Skip to content

Data security on company machines

Featured Replies

A question for those of you in IT departments - what do you do about data security on laptops?

I reckon that for most purposes setting a drive password and using windows EFS with an internal CA is going to be sufficient - someone finding or stealing a laptop would be unlikely to download password removal tools and be able to break the encryption.

We do need to use USB memory sticks from time to time and can issue ones with decent levels of encryption , but there's no realistic way that I can think of to prevent people burning data to a CD without encryption , or copying it to their own USB sticks or drives.

Take a look at Appsense (it might have been Securewave, it's been a while since I looked at it), I'm pretty sure they had some logic to ensure that if any data was exported from a machine, you had to be the owner (i.e author) of the data and encryption was mandatory. Similar controls for importing data, too.

We saw it as a tool that would enable us to endorse the sensible use of USB removable media without getting all draconian.

Dave

We use Pointsec full disk encryption across laptops - the whole disk is encrypted, which reduces the risk of someone forgetting to put something which should be encrypted into an unencrypted area of the drive (if EFS isn't enforced across the whole drive, for example). However, there have been some issues with it - fortunately I've managed to avoid all of them, so I'm not too sure what they are, but I know it's stopped quite a few people being able to logon to their laptops, etc.

EFS is pretty secure from casual theft, but someone with knowledge and determination could probably find a way in (though there are steps you can take to make it harder).

You might want to take a look at TrueCrypt - it's a pretty good product (especially for the price), and as it's not designed to integrate so tightly with Windows specifically then some of the recovery methods are harder to exploit.

A lot depends on how sensitive your data is. :)

Rob.

  • Author
Take a look at Appsense (it might have been Securewave, it's been a while since I looked at it), I'm pretty sure they had some logic to ensure that if any data was exported from a machine, you had to be the owner (i.e author) of the data and encryption was mandatory. Similar controls for importing data, too.

We saw it as a tool that would enable us to endorse the sensible use of USB removable media without getting all draconian.

Dave

That sounds interesting , thanks.

  • Author
We use Pointsec full disk encryption across laptops - the whole disk is encrypted, which reduces the risk of someone forgetting to put something which should be encrypted into an unencrypted area of the drive (if EFS isn't enforced across the whole drive, for example). However, there have been some issues with it - fortunately I've managed to avoid all of them, so I'm not too sure what they are, but I know it's stopped quite a few people being able to logon to their laptops, etc.

EFS is pretty secure from casual theft, but someone with knowledge and determination could probably find a way in (though there are steps you can take to make it harder).

You might want to take a look at TrueCrypt - it's a pretty good product (especially for the price), and as it's not designed to integrate so tightly with Windows specifically then some of the recovery methods are harder to exploit.

A lot depends on how sensitive your data is. :)

Rob.

Thanks for that.

I'm guessing it's not cheap once you add in the extra components that stop you copying stuff to USB drives as well.

Still , we do work with checkpoint firewalls so have access to a decent enough level of discount......

This may not be an issue for Dr Z, but Pointsec has been implicated in breaking directory sharing here.

I have heard of securewave before... my previous employers looked at it but it was dropped due to cost.. my current employers use something else to encrypt the hard drive and lock-down the use of USB sticks/cd burning.. although our whole infrastructure is based around citrix so its not easy to get hold of files locally anyway.

Also there are some features in group policy that can make it more difficult.. ie hiding drive letters and blocking the windows cd burning services.

  • Author
I have heard of securewave before... my previous employers looked at it but it was dropped due to cost.. my current employers use something else to encrypt the hard drive and lock-down the use of USB sticks/cd burning.. although our whole infrastructure is based around citrix so its not easy to get hold of files locally anyway.

Also there are some features in group policy that can make it more difficult.. ie hiding drive letters and blocking the windows cd burning services.

Part of the problem is that we have engineers who for various reasons do need to have admin rights on their laptops and will need to be able to burn cds and copy stuff to USB at times.

It's easy enough to stop this entirely but much harder to allow it under certain crcumstances.

I know I'm not going to get a perfect solution but something close will do me.

Where I work we use BeCrypt for laptop hdd encryption. The users have a USB based token system and a personal passcode that they have to use to unlock the laptop before it even boots up.

IIRC SecureWave is used to lock out USB connections once booted up (in fact, I think it is set up now so that plugging a flashdrive into a USB port gets wiped) unless the user has access, same with CD/DVD drive access, locked out unless there is a business need.

