National lab looks to encryption to secure mobile devices

While on travel for work, the hotel room of an Army official was broken into, and his notebook PC was stolen. But unable to start the computer, reset or extract any data from it, the thief returned it to the front desk, said Bob Egner, a vice president with Pointsec Mobile Technologies Inc., Lisle, Ill.The notebook was locked, and its data was encrypted with a Pointsec tool, Egner said.Seeking that same level of security, officials at the Pacific Northwest National Laboratory turned to full-notebook encryption, said IT services project manager Troy Juntunen. The lab had used file-level encryption, but wanted an additional layer of protection."We saw that whole-disk encryption was definitely a very good option and offered a high level of protection," Juntunen said. "We wanted to encrypt the drive and protect it, so if the hardware was stolen, we wouldn't have to worry about the data being compromised."Data protection is important for the laboratory, because of the sensitive nature of the work of its scientists and researchers.The lab is involved in cleanup work at the World War II-era Hanford, Wash., nuclear site. It's also a leader in nuclear non-proliferation and works in the fields of energy, environment and life sciences. Such a diverse mission requires traveling around the globe, as far as Russia and Ukraine.The first phase of the project involved ensuring the security of notebooks used for overseas work, Juntunen said."Obviously, we wanted to make sure the time and money spent on the development of information was going to be safe and secure," he said.Laboratory officials also wanted a solution that users wouldn't find cumbersome. It had to be transparent and require no user maintenance.Although, for ease of use, the solution had to minimize the number of logons required, lab officials use Pointsec boot-logon protection to authenticate users before the operating system loads.The lab also uses the product's lockout feature, which prevents logins after a specified number of failed attempts. When a device is locked out, a lab administrator must unlock it. That can be a challenge for agencies that don't operate 24 hours a day, and it's a factor that systems integrators and customers should consider when installing an encryption solution.The lab's help desk assists traveling staff to get back into locked-out systems. Help-desk members talk users through a challenging process to regain access to their devices.Those devices are not necessarily notebook PCs, said Pointsec's Egner. Over the past two years, the U.S. market, particularly the government market, has seen a large amount of data compromised because of lost or stolen computer hardware.Many incidents involve notebook computers "because they have a very large hard drive," Egner said. "But it is also things such as removable media: USB memory sticks, writable CDs, optical drives or external hard drives that might have a lot of information."As the equipment grows smaller, the likelihood that it can be lost and stolen grows larger, making encryption a more important measure to take.Wrestling with these issues is a good time for systems integrators and agencies to re-examine security policies, no matter how recently they were drafted, Egner said."One of the things we've seen in the U.S. government space, on the defense side as well as the civilian side, is that many organizations have put together security policies in the past that have become invalid, given the expanding mobility trend," he said."If they had a security policy from a number of years ago, [they] made an assumption that all the computer equipment was safely locked inside a locked building," Egner said. "But now, with the advent of more and more notebook computers, and smaller and smaller smart phones that can receive e-mail, suddenly the security policies assumptions are no longer true."When integrators approach an encryption project, they should test compatibility of software on all the PC configurations that an agency has, he said. A worker doing clerical work, for example, will have a different configuration from that of an engineer doing classified work.Agencies also need to ensure that the support system and help desk are ready to work with the encryption software.Pointsec will work with an organization's patch management system, according to the company. If the organization has no patch management in place, the product can handle update tasks.Now the Pacific Northwest Laboratory is sharing what it has learned about device encryption."I've been talking to a number of other laboratories within the Energy Department that are looking to do the same thing," Juntunen said. "They want to leverage the knowledge from somebody that's already done that. Our simple deployment had made it easy to replicate."