Perspective: Locking down laptops before it's too late

Confidential, invaluable business and personal data are at risk when laptop computers are misplaced or stolen. Companies large and small, public and private, are all at risk.

Within the past year, the Veterans Administration lost a laptop holding information on 26.5 million individuals, the Internal Revenue Service lost or misplaced 500 laptops, and Boeing reported the theft of a laptop with files that contained Social Security numbers for more than 300,000 of its past and present employees.

Unfortunately these incidents are far from unusual.

During 2005, 20 percent of all banks, 18 percent of credit card companies, 13 percent of government organizations and 9 percent of health care companies reported data breaches--and that number is growing.

Clearly, something must be done before one of these breaches bankrupts a company or threatens national security.

The real and associated costs of data breaches are staggering: In 2006, corporations that experienced a data breach spent an average of $5 million trying to recover data. Customer relationships suffer, too; among consumers that discovered their data had been lost, 20 percent terminated their relationships with the company, another 40 percent considered terminating their relationships, and 5 percent considered legal action.

Clearly, something must be done before one of these breaches bankrupts a company or threatens national security.

The government has begun to address the issue with recently enacted legislation. Federal laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) make the security of critical digital content--including the secure disposal of electronic files to end the data lifecycle--a fundamental requirement. On a state by state basis, 29 states thus far have enacted data protection legislation and 28 of these laws have provisions calling for the encryption of digital content.

The flaw with current legislation is that it does not specify how to encrypt data--and that's critical. If agencies and companies encrypt their data using software, it's like locking individual car engine components?-time-consuming, expensive and fraught with failure points. By contrast, hard drive full disc encryption is similar to a car key: it protects everything from the engine to the dashboard with a single mechanism and point of entry.

Hard drive full disc encryption is straightforward; it automatically protects every bit of computer data without any human intervention. It makes any data stored on a stolen or lost notebook unreadable and unusable forever. It can also automatically "repurpose" existing laptops or deny access to data when computers reach the end of their useful life. No need to smash a drive with a hammer or use special software to wipe it clean. By simply changing the encryption key on the disc, all stored data is instantaneously rendered unreadable and unusable forever--saving both time and money.

The advantages of hard drive full disc encryption are clear; the dangers of stolen and misplaced laptops are overwhelming. To thoroughly protect sensitive information, government and business organizations must mandate hard drive full disc encryption--especially for mobile workers--to help keep data from falling into the wrong hands. The time to lock laptops down is now.

Biography
Bill Watkins is chief executive of Seagate.

More Perspectives

[Tronman161]

Destroying Data

I was always taught the only 100% secure way to erase data on a disk is to smash it with the ol' hammer. Is this full disc encryption thing really that secure?

[dargon19888]

No.

Nothing short of physically destroying the medium is secure...

[Phillep_H]

Erasing data

You are mixing two different things.

Encryption is not erasing, it's just making it so no one else can easily read the information. Nor can you, if you forget the key.

For erasing, even a hammer /might/ not work, if you don't do a real good job. You have to figure what threat level you want to deal with, for either.

[fitzgm3]

Keep the data off the laptop

This shouldn't even be an issue. There is no reason for this data to be on a laptop in the first place. Sensitive data should be kept in a data center where a access can be controlled and tracked.

Encryption is great but it provides a false sense of security. What happens when the laptop is stolen while it is running. It is akin to someone leaving the keys in the car.

The best way to keep this data secure is to ensure there are no copies made out side the secured data center.

[jmartin724]

unfortunately...

There are entire offices in the government that use only laptops in their organization, for ease of use when traveling. IF that is their only machine, then all their work, sensitive or not, will be on it. Having a laptop is only following policy. It is easier to encrypt a laptop than to change policy from the top level of an organization.

[garyrgilbert]

Disk Encryption Speed

I had full disk encryption and it was slow, took forever to boot up! The technology needs to improve or the laptops need to be really fast (loads of ram) to compensate. It's frustrating when you are trying to develop software and have a slow computer/laptop!

[J_Satch]

I don't know how long ago...

...you used it but it is not slow now and does not require loads of ram. Maybe it's come a long way since you last used it or maybe you had to use a poor product.

