Data Encryption Is Hard To Do

Fiberlink: Delivering Mobility as a Service

Best practices for successfully deploying and managing data encryption on laptops

Posted 28-Nov-2014

Description: White paper about implementing data encryption on laptops (2009)


Contents

DATA ENCRYPTION IS HARD TO DO
  The GAO Report on Federal Agency Encryption Efforts
  What Can Be Done?

BEST PRACTICES FOR DEPLOYING DATA ENCRYPTION
  Determining the Objectives and Selecting the Technology
  Planning the Project and Designing the Solution
  Preparing and Configuring the Software
  Rolling out the Data Encryption Solution

A MANAGEMENT AND REPORTING PLATFORM FOR DATA ENCRYPTION
  Status and Activation Reports
  Policy Enforcement and Remediation
  More on Mobility Management Platforms


Data Encryption Is Hard To Do

Data encryption has become a "must-have" technology for businesses, government agencies, healthcare organizations, and other enterprises. Magazines and websites are filled with news stories about stolen laptops containing thousands, or even millions, of confidential records (Figure 1). Every organization must assume that a certain number of laptops will be lost each year. And data encryption is the best available technology to prevent the loss of confidential data when laptops and mobile devices are lost or stolen.

But to paraphrase the old song: "Data encryption is hard to do."

First, it can be difficult to deploy successfully.

Second, even when it appears to have been deployed successfully, many organizations lack the management tools to ensure that the encryption solution is in fact functioning properly.

The lack of management tools matters not only for maintaining good security, but also because organizations can fail audits if they cannot prove that their data encryption solution is performing as planned.

THE GAO REPORT ON FEDERAL AGENCY ENCRYPTION EFFORTS

The challenges of deploying and managing data encryption on remote devices are illustrated in a recent report from the United States Government Accountability Office titled "Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, But Work Remains" [1] (Figure 2).

The GAO auditors found that, despite directives dating back to 2006 to deploy data encryption, only about 30% of laptops and handheld devices had actually been encrypted: "...the major agencies collectively reported that they had not yet installed encryption technology...on about 70 percent of their laptop computers and handheld devices."

A second finding was noted by Computerworld's Frank Hayes [2]:

"...The GAO also found that, in many cases, even the devices believed to be encrypted had problems. Sometimes the encryption wasn't actually installed. Or it wasn't configured correctly. Or it hadn't been turned on."

Two examples of this type of finding are quoted in Figure 3.

Figure 1: Headlines about stolen and lost laptops

Figure 2: The GAO report on encryption efforts by US federal agencies

[1] The GAO report is available at: http://www.gao.gov/new.items/d08525.pdf. See also: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

[2] Frank Hayes, "Frankly Speaking: Encrypting end user data is tough to do," Computerworld, August 4, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=323225&source=NLT_SIT&nlid=91. See also: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110983


Evidently even rocket scientists can be challenged by information security.

And unfortunately, while 93% and 90% compliance might be satisfactory in some situations, GAO and other auditors are not likely to be happy with a 7%-10% failure rate on systems that management thought were already protected (not to mention the 70% of systems that were known not to be encrypted yet).

WHAT CAN BE DONE?

The GAO report provides ample evidence that data encryption is not easy to deploy or manage, even for highly motivated organizations.

However, there are:

• Best practices that can significantly improve the success rate for rolling out data encryption technology.

• Management tools that can give administrators visibility into encryption status on mobile devices.

Fiberlink is a "Mobility as a Service" provider that helps customers deploy and manage a wide range of security and connectivity solutions on laptops and PCs. In this white paper we will discuss deployment best practices for data encryption developed by our Professional Services organization. Then we will briefly outline how Fiberlink's MaaS360™ Visibility, Control and Mobile services can help customers report on and manage encryption solutions on mobile devices.

"At the National Aeronautics and Space Administration (NASA) location we tested, we confirmed that the agency's selected FIPS-compliant encryption software had been installed on 27 of 29 laptop computers. Although the agency asserted that it had installed it on all 29 laptops, officials explained that they did not have a mechanism to detect whether the encryption product was successfully installed and functioning." (page 30)

"...a component of the Department of Agriculture had not effectively monitored the effectiveness and continued functioning of encryption products on 5 of the 52 laptop computers that we examined. Agency officials were unaware that the drives of these devices had not been correctly encrypted…and the agency had no mechanism in place to monitor whether the installed product was functioning properly." (page 31)

Figure 3: From the GAO report: "no mechanism in place to monitor... the installed product"


Best Practices for Deploying Data Encryption

Fiberlink's Professional Services organization finds that data encryption deployments are often undermined by problems such as:

• Incomplete understanding of the capabilities and limitations of the data encryption solutions selected.

• Lack of the right personnel on the implementation team.

• Inadequate planning and testing during the roll-out.

To avoid these problems, this section covers best practices and pitfalls for four phases of the process:

1. Determining the objectives and selecting a data encryption technology

2. Planning the project and designing the solution

3. Preparing and configuring the software

4. Rolling out the solution.

1. DETERMINING THE OBJECTIVES AND SELECTING THE TECHNOLOGY

Many organizations run into trouble early because they don't explicitly analyze the objectives (and constraints) of their data encryption project.

What needs to be protected?

An obvious place to start is to clarify exactly what needs to be protected:

• What types of sensitive information are found on laptops? Customer and employee records, financial information, business plans, research reports, software code?

• In what types of files is this information stored? Spreadsheets, database files, word processing documents, slide presentations, HTML files, software executable files?

• Whose laptops need protecting? Key executives, the sales force and field consultants, all employees, contractors, business partners?

• Who owns the laptops? Your organization, your employees, contractors, business partners?

• Is sensitive information being copied to USB thumb drives and other removable media?

Compliance and Policies

It is also important to understand compliance and corporate policy requirements from the beginning.

Is your organization affected by HIPAA, PCI DSS or other regulations? If so, what are the expected security "best practices" for your industry?

Widely-accepted federal standards such as FIPS 140-2 address topics like the control, distribution and management of encryption keys. And data encryption may be one means of enforcing policies of your own organization concerning what information employees are allowed to access and share.

You may need to create and distribute new corporate policies. Employees need to understand that data encryption is being implemented to advance justified corporate policies, not to satisfy the paranoid fantasies of the IT security staff.


Limitations

It is also important to understand some of the limitations of data encryption technologies so you don't set expectations that the technology is a panacea for mobile security threats.

Data encryption protects data on lost and stolen devices, but it does not block employees from emailing sensitive data to outside parties, or prevent an attacker or a file-sharing program running inside the user's logged-in session from opening and transferring sensitive files, because to that session the data is transparently decrypted. You should also be deploying complementary technologies like firewalls, zero-day threat protection packages, and Data Loss Prevention (DLP) products.

File/Folder Encryption Products

There are three major data encryption technologies on the market today, and selecting the right one for your environment can have a big impact on the success of your project.

Many of the first data encryption products on the market were "file" or "file/folder" systems. These encrypt files selected by the user, or encrypt all files placed in folders specified by either the user or an administrator.

File/folder encryption solutions are very easy to implement. There are few configuration decisions to be made, and they do not conflict with patching systems, backup and recovery packages and other system software.

But most file/folder encryption products rely to some extent on user actions like selecting files to encrypt and saving files to selected folders. Unfortunately, users can rarely be relied upon to follow policies consistently. These technologies also do not encrypt temporary files and swap space, so copies of sensitive files can be found on the system in an unencrypted state. Finally, the IT staff can rarely prove to auditors that all sensitive files on remote systems have in fact been properly encrypted.

Full Disk Encryption (FDE) Products

Full Disk Encryption (FDE) solutions, as their name implies, encrypt the entire contents of a disk or volume. This includes the operating system and applications as well as data files. Typically these solutions authenticate the user at boot time, before the operating system loads. Without that credential an unauthorized user cannot read any code or files, so there is no unencrypted operating system to attack and the encryption is very hard to bypass.

Full Disk Encryption is a mature technology, and is extremely simple to configure, since the only decision is what disks or volumes to encrypt. There is no dependency on users (except to remember their passwords). It also protects the operating system, temporary files and swap space, so sensitive information is encrypted in all its forms.

However, initially encrypting the hard drive can be a lengthy process. In some cases users will see slower performance when accessing very large files (although most FDE products have reduced the performance penalty significantly over the last few years). Because FDE products replace the master boot record with their own pre-boot loader, they can conflict with backup, recovery and imaging programs. And the failure of some sectors on the disk drive can make it much more difficult to recover data.

"Intelligent Encryption" Products

New "Intelligent Encryption" products combine some of the characteristics of File/Folder and Full Disk Encryption systems.

These hybrid solutions resemble File/Folder products in that they encrypt files selectively and do not encrypt the operating system or application software. This reduces the time required for the initial encryption and avoids performance issues. In addition, they permit administrators to specify encryption for files of a certain type (say spreadsheets and database files) and files produced by certain applications (say financial and HR applications). This approach ensures that all files of these types are encrypted without relying on the user to save them to specific folders. Finally, hybrid solutions typically do not interfere with backup and recovery, patch management, or strong authentication products.

However, to ensure that all sensitive information is protected, you need to know what it is and where it resides. If you do not have a good handle on which files or file types contain confidential information it may be safer to simply encrypt everything using a FDE product. Also, in some situations there are benefits to having the extra level of authentication provided with FDE software.

2. PLANNING THE PROJECT AND DESIGNING THE SOLUTION

As with all major IT projects, a solid investment in planning can avoid innumerable headaches in the roll-out phase.

Document objectives, requirements and constraints

You should document the objectives, requirements and policy issues uncovered so far in the project, and make sure that these are understood and approved by management and by key executives of the user groups that will be affected. While data encryption should not be a significant burden on computer users, it will not be completely transparent either, so everyone needs a clear understanding of why the effort and inconvenience are justified.

You also need to identify the scope and the constraints of the project, including the time window available, the budget, and the availability of staff resources. As noted earlier, limits in the budget or staff resources could give you a reason to select a particular data encryption product or to call in the help of a consultant or a managed security services provider.

Select the project team

A typical data encryption project involves multiple teams across the IT organization. You should select a project team that includes members from:

• The security group

• The desktop group (or whoever is responsible for laptop hardware and software)

• The network administration group

• Subject matter experts in networking and firewalls.

Identify infrastructure integration tasks

You need to allocate time and resources to integrating your data encryption solution into the rest of the IT infrastructure. Changes to the infrastructure might include:

• Changes in firewall and proxy server settings.

• Adjustments to endpoint backup and recovery processes.

• Integration with Active Directory and other enterprise directories.


Allocate resources to end user and support training

Most data encryption solutions require some changes in the behavior of computer users, so end user resistance is a serious risk. It is therefore critical that you allocate resources and set schedules for educating end users. You will also need to train the help desk and IT administration groups so they can fully support the solution.

Define success criteria

Many planners neglect to define success criteria for their projects. This task is necessary to limit scope creep during the course of the project and to justify the effort to management at the end.

Decide what to encrypt

If you are implementing a file/folder encryption or intelligent encryption product then deciding what to encrypt is a critical step. For example, one intelligent product that we deploy allows you to selectively encrypt data:

• Included in specific file types (for example spreadsheets, databases, or temporary files).

• Written by specific applications that handle sensitive data, for example an accounting application.

• Written to specific disk drives or removable media.

• Associated with a specific user (if a system is shared).
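As an added illustration (not code from this white paper or from any vendor's policy engine), the following Python models the four rule types above as a policy and evaluates constructed file-write events against it. The field names, the sample policy and the sample events are assumptions for this example. It also compares an extension-only policy with the full one, to show why the application and drive rules matter: an application rule covers the extension-less temporary files a spreadsheet program writes beside the document it is saving, which a file-type rule never sees.

```python
import ntpath
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Policy:
    """Rule sets for a hybrid (intelligent) encryption client.
    Field names are assumptions for this example, not a vendor's policy schema."""
    extensions: Set[str] = field(default_factory=set)    # encrypt by file type, e.g. ".xlsx"
    applications: Set[str] = field(default_factory=set)  # encrypt whatever these processes write
    drives: Set[str] = field(default_factory=set)        # encrypt everything on these volumes (removable media)
    users: Set[str] = field(default_factory=set)         # encrypt everything written by these accounts


@dataclass
class WriteEvent:
    """A file write as a filter driver would see it (constructed for the example)."""
    path: str      # Windows path of the file being written
    process: str   # image name of the writing process
    user: str      # account the process runs as


def matched_rules(policy: Policy, ev: WriteEvent) -> Set[str]:
    """Return the names of every rule type that applies to this write.
    Rules are OR-combined: one hit is enough to encrypt the file."""
    hits = set()
    drive, _ = ntpath.splitdrive(ev.path)
    ext = ntpath.splitext(ev.path)[1].lower()
    if ext and ext in policy.extensions:
        hits.add("extension")
    if ev.process.lower() in policy.applications:
        hits.add("application")
    if drive.upper() in policy.drives:
        hits.add("drive")
    if ev.user.lower() in policy.users:
        hits.add("user")
    return hits


def must_encrypt(policy: Policy, ev: WriteEvent) -> bool:
    return bool(matched_rules(policy, ev))


def missed_by(narrow: Policy, full: Policy, events: List[WriteEvent]) -> List[str]:
    """Paths the full policy encrypts but the narrower policy leaves in the clear."""
    return [ev.path for ev in events
            if must_encrypt(full, ev) and not must_encrypt(narrow, ev)]


# Constructed sample policy: finance spreadsheets and databases, the applications
# that produce them, the removable-media drive letter, and one service account.
POLICY = Policy(
    extensions={".xlsx", ".xls", ".mdb", ".accdb"},
    applications={"excel.exe", "payroll.exe"},
    drives={"E:"},
    users={"finance-svc"},
)
EXTENSION_ONLY = Policy(extensions=POLICY.extensions)

# Constructed write events. EVENTS[1] is the kind of extension-less temporary
# file a spreadsheet program writes next to the document while saving it.
EVENTS = [
    WriteEvent(r"C:\Users\alice\Documents\budget.xlsx", "EXCEL.EXE", "alice"),
    WriteEvent(r"C:\Users\alice\Documents\5F3A2C1E", "EXCEL.EXE", "alice"),
    WriteEvent(r"C:\Users\bob\notes.txt", "notepad.exe", "bob"),
    WriteEvent(r"E:\customers.csv", "explorer.exe", "bob"),
    WriteEvent(r"C:\ProgramData\payroll\run.log", "svchost.exe", "FINANCE-SVC"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict = "ENCRYPT" if must_encrypt(POLICY, ev) else "clear"
        print(f"{ev.path:45} {verdict:8} {sorted(matched_rules(POLICY, ev))}")
    print("missed by extension-only policy:", missed_by(EXTENSION_ONLY, POLICY, EVENTS))
```

The comparison is the point of the exercise: the same five writes under the extension-only policy leave the spreadsheet's temporary file, the file copied to the USB drive and the service account's log in the clear, which is exactly the "copies of sensitive files in an unencrypted state" problem the file/folder discussion warns about.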

Design for verification

It is critical that you be able to verify that the data encryption software is operating correctly at all times. Then, if a laptop is lost or stolen, you can prove that sensitive data has been encrypted. Therefore:

• During roll-out there should be a way to verify that the data encryption package has been installed correctly. It is not enough for users to simply report that they have loaded the software on their machines, or for you to send them the software on CD and tell them to install it.

• You should be able to perform regular "health checks" to make sure the software is operational and no one has tried to tamper with it.

• You should be able to verify when laptops were updated and that they are on the latest version of the data encryption product.

This information should be captured and stored in a central, auditable log.

In many environments these capabilities are mandatory. FIPS 140-2, for example, requires a validated cryptographic module to run power-up self-tests, without any action by the user, to confirm that it is operating correctly. The Federal Trade Commission's "Safeguards" document states that companies must "check with software vendors regularly to get and install patches that resolve software vulnerabilities."

And frankly, you may get into just as much trouble for not being able to prove that the data on a lost or stolen laptop is protected as for failing to protect it in the first place.

These verification capabilities may be provided by the data encryption software that you selected, but they can also be provided, or provided better, by a mobility management platform (which will be discussed later in this white paper).


Design for Minimal User Impact

You should design the solution to have the minimum interaction with end users apart from displaying warning messages and alerts. Little or no action from end users should be required to implement or update the solution, and users should not be able to change any encryption parameters or the way in which data encryption is applied to attached devices. Users must not be able to uninstall the software by using the Windows Control Panel or deleting program files. Also, users must not be able to prevent the encryption software from executing by using the Windows Services Manager or Task Manager features. In practice this means that users do not hold local administrator rights on their laptops, or that the product's own tamper protection blocks these actions even for administrators.

3. PREPARING AND CONFIGURING THE SOFTWARE

Prepare the Infrastructure

At this stage in the process you make changes to the infrastructure so that your data encryption solution can be integrated into it. This may include changes in firewall and proxy server settings, adjustments to backup processes, and integration with an enterprise directory.

Many data encryption products work best on healthy, defragmented disk drives, so a best practice before encryption is to run a disk check (chkdsk) to find and mark bad sectors and then run the defragmenter; bad sectors hit during the initial encryption are a common cause of failed or unrecoverable drives. You should also delete all temporary Internet files on the laptops, since you won't want to encrypt them.

Finally, you should identify the corporate images of your laptops and reduce them to the smallest number possible. You will find it much easier to administer your environment if there are relatively few variations in the images.

Configure the Data Encryption System

If you are implementing the solution yourself you will need to purchase, install and configure an encryption server. You will also need to configure the data encryption clients to encrypt files and drives based on the designs you created earlier.

If you are using a "Mobility as a Service" provider like Fiberlink you will not need to install the server or server software, but you will want to work with them to develop and implement your encryption policies.

Run an alpha test

We strongly recommend running an "alpha test." This means deploying the solution on a limited number of laptops belonging to the IT staff. Often this uncovers critical issues like incompatibilities between the data encryption package and other software being used in the organization (for example the backup and recovery application).


4. ROLLING OUT THE DATA ENCRYPTION SOLUTION

The last phase of the process is to deploy the solution.

As mentioned earlier, it is critical to train end users and support staff so that they understand the justification for the project and know what to expect.

Start the roll-out itself with a "beta test" of 10-30 non-IT employees using standard corporate images. This testing will uncover not only any remaining technical problems, but also issues related to user understanding and acceptance. Document the lessons learned and make changes accordingly.

When the "beta test" is complete, you should roll out the solution to the rest of the organization in phases. This can be on a department-by-department basis. If you are deploying a file/folder encryption or hybrid encryption solution, then another approach we like is to start by encrypting only a few critical files or types of files, and then ramp up to encrypting all of the targeted files.

You should schedule checkpoints throughout the deployment phase to document the status of the process and make mid-course corrections.

At the end of the roll-out you should update the requirements documents and process plans to include new information gathered and lessons learned. These will help you when it is time to expand or upgrade the data encryption solution.

Finally, you should provide a written report to management that describes the results of the process and compares them with the success criteria you determined at the beginning of the process.

Although the processes described here involve a lot of work, it is good to keep in mind that a well-managed data encryption implementation is much less painful than notifying thousands of customers or employees that their personal data has been exposed because someone lost a laptop.


A Management and Reporting Platform for Data Encryption

As noted earlier, rolling out data encryption is only half the battle. Administrators need tools to monitor the deployment of encryption across the organization, to document the status or health of the software on mobile and remote systems, and to identify and remediate problems.

Sometimes these tools are provided by the data encryption vendor, but frequently these tools are not reliable when systems are out of the corporate office (as shown by the GAO report excerpts quoted in Figure 3 above).

STATUS AND ACTIVATION REPORTS

Figure 4 illustrates the type of reports that can help administrators track the progress of a rollout. These reports show information like how many systems have been successfully encrypted, how many have encryption installed but not active, how many systems have no encryption at all, and what different encryption products are being used.

The information in this report is obviously helpful for initial deployments of data encryption solutions, but it also helps the organization track progress over time and keep on top of events when user populations change (for example because of acquisitions or rolling out encryption to new departments). And versions of this report can be used to show managers and auditors progress over time toward 100% compliance.

Figure 5 is an example of an activation report that drills down to individual systems to show exactly which devices have been encrypted and which have not.

Figure 4: Summary reports track the progress of encryption deployments across an organization


This type of information allows administrators to go right to the unencrypted systems and troubleshoot the problem.

POLICY ENFORCEMENT AND REMEDIATION

Finally, if the mobility management platform includes software on the mobile device, the software may be able to remediate some problems. This often means automatically restarting the data encryption software if it has been turned off by the user, or a virus, or some other piece of software on the system. The management agent then becomes part of the protection and needs the same tamper resistance as the encryption client itself. Figure 6 shows a policy enforcement dashboard; the second graph in the left-hand column shows the policy enforcement and remediation actions that have been taken during the last 7 days, which in this example includes 435 automatic "Application Started" actions.

Automatic remediation actions can reduce the number of expensive calls to the help desk and reduce the time the IT staff spends diagnosing and fixing problems on remote systems. This can be particularly valuable during the rollout period for a new data encryption product.

Figure 5: An activation report shows which systems have not been successfully encrypted

Figure 6: This policy enforcement dashboard shows that 435 "Application Started" actions have been taken in the last 7 days
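The health checks called for under "Design for verification" and the summary, activation and remediation reports described in this section all reduce to the same mechanism: classify each device's agent check-in into one state, count the states, and map every non-compliant state to an action. As an added example (not the white paper's code and not MaaS360's), the Python below does that over constructed check-in records. The field names, state names, expected client version, remediation mapping and product name are assumptions; a real agent would fill the fields from the vendor's client (on Windows, for instance, from the encryption service's status and the product's own status query, or manage-bde -status for BitLocker). It also checks an asset inventory's "encrypted" claims against what the agents actually verified, which is the gap the GAO found at NASA: installed on 27 of the 29 the agency asserted.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

EXPECTED_VERSION = "4.2.1"   # assumed current client version (from the vendor's release notes)
STALE_AFTER_DAYS = 14        # a device silent this long cannot be counted as verified


@dataclass
class Checkin:
    """One agent check-in. Field names are assumptions for this example."""
    device: str
    product: Optional[str]      # None: no encryption package found on the device
    version: Optional[str]
    service_running: bool       # encryption service/driver present in the process table
    encrypted_pct: int          # share of the protected volume(s) actually encrypted
    client_files_ok: bool       # client binaries matched known-good hashes (tamper check)
    days_since_checkin: int


def classify(c: Checkin) -> str:
    """Collapse a check-in into one report state. Order matters: the most
    severe observation wins, and 'installed' alone never counts as protected."""
    if c.days_since_checkin > STALE_AFTER_DAYS:
        return "stale"
    if c.product is None:
        return "not_installed"
    if not c.client_files_ok:
        return "tampered"
    if not c.service_running:
        return "installed_not_active"
    if c.encrypted_pct < 100:
        return "encryption_incomplete"
    if c.version != EXPECTED_VERSION:
        return "out_of_date"
    return "encrypted"


# Automatic action per state; "start_service" is the dashboard's "Application Started".
REMEDIATION: Dict[str, Optional[str]] = {
    "installed_not_active": "start_service",
    "tampered": "reinstall_client_and_alert",
    "out_of_date": "push_update",
    "not_installed": "push_install",
    "encryption_incomplete": "recheck_later",
    "stale": "escalate_to_helpdesk",
    "encrypted": None,
}


def summary(checkins: Iterable[Checkin]) -> Dict[str, int]:
    """The Figure 4 style roll-up: how many devices are in each state."""
    return dict(Counter(classify(c) for c in checkins))


def activation_report(checkins: Iterable[Checkin]) -> List[Dict[str, Optional[str]]]:
    """The Figure 5 style drill-down: every device that is not verifiably
    encrypted, with the remediation action to take."""
    rows = []
    for c in checkins:
        state = classify(c)
        if state != "encrypted":
            rows.append({"device": c.device, "product": c.product or "-",
                         "state": state, "action": REMEDIATION[state]})
    return rows


def compliance_rate(checkins: List[Checkin]) -> float:
    """Fraction of devices that are verifiably encrypted (the audit number)."""
    return sum(classify(c) == "encrypted" for c in checkins) / len(checkins)


def unverified_claims(claimed_encrypted: Iterable[str], checkins: Iterable[Checkin]) -> List[str]:
    """Devices the asset inventory lists as encrypted whose agent data does not
    confirm it: the 'asserted 29, verified 27' discrepancy from the GAO report."""
    verified = {c.device for c in checkins if classify(c) == "encrypted"}
    return sorted(d for d in claimed_encrypted if d not in verified)


# Constructed check-ins covering every state; "ExampleFDE" is a made-up product name.
SAMPLE = [
    Checkin("LT-001", "ExampleFDE", "4.2.1", True, 100, True, 1),
    Checkin("LT-002", "ExampleFDE", "4.2.1", False, 100, True, 2),   # service stopped
    Checkin("LT-003", None, None, False, 0, True, 1),                # never installed
    Checkin("LT-004", "ExampleFDE", "4.2.1", True, 63, True, 0),     # initial encryption still running
    Checkin("LT-005", "ExampleFDE", "4.1.0", True, 100, True, 3),    # old client
    Checkin("LT-006", "ExampleFDE", "4.2.1", True, 100, False, 1),   # binaries modified
    Checkin("LT-007", "ExampleFDE", "4.2.1", True, 100, True, 30),   # not heard from
]

if __name__ == "__main__":
    print(summary(SAMPLE))
    for row in activation_report(SAMPLE):
        print(row)
    print(f"compliance: {compliance_rate(SAMPLE):.0%}")
    print("claimed but unverified:", unverified_claims({"LT-001", "LT-002", "LT-003"}, SAMPLE))
```

Two design choices carry the security point. The classifier treats a device as encrypted only when every observation agrees (package present, binaries intact, service running, volume fully encrypted, current version, recent check-in), so "installed but not functioning" can never be reported as protected; and a device that has stopped checking in is pulled out of the compliant count rather than carried forward on its last good report, because a stale record proves nothing about the laptop that is now missing.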


MORE ON MOBILITY MANAGEMENT PLATFORMS

Fiberlink is the world's leading provider of "Mobility as a Service."

"Mobility as a Service" means enabling productive, secure mobile work by delivering and managing mobility-related technologies as hosted services.

In practice this means offering a wide range of connectivity and security products, and allowing organizations to use Fiberlink's global web-based infrastructure to deploy and manage them.

For example, with Fiberlink's services enterprises can deploy and manage not only data encryption packages, but also anti-virus and patch updates, data loss prevention (DLP), media encryption and port control (USB control), backup and recovery, VPNs and other security technologies.

Fiberlink's MaaS360™ Visibility, Control and Mobile services provide visibility into laptops and remote devices and help administrators control software and security on those devices.

These services are based on the MaaS360™ Platform, a unique cloud-based platform that provides a single portal for IT operations and security personnel to monitor and manage laptops and remote systems.

Fiberlink also offers connectivity and remote access services, so mobile workers can connect with the Internet and corporate networks anywhere, using one standard user interface for all connection types (including Wi-Fi, 3G mobile data network, corporate WLAN, broadband and dial-up).

Enterprises that utilize Fiberlink's Mobility-as-a-Service offerings can speed up the deployment of new mobility-related technologies, reduce the cost of managing those technologies, improve security, increase the satisfaction of mobile workers, and streamline the collection of compliance data for audits.

For more information on Fiberlink's MaaS360 Visibility, Control and Mobile services and Fiberlink's Security Services, please see Fiberlink's home page and related pages on the web site.

FOR MORE INFORMATION

For more information on Fiberlink's technology and services, contact Fiberlink at: 1787 Sentry Parkway West, Building 18, Suite 200; Blue Bell, PA 19422. Phone 215.664.1600; Fax 215.664.1601. www.fiberlink.com

0823-0709