Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

“Pragmatic” CSO veneer starts to peel off.

Mike Rothman, normally a sharp guy, just blew it so hard in this quote that I had to drop what I was doing (all 25 things, actually) and rant about it.

So what? - This puff piece in ESJ about PGP isn’t worth too much. But it gives me an excuse to once again talk about STRATEGIC use of encryption. This idea of encrypting everything is stupid. There is a cost to encryption and it’s not just the cost of buying PGP (or your favorite other encryption vendor), there is a lot of management and performance overhead. So you encrypt what needs to be encrypted. Sensitive and private information. Intellectual property. You get the drift. But when thinking about encryption, start with the data and work outwards. Not the other way around.

In the words of a former colleague, “You don’t even know how wrong you are.”  Here are the problems with that platitude:

1.  Not everyone in your organization knows for sure what constitutes “sensitive and private information.”

2.  Even if they know, it’s probably not tagged and organized to the point where they know where all of it is.

3.  You can’t keep it in one place.

Data is created all the time.  It’s copied.  It flows into every nook and cranny, with every email, every cut and paste, and every drag and drop.  I dare you to show me any non-DoD installation where they can afford to encrypt ONLY the sensitive data and be sure they’re not missing anything. 

The first question you ask when a laptop or tape or anything else goes missing is:  “What was on it?”  And nine times out of ten, even the one who used it the most can’t tell you for sure.  “Are you SURE there was no sensitive or private data on it?”  “Uh, pretty sure.”  Try saying that in front of your legal staff.

It is much, much easier to encrypt whatever your users touch so that they don’t have to ponder, with every file they create and every word they type, whether they should be putting it into a special volume somewhere.  Hell, just try to get them to do record retention—good luck.

Users don’t want to be burdened with meta-thoughts about their data.  They just want to get work done. 
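To make points 1 through 3 concrete, here is an added Python example (not from the original post, and not any vendor's tooling). It builds a constructed, in-memory picture of one user's disk: the one folder the user declared as the "sensitive" volume, plus the Desktop note, the autosave temp file and the email draft that the same record has leaked into. A pattern-based scan then measures how much of the sensitive data the declared location actually covers. All paths, names and the record itself are made up; the SSN regexes are ordinary illustrative patterns, and the loose one shows the trade-off a real discovery tool has to make.

```python
import re
from typing import Dict, Set

# Constructed sample "disk": path -> file contents. Hypothetical Windows
# laptop; every path and every value here is invented for the example.
SAMPLE_FILES: Dict[str, str] = {
    # The one place the user *says* sensitive records live.
    r"C:\Users\alice\Documents\Secure\customers.csv":
        "name,ssn\nJ. Doe,123-45-6789\n",
    # A cut-and-paste into a desktop note.
    r"C:\Users\alice\Desktop\notes.txt":
        "call back J. Doe re ssn 123-45-6789 tomorrow\n",
    # An autosave copy the word processor left behind.
    r"C:\Users\alice\AppData\Local\Temp\~WRL0001.tmp":
        "autosave: 123-45-6789 pending\n",
    # A mail draft where the record was retyped without dashes.
    r"C:\Users\alice\Documents\Outlook\Drafts\re_account.eml":
        "Subject: re account\n\nper your request the SSN is 123456789\n",
    # Harmless file, for contrast.
    r"C:\Users\alice\Documents\todo.txt":
        "buy milk\n",
}

# Where the user declared sensitive data to be (the "special volume").
DECLARED_SENSITIVE_DIRS: Set[str] = {r"C:\Users\alice\Documents\Secure"}

# Strict pattern: only the canonical dashed form.
SSN_DASHED = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Loose pattern: dashes optional. Catches retyped copies, but any
# 9-digit number (order ids, phone fragments) becomes a false positive.
SSN_LOOSE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def find_sensitive_paths(files: Dict[str, str],
                         pattern: re.Pattern = SSN_DASHED) -> Set[str]:
    """Return every path whose contents match the given pattern."""
    return {path for path, content in files.items() if pattern.search(content)}


def in_declared(path: str, declared: Set[str]) -> bool:
    """True if the path sits under one of the declared sensitive directories."""
    return any(path.lower().startswith(d.lower() + "\\") for d in declared)


def inventory_gap(files: Dict[str, str], declared: Set[str],
                  pattern: re.Pattern = SSN_DASHED) -> dict:
    """Compare what the scan finds with what the user's inventory covers.

    'coverage' is the share of files holding sensitive data that a
    selective-encryption policy keyed to the declared folders would protect.
    """
    found = find_sensitive_paths(files, pattern)
    covered = {p for p in found if in_declared(p, declared)}
    return {
        "found": found,
        "covered": covered,
        "uncovered": found - covered,
        "coverage": len(covered) / len(found) if found else 1.0,
    }


if __name__ == "__main__":
    for name, pat in (("dashed", SSN_DASHED), ("loose", SSN_LOOSE)):
        gap = inventory_gap(SAMPLE_FILES, DECLARED_SENSITIVE_DIRS, pat)
        print(f"[{name}] found {len(gap['found'])}, "
              f"covered by declared folders {len(gap['covered'])}, "
              f"coverage {gap['coverage']:.0%}")
        for p in sorted(gap["uncovered"]):
            print("   unprotected copy:", p)
```

The strict scan finds three copies of the record and the declared folder covers one of them; the loose scan finds a fourth copy in the mail draft, at the price of matching any nine-digit number elsewhere. Neither number is something a user could have reported from memory, which is the argument for encrypting the whole device rather than the folder the user remembered.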

And that’s the truth-thpthbpthbpthbpthb.

Posted by shrdlu on Thursday, February 01, 2007
(6) Comments

Comments

LonerVamp United States on 02/01 at 03:53 PM:

You know, I very nearly commented on Rothman’s blog when I read that as well. I also think he has that wrong.

I cannot really trust users to put sensitive files into special encrypted lockers on their desktops, even if they get browbeat into knowing how to properly do it. People just don’t. Some people store their junk in My Docs, on the Desktop, in a folder on the C:\ drive, in a different folder structure, and so on and so on. Not to mention how Windows loves to hide temp copies all over. And what about things deleted that can be recovered?

No, the eventual solution is full-disk encryption by default. The performance hit is not all that great, especially since we’re not talking about gaming rigs that need to tweak those last half dozen FPS in order to be competitive. These are predominantly business people who have relatively small needs as far as performance. Besides, if someone needs performance, they shouldn’t necessarily be on a laptop, and FDE applies more to mobile laptops than stationary, “protected” desktops.

If there is data at rest on a mobile device, it needs FDE.

The only real question that arises is twofold: how does IT staff recover that data when the user inevitably screws something up (and not allow a backdoor for crackers), and how does IT centrally manage those settings/passkeys/audits? Those questions will differentiate the corporate FDE/disk encryption products.

[email address hidden] United States on 04/27 at 02:21 PM:

I hear you.  But let me play devil’s advocate and suggest that the user awareness scenario you described is the problem itself.  Good data classification policy puts the primary security responsibility on the owner of the data.  We as security practitioners are simply caretakers to this data.  It is their data, not ours.  Encrypting everything is expensive, difficult to do right and it can get real silly real fast.  If the users are well trained and aware of security policy, you are killing like three birds with one stone.. cost savings on encryption, better general security awareness, more efficient/effective compliance, etc.

shrdlu United States on 04/27 at 02:40 PM:

James, excellent point.  You’re right that awareness is well over half of the equation.  But let me put out a concrete scenario for you:

Have you ever tried to make a list of the “owners” of all your organization’s data?  Have you gotten actual names, and gotten those people to agree that they’re the owners?  How did you define the data that they’re owners of?  By directory structure on a server?  By business area?  Do they get to make up the IT rules on how their data is stored, transmitted and handled?

I’m stacking the deck a little here, because I’ve already tried answering all of those questions.  Just try making a spreadsheet with data and owners—two columns—and see where that gets you.  If you’re like me, you’ll end up with very vague descriptions of data that match the business area, because that’s the clearest way to associate everything:  by org chart. And that doesn’t say ANYTHING about where that data is stored, which could be multiple places.  (It all gets mixed up in the email, for example.)

And if you try asking a managing director what she wants her policy to be on encrypting the data she “owns,” chances are, she’ll get that deer in the headlights look and ask you to suggest something.  Not only that, but most CEOs are not happy to let their directors make different security decisions that may compromise the reputation of the WHOLE company.  They want one policy, applied across the board.  Do you make the CEO the owner of ALL the data, or is that kind of a cop-out?

My tactic is:  encrypt everything, no matter what it is, on anything that has a certain chance of getting lost or compromised.  Mobile devices and media are in the outer, most exposed layer; so is anything exposed to the Internet.  (Oh no, I’m getting into the “security is an onion” analogy!  The more you dissect it, the more it makes you cry.) 

Anything that is accessed by a limited number of individuals is easier to encrypt.  But once you have an internal server that is being accessed by everybody, I don’t see the gain in using full-disk encryption—your security protection is reduced back to the strength of your users’ passphrases on their keys and/or accounts. (Unless you’re worried about the server physically being carried off, which I HAVE seen happen before.  But that gets you back to my criteria above.)

So, more mobile + more exposed + few users = encrypt it all, no-brainer.  At least, that’s the way I look at it.  But I’m going to hear Marcus Ranum talk on FDE next week, and maybe he’ll have better wisdom to impart.

[email address hidden] United States on 05/08 at 06:40 PM:

Well said.

It’s funny.. the spreadsheet of “who owns what data” you mentioned - I have that -  ..And the challenges you noted - oh, I have those too. 

For the size of company I manage security for (<$200M mkt cap), this approach makes the most sense.  Make the owner responsible for their data and provide encryption capability/tools for anything they classify as restricted.  Behind the scenes.. IPSEC and SSL on the wire for whatever I can and PGP full disk encryption for any data at rest that can (or must) be protected. I send out the spreadsheet (requesting adjustments) and a copy of the Data Class policy quarterly.  We also use this data owner matrix for Help Desk to know who can approve access to that data. I put a lot of responsibility back on Business/data owners.

However for any larger company, like the one I used to work for.. negatory.  My process would be impossible to manage.  Isn’t there a tattoo or something, “Encrypt it all and let God sort it out” ?

Cheers!

shrdlu United States on 05/09 at 06:15 AM:

James, are you, like, my evil twin or something?  I have used that exact same last phrase of yours in my mind more than once ...

And yes, for my size of company, let’s just say we have about 50 ... organizational silos.  And a lot of them want to stay that way.  Dang, they’re worse than the French.

But it’s good to know that someone out there is actually managing this stuff!  Maybe you should write a book.  “The Even Pragmatic-er CSO.”  ;)

[email address hidden] United States on 05/09 at 01:37 PM:

Dude, I totally dig this site’s email notification on replies! :)

I actually manage (more on that in a second) our data ownership on our file server. On the main share, each folder is “owned” by someone, and that person is the one who decides things about that data, or is someone who should be knowledgeable about it. I keep this 3 column list (I track changes in it too) in a spreadsheet.

Now, sadly, this is just lip service and a foundation in case the company or anyone beyond 2 of these 40 owners gives more than a shit about their data. Sadly, no one cares or even thinks about this beyond those couple people and us IT staffers. And there is no penalty or mandate to make sure data is properly stored or managed or tracked.

But that is neither here nor there in my company, and neither is it something IT can do in an empty vault.

I am of a mind to encrypt it all. Less complication, less one-offs, less need to have people who don’t give a shit and have zero training on data management and sensitivity try their hand at it. (We don’t encrypt the file servers, though.)

Of course, I wish it were that simple and that’s all that was needed, but even with encryption, if a data owner does the stupid thing and says, “why, everyone in the company needs access to my data…” and 2 years later throws in sensitive information into that share, there’s not as much I can do without a mandate from senior mgmt to be aware of these things and police them. :(

Woot, long posts for an afternoon spent off work enjoying the beautiful day we have here! :)