[timcoyote]

Work at Work - Physical Security

We never had this problem when we all worked at work instead of taking our laptops home and working. Our homes and cars are not as secure as the workplace and we are not security minded outside the office. I don't work at home, not ever, I go to the office, so even if I had a laptop (I save the company $ by just getting a desktop computer) it would just stay at home...I know I know, I'm old fashioned and I should take work home and work extra and ignore my kids and I should live far away from the office so I need a laptop to work weekends, but I don't. And I should take a laptop on trips so I can do work instead of focusing on whatever conference, training or meeting I traveled for, but I don't. I'm a terrible person.

[DecliningUSDollar]

Seagate is struggling a bit ...

Seagate is struggling a bit with a few issues. One issue is that HDs are, or have become a commodity, so Seagate is trying to promote this as something that will justify a $/GB; however, there likely needs to be some triggering event ... 500,000 CC numbers and names lost along with the associated identity theft. In the mean time, I'm sure that Seagate will continue backing/financing those who push legislation that will force others to buy and use their technology.

[DecliningUSDollar]

edit

^higher $/GB

[euspos]

You are trusted...

When you carry a laptop you are trusted with taking the company's data "outside" - and will have to behave like that as well.

For someone traveling in sales, not having (needed) data on a laptop would be like trying to empty the ocean with a coffee cup.

I had - and struggled - with full hard disk encryption (PointSec). Why on earth would you need to encrypt the OS? No, encrypt the data stored, with as a secury method as possible.

Why? I had my laptop "crash" more than once. In most cases it was the MBR that got corrupted. On a "non-encrypted" disk this would have been a matter of minutes to fix. In my case, local IT staff (HP Services) were not trusted with tools to work around encryption. Laptop shipped to US HQ where not even there technicians were trusted with keys to bypass encryption. Keys needed to be obtained from overseas, and then it still took them time.

All in all, I was w/o laptop for about 4 days. 4 critical days in a customer relation.

A laptop in the wrong hands is just like a company car in the wrong hands. It can be a very devastating tool, even lethal. In the right hands (a trusted employee), it is a great productivity tool.

Never again FULL hard disk encryption! Encrypt the data and be done with it!

[247mark]

Naive

The law should not tell people how to encrypt their data. It is enough that the law requires encryption at all. However, to assume that the encryption will render the data useless seems naive. As we move forward, technological advances will likely require us to revisit security standards. Security of the past is no guaranty of security for the future. You'd think someone in a business of making hard drives, something so essential to information technology, would understand this.

[LuvThatCO2]

TrueCrypt

If you dont want to do full drive encryption, there's an open-source alternative called TrueCrypt. It will create encrypted, virtual 'drives' from either unformatted space on your drive, or out of large files.

I've been using it for a while on my laptop to secure my source code and email. Very easy to use, no noticable speed issues.

Will it keep my data safe from the Russian intelligence service? Who knows. But it will keep it safe from just about anyone else - particularly your average street urchin who steals laptops.

[euspos]

TrueCrypt

Thanks for the tip. Will check this one out.
Used PGP in the past but was not to happy. It needs to be "invisible" and if TrueCrypt works as you say, it might fit the bill.

Open source as well, even better!

[dargon19888]

Kind of a self serving article..

Here is the CEO of the hard drive manufacturer.
What he would like to do is to tell everyone that by adding some additional hardware to the drive, his company can secure hard drives from divulging their secrets.

Ok. Fair enough. Add to the price of the hard drive, increase the latency and read/write times all in the name of "security".
Only problem, no one knows which or how much security is needed.

And does this really lock down the data? What happens if the user of the computer doesn't have a password?

In truth, there is no simple single silver bullet when it comes to data retention and security issues.

[DecliningUSDollar]

Users - Password

Are these the same users who cannot remember one network password?

[gggg sssss]

windows EFS

free, built in, encrypt just a dat apartition / volume / folder as needed - does naybody know if it is fast enough?

[hddguru]

disk drive encryption speed

Having the encryption technology in the disk drive is much faster than software solutions and is not prone to eavesdropping and keylogging attacks. Passwords are entered during computer BIOS start.

In the HDD solutions I've read about, the 3DES/AES encryption is done in hardware at full disk data rate and adds no measurable access time or latency penalties to performance, so it is transparent to the user.