We looked at securewave but the infrastructure chaps went a bit white when we described it. Getting all the good code identified would have been a massive job.

For laptops we're putting in BeCrypt. We need certified products and BeCrypt is the most flexible with USB disk and PDA options.

For occasional bits of encryption we've used PGP desktop and even TrueCrypt. TrueCrypt has Fips 140-2 now.

Ultimately user awareness and training is the big one. At some point the data has to be decrypted for the workers to actually use it. If the security causes them issues they will put a lot of effort into finding ways around the security, more effort than would be needed to use it properly.

Stupid managers will demand passwords from staff and then put them in drawers. Staff will share laptops and put passwords on post its.

A few high profile disciplinariesfor mishandling data work wonders for getting people to toe the line.

Before I joined McLaren the company I was at used Afaria from Sybase for data encryption of hard drives on laptops.

It's a mobile device management suite that we used for laptops and PDA's. We looked into and trialled pointsec but found we had issues similar to those Ken has mentioned and that it affected the speed of some devices.

At the end of the day once you start putting data on USB sticks and CD's things start becoming less secure.

Oddly enough, later this week I'm seeing a demo of a Checkpoint product that offers laptop and USB key encryption- I'll post here once I've seen it. Maybe it's one of the ones already mentioned.

I recently had to have my laptop reimaged by our IT dept. Previously, it was unencrypted (it was built about 3 years ago). Since then, a whole company-wide encryption policy has kicked in and I know have pointsec.

I hate it

It's made my laptop decidedly slower and the hard drive is always working away and just seems to take 1.5x the amount of time it used to before.

I suppose there are other factors, other software that's been put on that wasn't before that may also have an impact.

The other thing I don't like about it, I can no longer image my harddrive as a backup. Also, because they were using the entire drive encryption, it's impossible to change partition sizes or do any other management kind of work with the disk encrypted - you have to fully decrypt, make the changes then re-encrypt. And as you can imagine, going through 60GB on an old, tired 4200rpm drive takes a couple of hours.

Not that I can say I have experience of any other software that is better / easier to work with. It's just that coming from "no pointsec" to "full pointsec", it's been a pain, and I hear of dreaded stories of whole drives going / being unaccessible.

And of course, if you can't salvage anything in any way, you're totally dependant on it, and if there's a problem, you're screwed. So it makes backing things up even more important, and then, you potentially have a security breach again, as the right honourable reverend mentioned ;)

BeCrypt sounds like very similar to what a company I worked for a few years ago used to produce (TopSoft). If it has CAPS approval then it has been tested well and is worthy of a look.

The reasons mentioned by Xav are enough for me to refuse to work on a laptop like that. Admittedly there is nothing *that* critical on our work laptops.

Wild brainstorm here, but cant you force a policy down to prevent access normally, and then provide the corresponding regedit file to disable it?

As soon as you log in the AD will push it back down anyway, and only admin user could possibly override locally during that session. It is a way I work around certain IT policies over here ;)

We use Winmagic securedoc hard drive encryption on our laptops. The whole drive is encrypted, and the performance of the laptop appears to be unaffected.

Because of the way the drive is encrypted putting it in another laptop or a USB caddy means the data is still unreadable, you cant even access the FAT and the drive appears unformatted unless booted from.

The only interaction from the user is they need to input a password at power on before the system will start, enter that password wrong 3 times and they are locked out, however that only requires a reboot. Do this six times though, and the only way out is to reimage the drive, its really secure which is whats demanded these days by the place where I work.

WinMagic Hard Disk Encryption - The most secure and versatile disk encryption software.

BeCrypt sounds like very similar to what a company I worked for a few years ago used to produce (TopSoft). If it has CAPS approval then it has been tested well and is worthy of a look.

BeCrypt is CAPS and CCTM. Ticks lots of boxes if you need that sort of assurance.

It will get a lot of complaints from users since it is another layer for them to get through. They might come round to the idea when it clicks that this will stop them getting sacked.

Tolerance for the loss of personal data is very low right now.

Dell is beinging out some laptops with hardware encryption on the disks

Of Dell's self-encrypting laptop ? The Register

And just to be safe even after encrypting and locking down user rights, there are a number of apps that can phone home as soon as the PC is booted with net access (even if not logged in) so you can remotely start killing data on a missing laptop.

Some of it really costs, but there are some cheap and nasty versions too. Our firm is looking at one as staff have a habit of leaving them lying around...

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.