Encrypting data is no longer an expensive, time-consuming headache. Here’s an overview of some of the different types of encryption products available.
Encryption technology was once so complicated and expensive to implement that no one used it. That’s changing. These examples illustrate how it can be done.
Halfway through a meeting led by one hospital’s IT security team, the doctors finally got a break to stretch their legs and get coffee. While they were gone, some of the security team went around the room and picked up a few of the PDAs that had been left behind. When the doctors came back, the security team displayed some of the sensitive information on patients that had been left unprotected on the devices. It was an enlightening experience for the doctors.
In that case, theft had not really occurred, but in reality, hardly a month goes by when a serious security breach isn’t reported in the news. In most cases, the problem is that the personal data has not been encrypted.
But perhaps you’re thinking that it’s simply not practical to expect everyone to encrypt the data they work with routinely. Maybe you’re imagining a huge, expensive project that requires the IT team to devote time to the complex task of managing a host of electronic keys and certificates while users have to jump through hoops deciding when (and remembering how) to use encryption.
Thankfully, those days are gone. Encryption products are smaller, easy to manage, and transparent to end users. At the same time, they can be just as powerful as a giant public-key infrastructure (PKI) solution that only five years ago would have had managers and users alike pulling out their hair in frustration.
Not only is encryption easier and cheaper than ever before, but it can be used in a variety of ways. Data on mobile devices can be secured; e-mail messages automatically encrypted and decrypted; and full disk encryption can be implemented where necessary.
The following stories show how three different organizations used encryption to secure information.
Randy Maib is the senior IT consultant with INTEGRIS Health, an Oklahoma-based chain of 10 hospitals with 10,000 employees. Maib was the ringleader of the prank pulled on the doctors during their coffee break. It was an important lesson to learn, he says. “It really shed some light and got some buy-in to start doing some mobile security measures.”
Getting buy-in from end users is important in any environment, but it is especially critical in the healthcare setting where much personal data is handled. Maib knew that physicians tend to carry multiple pieces of equipment around—cell phones, PDAs, laptops—with sensitive information on them. Therefore, mobile security was at the top of his list of concerns when he helped set up the IT security department in 2001.
Demonstrating the problem was an important first step; finding the right solution was the next challenge. It had to be user-friendly because end users are notoriously reluctant to implement security measures that cause them any inconvenience. It also had to help him to understand the size of the problem.
“The first thing we wanted to find out was exactly how many mobile devices were roaming through our environment, specifically PDAs without any authentication,” he says. Until he knew what was in the field, it would be impossible to know what needed to be protected.
Maib discovered Addison, Texas-based CREDANT Technologies in a trade journal; his interest was piqued when the company’s ad claimed the product could discover mobile devices as well as provide authentication for PDAs.
There are three components to the CREDANT solution. The first, the management piece, is the Mobile Guardian Enterprise Server. This houses the security policies and connects with the company’s directories that allow it to keep track of users as they’re added or deleted from the system.
The second piece is Gatekeeper, a small client that resides on every desktop and laptop in Maib’s network. The third is the Mobile Guardian Shield, a piece of software that sits on each mobile device and does the encrypting using highly secure, industry-standard encryption algorithms such as 3DES and Blowfish.
Here’s how it works. Gatekeeper does not actively look for mobile devices; it detects when a mobile device—a doctor’s PDA, for example—connects for synching. It then queries the device, looking for Mobile Guardian Shield. If it doesn’t find it, it can either prevent the PDA from synching, or it can install Mobile Guardian Shield on the device.
Getting Mobile Guardian Shield installed, Maib says, is a simple process for the end user, who first enters his or her network credentials, and then chooses a four-digit PIN, a password, and a question and answer as a backup. During regular use, if users forget the PIN, they can use the password; if they fail that three times, they get the question. If they can’t answer the question correctly, they’re locked out.
CREDANT also offers a “kill” feature which Maib doesn’t use. If a user fails each step of the authentication process, the kill feature can either render the PDA (or whatever other device is being used) unusable until the organization’s helpdesk intervenes, or it can execute a command that deletes everything that’s been encrypted on the machine.
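The fallback ladder and the optional kill actions described above, modelled as an added example that is not CREDANT's code. The class and state names are hypothetical, and the PIN attempt limit and the single try at the question are assumptions the article does not state.

```python
import hashlib
import hmac
import os

PASSWORD_TRIES = 3            # from the article
PIN_TRIES = 3                 # assumed; the article gives no figure for the PIN
STEPS = ("pin", "password", "answer")

def _digest(secret: str, salt: bytes) -> bytes:
    # Keep only a salted, stretched hash of each secret on the device.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

class DeviceLock:
    """Hypothetical model of the PIN -> password -> question ladder."""

    def __init__(self, pin, password, answer, on_exhausted="locked_out"):
        # on_exhausted: "locked_out" (as deployed), or the optional kill
        # actions "disabled" (helpdesk must intervene) / "wiped".
        self.salt = os.urandom(16)
        values = (pin, password, answer.strip().lower())
        self.hashes = {s: _digest(v, self.salt) for s, v in zip(STEPS, values)}
        self.on_exhausted = on_exhausted
        self.step, self.fails, self.state = "pin", 0, "prompting"

    def forgot_pin(self):
        # User chooses to skip the PIN prompt and use the password instead.
        if self.state == "prompting" and self.step == "pin":
            self.step, self.fails = "password", 0

    def submit(self, value: str) -> str:
        if self.state != "prompting":
            return self.state             # unlocked or terminal: nothing to do
        if self.step == "answer":
            value = value.strip().lower()
        # Constant-time comparison so timing does not leak how close a guess is.
        good = hmac.compare_digest(_digest(value, self.salt),
                                   self.hashes[self.step])
        if good:
            self.state = "unlocked"
        elif self.step == "answer":
            self.state = self.on_exhausted   # every step has now failed
        else:
            self.fails += 1
            limit = PIN_TRIES if self.step == "pin" else PASSWORD_TRIES
            if self.fails >= limit:       # escalate to the next prompt
                self.step = STEPS[STEPS.index(self.step) + 1]
                self.fails = 0
        return self.state
```

A four-digit PIN has only 10,000 possible values, so the attempt limits and the terminal state, rather than the PIN itself, are what resist guessing on a lost device.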
Another optional part of the Mobile Guardian product is CREDANT2Go, which allows users to selectively encrypt files and folders that are stored on a USB thumb drive or iPod. Files encrypted using this program can be decrypted on any computer by any person who has the proper password; there is no need to install any special software.
PDAs and other mobile devices have much smaller drives and less memory than laptops and desktops, so using encryption on them has raised fears of slowdowns that will frustrate end users. Maib says this has not been a problem with the system selected.
The encryption process “is very rapid on both a PDA and a laptop,” he says. “Whenever you login to the machine, it hesitates about a half second.” One reason the process happens so quickly is that Mobile Guardian Shield encrypts only preselected files and folders where sensitive information is held. This includes all databases on the devices; Maib can easily change the security policy to encrypt other files, including e-mail attachments, calendars, contact lists, or the My Documents folder.
While this setup works, Maib would like to reduce the number of mobile devices that have to be secured. To that end, he is testing the Cingular 8125, a Windows-based all-in-one cellphone and PDA that will eventually replace everything else. He’s already got the CREDANT solution working on it, a critical part of the package, since these devices are receiving and storing more sensitive information than ever before; for example, data from a patient’s EKG can be sent to the on-call doctor’s device and saved as a PDF.
Maib is satisfied with the solution he chose to keep mobile devices secure. He says that encrypting data on mobile devices, which are exposed to the greatest risk of loss or theft, makes the most sense to him. And it’s been an affordable solution as well. CREDANT’s solution starts at about $85 per user and drops to the mid-twenties per user for large volumes.
E-mail and FTP
After Sharon Finney, information security administrator at DeKalb Medical Center in Decatur, Georgia, conducted an IT risk assessment 18 months ago, she had two areas of concern related to the Health Insurance Portability and Accountability Act (HIPAA). The first was that outbound e-mail might contain protected healthcare information, and that there was no way to take any action on such e-mails if identified. And second, she was concerned that there was no secure way to transfer the large amount of data that needed to be shared with business partners.
Finney decided to approach the two problems separately. The first step was to find a way to identify whether an e-mail contained any confidential information on a patient or about the hospital, a 627-bed facility with more than 23,000 admissions each year. She tested several applications and ultimately chose Proofpoint, a solution that scans each e-mail for protected health information. Proofpoint didn’t offer an encryption solution but its sales team told Finney that they worked often with encryption vendor PGP Corporation of Palo Alto, California.
She liked the idea of using PGP, she says, for a number of reasons. Many business partners were already using some form of PGP, she says, so there would be less of a need to suddenly demand that everyone switch to a new vendor and buy a new encryption product.
The e-mail encryption product she chose, PGP Universal, provided another benefit that Finney was looking for. “One of our criteria was we didn’t want the recipient [of an encrypted message] to have to purchase or download anything onto their desktop in order to receive secure mail from us,” she says. “PGP accomplished that.”
“We have 3,300 e-mail boxes and 4,100 employees,” Finney explains. That adds up to tens or hundreds of thousands of daily e-mails.
When an employee sends out a message, it is first scanned by Proofpoint for the presence of protected information. If the software finds such information, the e-mail is routed through the PGP server and encrypted; the server then holds the message and sends out an e-mail to the recipients saying that there is a secure message for them.
This e-mail includes a link that takes the recipient directly to the Universal server. He or she authenticates (or, if it’s a first visit, creates a passphrase for future visits), and then picks up the message across a 128-bit encrypted connection. For first-time users, Finney has posted a simple how-to document on the page that users are linked to that explains the process and includes contact information for DeKalb’s helpdesk.
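The outbound flow described above (scan, hold, notify, pick up), shown as an added example that is not Proofpoint or PGP Universal code. The detection patterns, pickup URL and in-memory store are constructed stand-ins, and holding the message in a dictionary stands in for the server-side encryption.

```python
import re
import secrets
from email.message import EmailMessage

# Constructed detection rules; a real content scanner ships far richer ones.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN-shaped number
    re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I),         # medical record number
    re.compile(r"\bDOB:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
]
PICKUP_URL = "https://securemail.example.org/pickup/"     # placeholder host

held = {}   # token -> original message; stands in for the encrypted store

def contains_phi(msg: EmailMessage) -> bool:
    # Scan the subject as well as the body: identifiers leak there too.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"
    return any(p.search(text) for p in PHI_PATTERNS)

def route_outbound(msg: EmailMessage) -> EmailMessage:
    """Return what actually leaves the network for this message."""
    if not contains_phi(msg):
        return msg                          # clean mail is delivered unchanged
    token = secrets.token_urlsafe(24)       # unguessable pickup reference
    held[token] = msg
    note = EmailMessage()
    note["From"], note["To"] = str(msg["From"]), str(msg["To"])
    # Generic subject: the original subject may itself carry patient data.
    note["Subject"] = "You have a secure message"
    note.set_content(f"A secure message is waiting for you:\n{PICKUP_URL}{token}\n")
    return note

def pick_up(token: str):
    # To be called only after the recipient has authenticated to the server.
    return held.get(token)
```

The notification carries nothing from the original message except the sender and recipient addresses, so a flagged message never crosses the Internet outside the encrypted pickup session.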
PGP Universal software runs on a dedicated server. It took Finney only three hours to get it up and running—that, she says, is from the time she began to unpackage the product to when she sent her first encrypted message.
Another PGP product helped Finney solve her second problem—how to secure file transfers using FTP (file transfer protocol). That software product, PGP Command Line, was similarly loaded onto a server and was simple to install, DeKalb says. It took only a couple of hours for her to install and configure the software for all the organization’s internal users.
Command Line allows DeKalb employees to easily encrypt large files that need to be transferred to business partners via FTP. The encryption is done transparently to the user, though behind the scenes Command Line is using public and private key pairs to accomplish this task. (Something encrypted with a partner’s widely available public key can only be decrypted with its securely held private key.)
Again, Finney didn’t want to burden partners with buying a high-priced or complicated solution. Many were already using this product; and she helped smaller vendors get and install an inexpensive desktop version of the software that worked much the same as the full-blown version, though it added a few more manual steps.
“As a result, we’re able to work efficiently with our large partners as well as with our smaller vendors and partners that need to exchange data with us without putting undue financial burdens on them and requiring them to purchase a very expensive encryption solution,” Finney says.
While the motivation behind these encryption solutions was HIPAA, Finney says that securing e-mails has provided some unexpected benefits. “It allowed us to expand how we use e-mail in the hospital,” she says. “Now that we’re encrypting, we’re able to communicate more information to patients, physicians, and family members without worrying if it violates HIPAA, and our employees don’t have to worry about it.”
PGP Universal subscriptions start at $129; PGP Command Line costs around $1,100.
Full Disk Encryption
The Black Hat and DefCon conferences are known around the world as the premier gatherings for anyone interested in the cutting edge of IT security. So it’s no surprise that the mind behind the conferences, Black Hat Director Jeff Moss, is himself a security pro with an eye for what’s best on the market.
Setting up annual conferences in the U.S., Europe, and Asia is the work of Moss and his small staff, and despite Black Hat’s recent acquisition by corporate giant CMP Media, Moss remains in charge of his team’s computer security.
Ensuring that the data on every one of his laptops remains safe from prying eyes has always been a top priority for Moss, and he decided years ago on full-disk encryption with token-based authentication, so that any lost or stolen laptop would be utterly unusable, and its data would remain secure.
Moss says there weren’t many commercial choices available to him on the market. He wanted to use the tokens he already had (Rainbow’s iKey solution, which works via a USB port) so he needed a solution that would be compatible. He researched the options and decided on SecureDoc from WinMagic of Mississauga, Ontario, Canada.
SecureDoc software loaded onto each laptop integrates with the iKey in the preboot stage before the operating system loads, Moss says.
As soon as a laptop tries to boot from the hard drive, SecureDoc looks to the iKey token for a certificate that is held there. It then asks the user to provide the password for that token, Moss explains. So the user must have the token and know the password.
For many users, that two-factor authentication would be sufficient, but not for Moss, who also stores certificates for other encryption products he uses (such as PGP for his e-mail). “My concern is, if you just unlock the token, you’re also unlocking all those other things,” he says. So he is prompted for another password that unlocks those encryption certificates, meaning an extra step—but also an extra layer of security.
Once the passwords have been entered, the system boots up normally. When Moss used SecureDoc on an older machine with a slow drive, a delay to the boot was “slightly noticeable,” he says, but with newer machines, there is no delay at all.
Getting SecureDoc installed on the half-dozen of Black Hat’s computers was a fairly straightforward process, Moss says, though he advises careful planning before getting started. That’s because it’s necessary to decide if tokens or biometrics (or both) will be used, how they’ll be managed and assigned, who’s got the master password, and so on.
When tokens are used, there needs to be a master token that can be locked away in a safe place so that an administrator can decrypt a laptop if someone forgets the password.
As both user and administrator, Moss needed to create multiple accounts for himself—Jeff the user and Jeff the administrator. This, he says, was confusing at times; hence the need for proper advance planning before getting started (it will be simpler for organizations that have a separate IT security team).
One reason that Moss decided on full disk encryption was that he was concerned about data tampering. “If you leave your laptop in the office overnight or in a hotel room and you go out to dinner, if your full drive is not encrypted, someone could come along and install a keylogger or tamper with your machine,” he says. Then, even if your e-mail is encrypted, an attacker may nevertheless have full access to your operating system.
With full disk encryption in place, the computer is safe from tampering. And if a laptop is stolen, adds Moss, “it’s nice not to have to worry about your data popping up somewhere.”
For now, Moss’s only concern is that in the version of SecureDoc he uses, there is no recovery floppy disk. He recalls, in the pre-SecureDoc days, a trip to Asia when his machine crashed and wouldn’t boot. The product he was using allowed him to boot from a floppy and decrypt the operating system. The process took overnight, but at least the files became available. (WinMagic says that its latest release has such a feature.)
The enterprise version of SecureDoc is $99 per user, with discounts offered for large installations.
Encryption is no longer a difficult-to-manage headache. Transparent to end users and affordable, the many varieties of encryption products can help to ensure that sensitive data remain secure. By taking these precautions, companies can ensure that even if employees get robbed or get careless, client data and the company’s reputation will remain secure.
Protecting data through encryption no longer means a huge, expensive project that becomes a headache for management and users. Today’s encryption products are smaller, easy to manage, and more transparent to end users than ever before.
Organizations use different types of encryption products for different purposes. At INTEGRIS Health, a chain of hospitals in Oklahoma, the IT security director was concerned that physicians were carrying around sensitive patient data on unsecured PDAs. After demonstrating just how easily this information could be compromised if a device were lost or stolen, he implemented an encryption solution that ensured that any PDA that tried to synch with a hospital desktop had the proper encryption product installed. If it didn’t, the desktop could push the software onto the PDA or deny it access to the network.
At DeKalb Medical Center in Georgia, the security team was concerned about protected health information being sent out in unencrypted e-mails. The center implemented a two-part solution. The first product could automatically identify the presence of any such information; the second was an encryption product that would encrypt such messages without any help from the user. Recipients of encrypted e-mails pick up their messages from the medical center’s secure server. Another encryption product secures large data transfers that need to occur among the center’s business partners.
In another example, Black Hat, which sets up annual conferences of IT security professionals around the world, installed a full disk encryption product on each of its laptops. During boot up, a user must plug in a USB token and enter the proper authentication information. Then, the computer boots up normally and without any noticeable latency. Full disk encryption also gives the director peace of mind that data has not been tampered with and that no keyloggers have been installed.
Peter Piazza is an associate editor at Security Management.