I recently came across an article at Android Authority detailing how all Nexus phones shipping with the latest version of Android (Lollipop) have full device encryption enabled by default. With Apple offering encryption on their iPhone 6 models, that means that the two dominant mobile platforms are offering a level of privacy that causes concern for law enforcement, including the FBI.
Why the concern? The encryption is so strong that Google and Apple claim they won’t be able to crack phones if asked to do so by law enforcement.
Especially at this time of year, we’re reminded almost weekly of data breaches at Home Depot and Target, or how easy it is for thieves to steal our identity. This morning I watched two cyber-security experts debate the severity of the attacks on Sony Pictures in which sophisticated hackers were able to gain entry to a Sony-owned server and use it to leak documents detailing the salaries of senior executives.
With so many stories floating around I want to take a look at where encryption could help. Encryption has been around for many years and comes in many forms. Should you be looking to encrypt every single device you own? What about your laptop or desktop PC? Does it make sense to encrypt your phone or server, and are there any trade-offs for that added security?
Your smartphone is your most portable computer, and the one that most likely carries your most personal data. It may not hold the most data, but it probably holds a lot of data you’d like to keep secure.
Three of the most used apps on my phone are from Amazon, my banking app and Facebook. Each of these apps includes a trove of my personal data. Both Android and iOS use passcodes to enable data encryption on their devices, which can be found under the security settings of both platforms. For Windows Phone owners there’s some confusion about which devices support encryption, but from what I was able to find, only managed devices running Windows Phone support encryption. With Microsoft having completed the Nokia acquisition, I’m sure this is one area to which they will give more attention.
Even if you don’t do a lot of shopping or banking from your phone, thieves can learn a lot about you just by gaining access to your email. Enabling encryption on your device and always using a passcode makes it far more likely your data will be kept private and out of the hands of thieves.
If you’ve been issued a company laptop and work with company sensitive data, there’s a good chance your company’s IT department has already encrypted your laptop drive. Microsoft offers a full disk encryption feature called BitLocker that’s found on versions of Windows aimed at business use. By default it uses the AES encryption algorithm in cipher block chaining mode with a 128-bit or 256-bit key to encrypt entire drive volumes.
In order to run BitLocker, your PC must meet a few requirements, such as:
- You must be running Windows 7 Ultimate or Enterprise; or Windows 8 Professional or Enterprise versions.
- BitLocker works best with PCs that have a TPM (Trusted Platform Module). BitLocker stores your key in the TPM. BitLocker can use a USB or Flash drive to store its key if a TPM isn’t available.
- If using a USB or Flash drive to store the BitLocker key, your system BIOS must be able to read the drive upon startup.
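As an added check (not part of the original article), the following PowerShell reports whether a PC meets the prerequisites just listed and whether its system drive is already protected, including the cipher in use. It assumes Windows 8 or later, where the Get-Tpm and Get-BitLockerVolume cmdlets are available, and an elevated prompt; on Windows 7 the same information comes from manage-bde -status.

```powershell
# Added example: report BitLocker readiness and status on this PC.
# Assumes Windows 8 or later (Get-Tpm / Get-BitLockerVolume) and an
# administrator prompt. On Windows 7 use "manage-bde -status" instead.

function Get-BitLockerReadiness {
    # 1. Windows edition: BitLocker requires Pro/Enterprise (Windows 8)
    #    or Ultimate/Enterprise (Windows 7).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Write-Output "Edition:           $($os.Caption)"

    # 2. TPM: BitLocker stores (seals) its key in the TPM when one is present.
    try {
        $tpm = Get-Tpm
        Write-Output "TPM present:       $($tpm.TpmPresent)"
        Write-Output "TPM ready:         $($tpm.TpmReady)"
        if (-not $tpm.TpmPresent) {
            Write-Warning "No TPM found; a USB startup key would be required, and the BIOS must read it at boot."
        }
    } catch {
        Write-Warning "Could not query the TPM: $($_.Exception.Message)"
    }

    # 3. Encryption state of the OS volume, including the cipher
    #    (Aes128 / Aes256 correspond to the CBC defaults described above).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        Write-Output "Volume status:     $($vol.VolumeStatus)"
        Write-Output "Protection:        $($vol.ProtectionStatus)"
        Write-Output "Encryption method: $($vol.EncryptionMethod)"
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        Write-Output "Key protectors:    $protectors"
        if ($vol.ProtectionStatus -ne 'On') {
            Write-Warning "BitLocker protection is not active on $env:SystemDrive; data on this drive is not encrypted at rest."
        }
    } catch {
        Write-Warning "BitLocker cmdlets unavailable; this edition may not support BitLocker: $($_.Exception.Message)"
    }
}

Get-BitLockerReadiness
```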
BitLocker isn’t the only drive encryption game in town; it just happens to be one that’s widely supported across many companies. When I worked for Microsoft, they required any computer that accessed shares on their internal network to be encrypted with BitLocker.
There are a number of questions to ask before you encrypt the drive(s) on your server, such as: how likely is it that someone could gain physical access to your server? And if someone did gain access, how likely is it they could compromise its data?
Encrypting backups has become standard practice in the industry. There may also be valid reasons for encrypting drives on a server hosted at your own facility, for example a departmental file server holding sensitive data that sits out in the open rather than behind a locked rack or cabinet.
If you’re using a level 3 hosting company such as Amazon or Rackspace, you’re probably not going to worry about encrypting drives or volumes on servers.
Encryption is complicated technology that requires a lot of education. MSPs can assist with that education and deployment when necessary. If you’re an end user wondering whether you should encrypt your company-issued smartphone, laptop, desktop or server, I strongly advise you to speak with your IT manager beforehand. She’ll be able to provide you with recommendations for the solutions and policies used by your company.
Encryption solutions are notoriously unforgiving, which is by design. They also come with a number of tradeoffs that include the following:
- Decreased Performance – depending on the technology used, encrypting your hard drive can result in a 10 to 15% drop in performance. When I had BitLocker installed on my laptop, I didn’t notice a degradation in performance outside of a bit longer boot time.
- Increased Costs – there are hardware and software costs involved in using encryption, and education and training costs should be considered as well.
- User Unfriendly – this might not be a big deal to some, but encryption is still not seen as user friendly. It’s improving, but has a long way to go.
Although law enforcement might not be thrilled to hear how easy it is to encrypt your data, there are more options than ever before. While it’s getting easier and less expensive to do so, that doesn’t mean the procedure is any less complex. MSPs can step in here and help companies select products that will keep company data safe and employees happy.
Top photo credit: rafael-castillo via Flickr