. The user has no say, West said. Commerce used SafeBoot device and content encryption, and port control.
“Most of our software is about management. Encryption is pretty simple. Most of the work is giving effective management processes and policies,” said Simon Hunt, SafeBoot’s chief technology officer.
Synchronizing the employees’ Windows and SafeBoot passwords makes the process more invisible to users as they log into their devices.
If the encryption is loaded while the user is operating it during workday operations, the user may experience a performance overhead hit of up to 20 percent while the software is encrypting the hard drive in the background.
Once the software is loaded, the most a high-performance user, say a numbers cruncher, might experience is a 2 percent hit, said West.
“But the average user computing word processing and e-mail activities may not see any degradation ...” he said, adding that he detected no performance slowdown while using a notebook on travel.
Still, encryption involves challenges in establishing adequate procedures and recovery mechanisms if someone loses a password, West said.
The logistics also are difficult for training employees who are geographically dispersed, such as in Commerce’s Census Bureau and National Oceanic and Atmospheric Administration.
Indeed, encryption can interfere with automated patch management and password management, said Bob Post, vice president of Booz Allen Hamilton Inc. of McLean, Va.’s assurance and resilience capability team.
“If you have encryption on the laptop and you get hit by a car, who has your password and who can retrieve the data? You have to start thinking about those things,” he said.
NEXT STORY: Waxman to probe Doan's dealings