Feds' Edict To Encrypt Hard Drives Gets -- You Guessed It -- Ignored

from the surprise! dept

Back in May, the Transportation Security Administration did its best to gloss over the fact that it lost a hard drive containing personal information on some 100,000 of its employees by putting out a press release about it at 7 o'clock on a Friday evening. Now, a few months later, it's disclosed that the drive wasn't encrypted (via Threat Level), in contravention of a White House order from last summer saying that all devices containing personal data need to be encrypted if they're taken outside secure areas. As we've noted, these sorts of edicts and guidelines are meaningless unless they're actually followed and non-compliance brings real repercussions.

Filed Under: data breaches, identity theft
Companies: tsa

Reader Comments


  1. Brian, 18 Jul 2007 @ 12:45pm

    In your first post you implied a custom solution for every laptop/user, or at least that's how I read it. Quadruple costs are more likely in that scenario, not double.

    Your second post actually gets a little closer to reality, but still doesn't make much sense - wouldn't it be easier/cheaper/more reliable to just have one single image? At least in my org (not TSA), we only issue laptops to users that actually have a strong need - not just to anyone who asks. Perhaps if every user had a laptop multiple images would make more sense, but not if every laptop user handles sensitive data by definition.

    Since I deal with drive encryption issues every day, a couple 'simple' real-world examples came to mind that I'd like to share:

    1) email - laptop users are far more likely to use offline email storage in the form of local PST files (Exchange + Outlook). A big problem we see is the bad habit of CC:'ing unnecessary people - like a revised drawing or tech-spec PDF. How do you encrypt live PST files and still have Outlook recognize them? I haven't given it much thought, but my first guess is you can't - unless Outlook.exe and all its req'd files are also contained on the same encrypted store. Fragmentation, bad sectors, etc, and you've got a nightmare.

    2) the actual drive encryption process - takes a LONG time. The encryption solution we use (and shall remain nameless) can encrypt the volume in the background during normal use, but any hiccup during that week-long process (running in the background during normal use) and the data is toast. So before issuing a laptop to the user, we use the vendor's admin utility to fully encrypt the drive and at 100% utilization it still takes overnight. Decryption is the same but far more costly. Now on even routine service calls the first thing we have to do is manually decrypt the drive in case anything goes wrong during diagnosis or a component needs replacement (the software keys on a UID it generates based on the IDs gathered from the components, so the HD can't just be placed in another PC and brute-forced).

    Again, "encrypting all gov't laptops" sounds peachy, but is a total PITA to implement. Unless of course you have a budget set aside for it and ample test/lab lead-time.
