This is such a straightforward problem to solve it’s annoying that it still makes the headlines. Laptop and tape encryption are the low hanging fruit of data security. Not that they are click-box easy, but it’s pretty straightforward for most organizations to protect this stuff.
Home Depot lost a “password protected” laptop when it was stolen from a car, and 10,000 employee records with it. Iron Mountain lost a case of backup tapes with a decade’s worth of Social Security Numbers from college applicants in Louisiana. Their proactive strategy to protect their customers?
“We certainly don’t want to create any panic. But people should be aware and take the necessary steps,” Amrhein told the AP. “This is backup data off of a mainframe that contains sensitive personal information.”
Darn, it’s my fault for applying to college and not being aware. Silly me.
I do take umbrage at some of the misguided advice at the end of the article:
“If you buy encryption you need to work with the company’s legal department and top executives on a process where you can prove data on a stolen device can’t be tampered with,” he said. “A cradle-to-gave transaction record on the server is one way to provide an inventory on the current state of all your drives. Another, more difficult approach is to write everything down.” He said it helps if a company can show it is using a reputable vendor to put a barrier around stored data, and mentioned Seagate Technology as an example. The Scotts Valley, Calif.-based hard drive maker said this week it will roll out enterprise-class drives with full disk encryption in 2008 and will push to make hard-drive encryption standards a reality to reduce complexities that could hinder adoption.
Like a cradle to grave transaction record and an inventory of all you hard drives is realistic. Also, while encrypted drives will play a role in data security they are far from a panacea! First of all, the software solutions today, especially for whole drive, are effective without requiring you to install new drives. Second, the encryption on those drives is managed by software, so now you’ll have to buy both the encrypted drive and the software to manage it. More often than not, non-laptop encrypted drives are totally unnecessary and don’t improve security.
I like how Seagate designed their drives, but it’s not like they’re the right choice in all cases, nor will they put us (or software encryption) out of business.