Feds' Edict To Encrypt Hard Drives Gets -- You Guessed It -- Ignored

from the surprise! dept

Back in May, the Transportation Security Administration did its best to gloss over the fact that it lost a hard drive containing personal information on some 100,000 of its employees by putting out a press release about it at 7 o'clock on a Friday evening. Now, a few months later, it's disclosed that the drive wasn't encrypted (via Threat Level), in contravention of a White House order from last summer saying that all devices containing personal data need to be encrypted if they're taken outside secure areas. As we've noted, these sorts of edicts and guidelines are meaningless unless they're actually followed, and non-compliance brings real repercussions.


Reader Comments

  1. MiniDevil, Jul 17th, 2007 @ 5:36pm

    That's lame.

  2. Anonymous Coward, Jul 17th, 2007 @ 5:42pm

    Repercussions?

    It sure doesn't look like there are any repercussions for the jerk that lost the hard drive.

  3. Ray Trygstad, Jul 17th, 2007 @ 5:54pm

    The problem is UNFUNDED edicts

    Based on my experience as an Information Systems Security Officer in the Navy, the problem is that when these edicts are made there is never any accompanying funding to carry them out. It's not that the people WANT to ignore the edict; it's just that's the way the system works: someone makes a rule without considering the cost of compliance and certainly without ensuring that funds are made available to comply. Since there is no money to fund it, it's not possible to comply, even if you really, really want to.

  4. matt, Jul 17th, 2007 @ 5:56pm

    no, the problem is thinking you need money

    If you need extra money to encrypt the data on your hard drive, then you have problems on an employee level, not on a funding level.

  5. Anome, Jul 17th, 2007 @ 6:05pm

    Typical

    I have to say that it seems a typical approach to security. No-one wants to do stuff they see as being a waste of time, no matter how important it might be. Encrypting data is one of these. It's much more convenient to just leave it, and worry about losses later.

    And if the real reason it wasn't done was a lack of funding, then as Matt said, you have bigger issues. Software to encrypt data is relatively cheap. Otherwise, don't let anyone take the data out of a secure area. An organisation that is chiefly concerned with security ought to already have sufficient resources allocated to protect this kind of data.

  6. Byron Ware, Jul 17th, 2007 @ 6:18pm

    Lost Drives

    Should this be a surprise? Give us a break, it's just leading to a mandated I.D. system. We all know it, we're just cattle on the way to the, oh well, you know the picture...

    Good Day

  7. Mark Ohiosikha, Jul 17th, 2007 @ 6:37pm

    Lost Drives

    Cost? How about free hard drive encryption software from Microsoft? Must every solution involve a zillion dollar contract?

  8. erstazi, Jul 17th, 2007 @ 6:46pm

    Re: Lost Drives

    Or even better, an open source solution for hard drive encryption like truecrypt (Microsoft or GNU/Linux) or StegFS (GNU/Linux only). Both of these two are great examples of Open Source applications.

  9. Dosquatch, Jul 17th, 2007 @ 6:57pm

    Re: Lost Drives

    Even if the software comes for free, there are costs. The IT staff must construct a deployment plan that minimizes downtime while taking every precaution, imaginable and unimaginable, to ensure that there is no chance of lost data during deployment. There are tests that must be carried out looking for unintended consequences ("Whaddayamean, the backup solution won't work on an encrypted drive??!?") There is the downtime while the solution is being rolled out. There is user training. There is support after the fact. There are the ongoing costs of making sure that the solution stays patched against vulnerabilities going forward.

    On any large-scale enterprise deployment, the cost of the software is NEVER the only cost, and quite frequently not even the major portion of the cost.

  10. Byron Ware, Jul 17th, 2007 @ 6:58pm

    Mark O. and Microsoft

    Right on! Back to the H. drive vanishing. You folks most likely already know of the super computer (no companies mentioned) that soon will be on the job that can process one quadrillion bytes per second, that's 33 thousand bytes per second on every person on earth. I do not know (size wise) how big it is, I don't think it would fit in my study... Keep mouth shut while cruising on Bike @ nite, Take care.

  11. Anonymous Coward, Jul 17th, 2007 @ 7:00pm

    Re: Repercussions?

    I'm not sure it's the person who lost the device that's to blame (after all we don't know the details).

    It's whoever is in charge of security in said department, since he didn't apply the edict, plus the hard drive could be stolen.

  12. john, Jul 17th, 2007 @ 7:02pm

    Lost Drives

    Actually, OMB issued the directive knowing that there were only a few encryption solutions that meet NIST standards (encryption solutions not NIST compliant cannot be used) and told agencies to come up with the money out of existing budgets. Then they started a "Smart Buy" initiative to identify a range of appropriate products and told agencies that they needed to hold off on making any purchases until they (OMB/GSA) got this purchasing vehicle in place (which was done just a few weeks ago). Now agencies need to determine which solutions work best with their enterprise architectures, and figure out how to roll the solution out. There is a lot to this with key issues being impact on existing backup solutions and key management. So doing it right and by the rules is not as simple as it seems.

  13. Brian, Jul 17th, 2007 @ 7:05pm

    not as easy as it sounds

    Those who will say funding is irrelevant have never worked in IT. Cost is only a small problem tho.

    I am a civilian contractor for the Navy, and we've been encrypting our laptops since last summer. They jumped right in with zero thought given to the consequences, and now security is WORSE.

    First, we're talking volume encryption (it's pointless if you can mount the drive in linux and bypass the free crap suggested above), and I've never seen a free solution that easily lets you boot into XP with a fully encrypted HD. The options that do are actually pretty dangerous from my experience. The ATA standard makes allowances for bad sectors, etc, and the encryption breaks that - at least to the point where it would take 2 years for an emergency decryption. Oh yeah, warranties don't cover a HD that died due to a bad sector + encryption... Free?

    Long story short, word has gotten around that if you have even a minor HD problem, your data is gone forever. So now we're fighting users who "back up" their data on unencrypted, personal USB devices. Turns out those things are FAR more easily/likely to be lost and/or stolen.

    It's a joke - however I blame most of the problem on the lack of user education. Zero training is offered on any of this crap.

  14. Lawrence D'Oliveiro, Jul 17th, 2007 @ 7:35pm

    Still Relevant After All These Years...

    Why Johnny Can't Encrypt. Because ordinary people still can't figure out encryption.

  15. Anonymous Coward, Jul 17th, 2007 @ 7:47pm

    Re: no, the problem is thinking you need money

    "if you need extra money to encrypt the data on your hard drive, then you have problems on an employee level, not on a funding level."

    Employees require funding. People don't work for free.

  16. Bill, Jul 17th, 2007 @ 9:19pm

    Anyone that thinks drive encryption costs nothing has little foresight, at best. As a previous poster already stated, it would have to be full volume encryption and must be seamless in windows. Data loss during a hard drive failure is almost a given. Users need proper training on what can, can't, should, and shouldn't be done when working with encrypted volumes.

    The bottom line is these solutions DO cost money (a great deal, actually) and none of them are as perfect as they need to be to truly integrate in a large business.

    It's one thing to say "all hard drives with personal information will be encrypted", it's a completely different thing to actually do it.

  17. Sean, Jul 18th, 2007 @ 1:09am

    Encrypted hard-drives - and then what?

    Ok so everyone encrypts their hard drives. For a corporation with lots of cash, a laptop life of 2 years is standard. For the government, usage until failure is probably more likely. This means that everyone has to ensure that all their data is backed up somewhere for when HD failure occurs (here's a hard fact guys - the rate of hard drive failure is 100%). Now how are you going to encrypt those backups? How are you gonna get the data off the laptop and onto the backup system? Are you gonna run encrypted networks?

    Encryption is free? In what universe?

    I reckon the best thing is to ban all personal computing devices and return to working off mainframes and dumb terminals.

  18. Enrico Suarve, Jul 18th, 2007 @ 2:04am

    Re: not as easy as it sounds

    And all the others who said the same basic thing

    Sing it loud brothers!! - I feel your pain

    The problem with large scale IT support is there are always a million experts who have a friend that did it once on their home system for a few bucks or with open source software so it must be easy

    Yeah right - the trick to large scale IT support isn't gadgets, hardware, flashy software etc. It's picking the right *solution* to support the business both during and after the rollout. The software usually has to be vendor supportable, open source has the distinct disadvantage that its source code is open to all (so not great for a security app you are relying on), and that in my experience if you end up with a problem that is almost unique to your build (not too uncommon) you are basically alone

    You have to be able to plan a rollout which will not stop the business dead in its tracks, if you're 24x7 this can sometimes mean installing temporary clusters and almost always means shit loads of overtime. On the subject of clusters - you probably want to test in a model office environment what happens if one half of the cluster is encrypted but not the other....

    For a major mid-high risk rollout like this (I don't know of an encryption project that didn't screw up some drives) you need to invest time in communication - otherwise you end up with exactly what Brian states: users panicking and backing up data to their MP3s. Hell if you are sensible you probably want to ensure you have some form of workstation backup solution before you go about this, or at least a few fast USB hard disks to do temporary backups at the users' side before going ahead (which again requires more staffing, business disruption etc)

    You'll want to make sure your support staff have adequate training in how to work the software, diagnose faults with it or are even basically aware of it - this includes your helpdesk - how are they going to support remote users?

    On the subject of backups as already mentioned you need to make sure that you can backup encrypted disks so more testing - I reckon you'll probably also want to see what happens if you need to roll back due to a fault and your full backup is unencrypted but the incrementals aren't

    On that note - roll back plans....

    I'll stop, but you get the idea, there is a shit load more to consider in a large rollout of this level of software than most people initially think and almost every aspect involves increased cost and/or business disruption. The faster you want to go, the deeper pockets you need

  19. Anonymous TSA contractor, Jul 18th, 2007 @ 5:01am

    TSA is dumb

    I'm a contractor at TSA. I asked to be issued a desktop because I never take the computer home, but they gave me a laptop. They installed encryption software on it, but never told me how to use it. I've been here four months and just this week got a cable lock for the laptop. Then, they told my entire department that everyone has to take their TSA laptop HOME EVERY NIGHT until further notice.

    Now, luckily there's nothing even vaguely sensitive on my laptop. But I find it hard to believe that it's safer in my bag riding the Metro than it is locked to my desk in a secure building with 24 hour security.

  20. SailorRipley, Jul 18th, 2007 @ 8:32am

    Bitching about the costs and the logistics

    I see plenty of reactions here going on and on about the logistics, the planning, the costs, the roll out, testing, etc... to encrypt every computer.

    However, the order/edict is: "all devices containing personal data need to be encrypted if they're taken outside secure areas".

    (to keep in with the TSA example:) Just how many TSA computers do you think have the personal information on some 100,000 of its employees and are taken outside of secure areas?

    I don't know how many computers/drives we're talking about here, but objections to the cost and logistics to encrypt every computer/drive aren't relevant (unless said personal information would be stored on every single TSA computer/drive).

    I would assume that in effect it's only a small portion of all TSA drives/computers that have said personal information (so even if all those drives do leave secure areas, the actual required work is much smaller than assumed here).

    And if the majority of TSA drives have large amounts of people's information on it, there are larger fish to fry (global TSA stupidity) than figuring out how to encrypt drives, because that would be treating a symptom, not the (stupidity) disease.

    PS: Brian, why would you need a fully encrypted drive? If the confidential data is encrypted, that is sufficient; encrypting the rest of the drive at best obscures the issue slightly, and as we know, security by obscurity is never good...

  21. Brian, Jul 18th, 2007 @ 9:23am

    SailorRipley

    COE - common operating environment = all of our laptops and PCs are essentially the same eqpt running the same image. You see that in every large organization. If you treat every machine on a case by case basis, you just doubled the cost (and my staff).

    Why do you need a fully encrypted drive? Ask the NIST, not me. I believe "ease of use" is the primary factor (from my point of view at least, I'm sure those 4 levels above me would differ). It's much easier to explain to a user that they now need to log in one extra time when the PC boots than it is to train them to use encrypted stores. Not to mention what data needs to be encrypted and what doesn't. One note - none of our users have personnel data, I'm talking about sensitive/proprietary design data for ships and weapons systems (and not classified data - that has its own policy universe)

    One thing I think we all take for granted here is user savvy (or the lack of it). If all the users were computer experts, I'd be out of a job. For the majority of my users (3000+ at last count), all they really know is their next deadline and how they'll never meet it if they experience even a small glitch.

    It's

  22. Enrico Suarve, Jul 18th, 2007 @ 9:45am

    Re: Bitching about the costs and the logistics

    Good point - perhaps we have missed the mark slightly, although depending on their business processes it may actually be an awful lot of drives that have 'some personal data on them' - granted not all would have 100,000 records but that's not the edict

    You are right however - I think perhaps we are just applying the 'what would we like to see happen' logic rather than 'follow the edict' which would have been more appropriate for this post

    Re encrypting just the data though - this is not usually a good, reliable method, for the reason that in these cases the key is either likely to end up stored on the same drive as the data, or be one the user can remember (i.e. easy). Bear in mind that you don't have as many time/detection constraints with data that's on a drive in your hand, so brute forcing becomes a viable option. Full hard drive encryption is the avenue I would go down for immediate strong & reliable protection and then work to build in other safeguards such as individual data encryption later
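The point Enrico makes above (a drive in someone's hand removes the lockout and rate limits a login screen would impose, so a user-memorable password becomes the weak link) can be put in numbers. The block below is an added example and is not code from the thread or from any product mentioned in it; it assumes a hypothetical file-level tool that derives its key from a password with PBKDF2-HMAC-SHA256 and stores the salt next to the ciphertext. It measures how fast one CPU core can run that derivation and converts password entropy into expected search time, which is the check a defender would do before accepting "just encrypt the data" with a memorable password.

```python
import hashlib
import math
import os
import time

# Added example; the KDF parameters are an assumption, not any vendor's setting.
# A file-level tool that stores the salt beside the ciphertext lets whoever holds
# the drive run derive_key() offline as often as their hardware allows.
ITERATIONS = 600_000  # hypothetical PBKDF2 work factor; raising it slows every guess


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte key the way a password-based file container might."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password of `length` symbols chosen uniformly."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """On average half the keyspace is tried before the right password turns up."""
    return 2.0 ** bits / 2.0


def guesses_per_second(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure derivations per second on this machine at the given work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"probe{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def expected_seconds(bits: float, rate: float) -> float:
    """Expected offline search time for a password of `bits` entropy at `rate` guesses/s."""
    return expected_guesses(bits) / rate


# Constructed password profiles, from "easy to remember" up to a real passphrase.
PROFILES = {
    "4-digit PIN": keyspace_bits(10, 4),
    "8 lowercase letters": keyspace_bits(26, 8),
    "6 words from a 7776-word list": keyspace_bits(7776, 6),
}


if __name__ == "__main__":
    rate = guesses_per_second()
    print(f"one core: {rate:.1f} guesses/s at {ITERATIONS} iterations")
    for name, bits in PROFILES.items():
        days = expected_seconds(bits, rate) / 86400
        print(f"{name:32s} {bits:6.1f} bits  ~{days:.3g} days on one core")
```

The measured rate is for one core of whatever machine runs this; the rate for a cluster of GPUs is orders of magnitude higher, which is why the entropy column matters far more than the iteration count. A whole-disk scheme that binds the key to the machine, as the later comments in this thread describe, is one way to remove the password from this equation altogether.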

  23. Brian, Jul 18th, 2007 @ 10:00am

    small clarification

    Something worth noting: when I speak of 'costs', I mean 'support costs'. Again, something easily taken for granted by most readers of this blog who are able to provide their own support.

    In any large org, licensing costs are barely negligible. In any project, labor costs account for 70-80% of the total. In the civilian contractor world, all the costs are factored into the service contract - which in most cases was tallied long before edicts such as this come down.

  24. SailorRipley, Jul 18th, 2007 @ 11:48am

    Re: SailorRipley

    True, large organizations will have large amounts of the same (computer) equipment and use images to install/restore, however, I don't get how having 2 different HW configs doubles your cost and staff:

    Situation 1: (1000 computers with HW configuration A)

    install OS and software on first computer, make image A, install image A on 999 other computers.

    Situation 2: (1000 computers, x with HW configuration A, 1000-x with HW configuration B)

    install OS and software on first computer with HW A, make image A, install image A on x-1 other computers.
    install OS and software on first computer with HW B, make image B, install image A on 1000-x-1 other computers.

    net difference: install OS and software on first computer with HW B... this really doesn't seem to justify doubling your cost or staff...

    (I admit there will be a little more overhead than that)

  25. SailorRipley, Jul 18th, 2007 @ 12:36pm

    Re: Re: Bitching about the costs and the logistics

    Good point about the encryption, although when I made my comment, I was mainly thinking of scenarios like the Ohio theft, where it was meant as an off-site backup: in that situation the sensitive information wouldn't be used as such (on the computer/drive it was backed up on), so it could be just encrypted, even without the user of the notebook knowing the key or without even being accessible (decryptable) on the computer it was stored (backed up) on (in those cases, there would be no "easy" key or key-being-on-drive/computer issue).

    I do agree that for data (that is sensitive and should be encrypted) that would be used (on a daily basis) on the notebook/drive it is stored on, a full drive encryption would probably be best. (Although I'm not sure whether I would opt for a 1 drive solution and encrypt that, or have an unencrypted drive for the OS and a separate, fully encrypted drive for that sensitive data.)

  26. Brian, Jul 18th, 2007 @ 12:45pm

    In your first post you implied a custom solution for every laptop/user, or at least that's how I read it. Quadruple costs are more likely in that scenario, not double.

    Your second post actually gets a little closer to reality, but still doesn't make much sense - wouldn't it be easier/cheaper/more reliable to just have one single image? At least in my org (not TSA), we only issue laptops to users that actually have a strong need - not just to anyone who asks. Perhaps if every user had a laptop multiple images would make more sense, but not if every laptop user handles sensitive data by definition.

    Since I deal with drive encryption issues every day, a couple 'simple' real-world examples came to mind that I'd like to share:

    1) email - laptop users are far more likely to use offline email storage in the form of local PST files (Exchange + Outlook). A big problem we see is the bad habit of CC:'ing unnecessary people - like a revised drawing or tech-spec PDF. How do you encrypt live PST files and still have Outlook recognize it? I haven't given it much thought, but my first guess is you can't - unless Outlook.exe and all its req'd files are also contained on the same encrypted store. Fragmentation, bad sectors, etc, and you've got a nightmare.

    2) the actual drive encryption process - takes a LONG time. The encryption solution we use (and shall remain nameless) can encrypt the volume in the background during normal use, but any hiccup during that week-long process (running in the background during normal use) and the data is toast. So before issuing a laptop to the user, we use the vendor's admin utility to fully encrypt the drive and at 100% utilization it still takes overnight. Decryption is the same but far more costly. Now on even routine service calls the first thing we have to do is manually decrypt the drive in case anything goes wrong during diagnosis or a component needs replacement (the software keys on a UID it generates based on the IDs gathered from the components, so the HD can't just be placed in another PC and brute-forced).

    Again, "encrypting all gov't laptops" sounds peachy, but is a total PITA to implement. Unless of course you have a budget set aside for it and ample test/lab lead-time.

  27. Brian, Jul 18th, 2007 @ 12:49pm

    The point of my 2nd example is that because of the encryption edict, what used to be a half-hour service interruption is now a minimum 1.5 day downtime for a laptop user. Now consider the human-error factor on the technician's part, because not only is he juggling 7-8 calls a day, he has 3-4 laptops on his desk in various states of decryption/encryption.

  28. Anonymous Coward, Jul 18th, 2007 @ 1:59pm

    Re: Re: no, the problem is thinking you need money

    "People don't work for free."

    Military pay is about as close to "free" as you can get, without slavery. ;-)

  29. Enrico Suarve, Jul 19th, 2007 @ 12:39am

    Re: Re: Re: Bitching about the costs and the logistics

    Just my opinion but - always encrypt the whole thing if you value the data. Reason being these are users you are talking about, and you have no idea (and little control) about how they use the data

    Screenshotting certain bits to send as a query to Bob in accounts may not be uncommon, as may programs which take the data and then store it in temporary files

    That's before you get to users who for no known good reason create a folder outside their 'normal' my documents work area to put things in

    If you encrypt the lot then you know you got it all ;0)
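The coverage argument in the comment above (temp files, screenshots and ad-hoc folders end up holding copies of data that was supposed to live only in the encrypted store) is easy to check for on a real machine, and an audit like that is the step to run before deciding that folder-level encryption is enough. The block below is an added example and is not code from the thread; it builds a throwaway directory tree with constructed sample files (the "EncryptedStore" folder, a temp copy, a screenshot note, a stray backup) and then walks the tree to report every file outside the store whose content matches a sensitive pattern. The pattern and the sample record are constructed for the demo and are not real data.

```python
import re
import tempfile
from pathlib import Path

# Added example; the store name, paths and record format are constructed for the demo.
# The pattern stands in for whatever identifier the data owner considers sensitive.
SENSITIVE_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def build_sample_tree(root: Path) -> Path:
    """Create a constructed user profile: one encrypted store and the leaks Enrico describes."""
    store = root / "EncryptedStore"
    store.mkdir()
    (store / "payroll.txt").write_text("emp 42 id 123-45-6789 grade 7\n")

    # An application wrote a temporary copy while the file was open.
    (root / "Temp").mkdir()
    (root / "Temp" / "~payroll.tmp").write_text("emp 42 id 123-45-6789 grade 7\n")

    # A "screenshot" (here a text note) sent as a query to Bob in accounts.
    (root / "Desktop").mkdir()
    (root / "Desktop" / "screenshot.txt").write_text("Bob, is 123-45-6789 the right id?\n")
    (root / "Desktop" / "notes.txt").write_text("deadline friday\n")  # nothing sensitive

    # A folder the user made outside the normal work area.
    (root / "stuff").mkdir()
    (root / "stuff" / "backup.csv").write_text("42,123-45-6789,7\n")
    return store


def audit_outside_store(root: Path, store: Path) -> list[str]:
    """Return root-relative paths of files outside `store` that contain sensitive content."""
    leaks = []
    for path in root.rglob("*"):
        if not path.is_file() or path.is_relative_to(store):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole audit
        if SENSITIVE_RE.search(text):
            leaks.append(path.relative_to(root).as_posix())
    return sorted(leaks)


def demo() -> list[str]:
    """Build the sample tree in a temp dir, audit it, and return the leaked paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        store = build_sample_tree(root)
        return audit_outside_store(root, store)


if __name__ == "__main__":
    for leak in demo():
        print("sensitive content outside the encrypted store:", leak)
```

On a real profile the walk would cover the whole user directory and the system temp locations, and the pattern would be whatever the organisation's data is actually keyed on; three hits out of four candidate files here is the point of the comment: a store-only encryption policy protects one copy while the others sit in plaintext, which whole-disk encryption covers without anyone having to predict where copies land.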
