FireStarter: Is Full Disk Encryption without Pre-Boot Secure?

This FireStarter is more of a real conversation starter than a definitive statement designed to rile everyone up. Over the past couple of months I’ve talked with a few organizations – some of them quite large – deploying full disk encryption for laptops but skipping the pre-boot environment.

For those of you who don’t know, nearly every full drive encryption product works by first booting up a mini-operating system. The user logs into this mini-OS, which uses those credentials to unlock the drive and then loads the main operating system. This ensures that nothing is decrypted without the user’s credentials.

It can be a bit of a problem for installing software updates, because if the user isn’t logged in you can’t get to the operating system, and if you kick off a reboot after installing a patch it will stall at pre-boot. But every major product has ways to manage this. Typically they allow you to set a “log in once” flag in the pre-boot environment for software updates, but there are a couple of other ways to deal with it. I consider this problem essentially solved, based on the user discussions I’ve had.

Another downside is that users need to log into pre-boot before the operating system. Some organizations deploy their FDE to require two logins, but many more synchronize the user’s Windows credentials to the pre-boot, then automatically log into Windows (or whatever OS is being protected). Both seem fine to me, and one of the differentiators between various encryption products is how well they handle user support, password changes, and other authentication issues in pre-boot.

But I’m now hearing of people deploying an FDE product without using pre-boot. Essentially (I think) they reverse the process I just described and automatically log into the pre-boot environment, then have the user log into Windows. I’m not talking about the tricky stuff a near-full-disk-encryption product like Credant uses, but skipping pre-boot altogether. This seems fracking insane to me.

You somewhat reduce the risk of a forensic evaluation of the drive, but lose most of the benefits of FDE. Once the pre-boot unlock is automatic, the drive is decrypted for anyone who can power on the laptop, and the only thing standing between a thief and the data is the operating system login on a running system, not the encryption. In every case, the reason given is, “We don’t want to confuse our users.” Am I missing something here? In my analysis this obviates most of the benefits of FDE, making it a big waste of cash.

Then again, let’s think about compliance. Most regulations say, “Thou shalt encrypt laptop drives.” Thus, this seems to tick the compliance checkbox, even if it’s a bad idea from a security perspective. Also, realistically, the vast majority of lost drives don’t result in the compromise of data. I’m unaware of any non-targeted breach where a lost drive resulted in losses beyond the cost of dealing with breach reporting. I’m sure there have been some, but none that crossed my desk.
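The post names no specific product, so as an added example (not code from the original post or from any vendor it mentions) here is a check against Windows BitLocker, where this exact configuration shows up as an OS volume whose only boot-time key protector is the TPM: the volume unlocks automatically at power-on and the user is left with just the Windows login. It assumes Windows with the BitLocker PowerShell module (`Get-BitLockerVolume`) and an elevated shell; the protector type names are the module’s own, and the `Get-PreBootStatus` function and `$PreBootProtectors` list are introduced here for the audit.

```powershell
# Added example (not part of the original post): flag OS volumes whose only
# boot-time protector is the TPM, i.e. "FDE without pre-boot". Assumes Windows
# with the BitLocker PowerShell module (Get-BitLockerVolume) and an elevated shell.

# Protector types that demand something from the user (a PIN, a password, or a
# startup key on removable media) before the OS volume is unlocked.
$PreBootProtectors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')

function Get-PreBootStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume   # one object from Get-BitLockerVolume
    )
    process {
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $hasPreBoot = [bool]($types | Where-Object { $PreBootProtectors -contains $_ })
        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            ProtectionStatus = $Volume.ProtectionStatus
            Protectors       = ($types -join ', ')
            # RecoveryPassword exists for recovery only; it never gates a normal
            # boot, so it does not count as pre-boot authentication.
            PreBootAuth      = $hasPreBoot
            # TPM present and nothing else a thief would need: auto-unlock at boot.
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasPreBoot
        }
    }
}

# Audit every OS volume and call out the ones that unlock with no user secret.
$report = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    Get-PreBootStatus

$report | Format-Table -AutoSize
$report | Where-Object { $_.TpmOnly -or -not $_.PreBootAuth } |
    ForEach-Object { Write-Warning "$($_.MountPoint) unlocks at boot without a user secret" }
```

The older `manage-bde -protectors -get C:` prints the same protector list in text form; an entry reading “TPM” with no “TPM And PIN” or startup key alongside it is the configuration the post is describing. Adding a PIN (TPM+PIN) is what turns the deployment back into one with a pre-boot secret.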


Return of the Security Start-up?

As Rich described on Friday, he, Adrian, and I were sequestered at the end of last week working on our evil plans for world domination. But we did take some time for meetings, and we met up with a small company, the proverbial “last company standing” in a relatively mature market. All their competitors have been acquired and every deal they see involves competing with a multi-billion dollar public company.

After a few beers, we reminisced about the good old days when it was cool to deal with start-ups, when the big companies were at a disadvantage because it was lame to buy from huge monoliths. I probably had dark hair back then, but after the Internet bubble burst and we went through a couple of recessions, most end user organizations now opt for big and stable vendors – not small and exciting. This trend was compounded by the increasing value of suites in maturing markets, and most of security has been maturing rapidly. There is no award for doing system integration on the endpoint or the perimeter anymore. It’s just easier to buy integrated solutions which satisfy requirements from a single vendor. Add in the constant consolidation of innovative companies by the security and big IT aggregators, and there has been a real shift away from start-ups.

But there is a downside to this big company reign. Innovation basically stops at big companies, because the aggregators are focused on milking the installed base, not on betting the ranch on new features. Most of the big security companies aren’t very good at integrating acquired technology into their stacks either. So you take an exciting start-up, pay them a lot of money, and then let the technology erode as the big company bureaucracy brings the start-up to its knees. A majority of the brain power leaves and it’s a crap show. Of course, not every deal goes down like this. But enough do that it’s the exception when an acquisition isn’t a total train wreck a year later. So back to my small company friends.

Winning as a small company is all about managing the perception of risk in doing business with them. There is funding/viability risk, as more than a couple of small security companies have gone away over the past few years, leaving customers holding the bag. Most big companies take a look at the balance sheet of a start-up and it’s a horror show (at least relative to what they are used to), so the procurement group blows a gasket when asked to write a substantial check to a start-up. There is also technology risk, in that smaller companies can’t do everything, so they might miss the next big thing. Small companies need good answers on both these fronts to have any shot at beating a large entrenched competitor. It’s commonly forgotten, but small companies do innovate, and that cliche about them being more nimble is actually true. Those advantages need to be substantiated during the sales cycle to address those risks.

But end users also face risks outside the control of a small company. Things like acquisition risk, which is the likelihood of the small company being acquired and then going to pot. And integration risk, where the small company does not provide integration with the other solutions the end user needs, and has no resources to get it done. All of these are legitimate issues facing an end user trying to determine the right product to solve his/her problem.

As an end user, is it worth taking these risks on a smaller company? The answer depends on the sophistication of the requirement. If the requirement can be met out of the box and the current generation of technology meets your needs, then it’s fine to go with the big company. The reality of non-innovation and crappy integration from a big company isn’t a concern. As long as the existing feature set solves your problems, you’ll be OK. It’s when you are looking at either a less mature market or requirements that are not plain vanilla that the decision becomes a bit murky.

Ultimately it rests on your organization’s ability to support and integrate the technology yourself, since you can’t guarantee that the smaller company will survive or innovate for any length of time. But there are risks in working with large companies as well. Don’t forget that acquired products languish or even get worse (relative to the market) once acquired, and the benefits of integration don’t necessarily materialize. So the pendulum swings both ways in evaluating risks relative to procurement. And you thought risk management was only about dealing with the risk of attack?

There are some tactics end users can use to swing things the right way. Understand that while negotiating the original PO with a small company, you have leverage. You can get them to add features you need, throw in deployment resources, or cut the price (especially at the end of the quarter). Once the deal closes (and the check clears), they’ll move on to the next big deal. They have to – the small company is trying to survive. So get what you can before you cut the check.

So back to the topic of this post: are we going to see a return of the security start-up? Can smaller security companies survive and prosper in the face of competition from multi-billion dollar behemoths? We think there is a role for the security start-up, providing innovation and responsiveness to customer needs – something big companies do poorly. But the secret is to find the small companies that act big. Not by being slow, lumbering, and bureaucratic, but by aligning with powerful OEM and reseller partners to broaden market coverage. And having strong technology alliances to deliver a broader product than a small company can deliver themselves. Yes, it’s possible, but we don’t see a lot of it. There are very few small companies out there doing anything innovative. That’s the real issue. Even if you wanted


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.