The Big Picture for Data Encryption – Mike Danseglio CISSP
Last week I spoke at a public IT conference on Microsoft’s campus in Redmond, Washington. One of my popular lecture topics is data security and encryption. Even though my session was at the end of the conference, I had a capacity audience.

An attendee spoke up early in the session with a surprising comment. “Are you going to just show us BitLocker? Because Microsoft has been telling us how great it is all week and we get it.” This tall fellow from the healthcare industry wasn’t being insulting or flippant. He genuinely wanted to learn about data protection and was hoping I planned to deliver new ideas instead of rehashing Microsoft’s BitLocker praise.

I hadn’t attended the Microsoft sessions, so I asked for some details. Did Microsoft explain BitLocker within a larger data security framework? Did they cover critical topics like data classification, risk analysis, and how direct encryption like BitLocker fits with other components like ACLs, EFS, and DRM protection? And finally, did the previous sessions explain how data protection is a technology that can only succeed within a security approach that includes non-technology components? No, of course they didn’t. But those ideas are critical.

People, Process, Technology

There is no silver bullet for data protection, no big red “Make everything secure” switch. No security solution is a complete solution against all possible threats. That’s why effective information security requires a multi-faceted approach.

When I create security strategies at any level, I start with a clear understanding of the current situation, the goals, and related variables like budget and timeframe. Then I form a strategy that always includes three elements: people, process, and technology. These are the building blocks of a comprehensive security plan, and without some attention to each, a data security plan is doomed to failure.

People – Your First Line of Defense

You have no choice but to rely on users to protect data. At one level or another, people directly impact all data security measures. Consider a laptop that has your standard corporate build and includes BitLocker data encryption, USB device restriction, network security, strong authentication, and all the other great measures that you implemented. Now take a look at that laptop after you’ve issued it to an employee.

Figure 1. A failed data security scheme.

I took that photo in a local supermarket over the weekend. The nice gentleman got up, turned to me, and said, “Can you please watch my computer for a sec? I need another Americano.” I had never seen him before, yet he was gone about five minutes. His inattentiveness could easily have broken every security measure you put in place. Virtually no technical data security control will stop an attacker who finds an unlocked and unattended laptop.

Employee security awareness is both easy and difficult to address. Look for future blogs that will explore this topic in depth.

Process to Ensure Consistency and Equality

Hopefully you have a standard computer build and configuration process. Many businesses of all sizes have them, of varying complexity. Having a standard is the key part of a data security plan. Whether you protect your data with TrueCrypt, BitLocker, CheckPoint, Access Control Lists, or even Syskey (!), it is critical that every system leave IT with a known-good and consistent configuration.

Several hardware vendors like Dell and HP even enable you to build a custom software configuration and upload it to their servers. Then when you (or purchasing or operations, etc.) order systems, they are built and delivered with your custom configuration already in place. I really like this option for organizations where more than one group can order computers. It ensures consistency while minimizing IT involvement.

Technology to Empower and Enforce

You’ve seen that technology doesn’t solve security problems. It supports good security, it implements good practices, and it contributes to a holistic security plan. But by itself it is far less than effective.

Consider BitLocker for a moment. The cryptography is really strong. It is fast, has good key management, enables recoverability without significantly compromising security, and supplies a host of other security warm-and-fuzzy features. Turning BitLocker on is a great idea in many cases, especially for laptop computers and USB drives. But turning it on without explaining a few best practices for laptop and memory stick security weakens the approach. Similarly, an inconsistent implementation may lead to gaps like some USB devices not being encrypted and some laptops slipping through and being deployed without technology-based security.

Conclusion

Your data security plan should certainly include encryption for data both at rest and in transit. But betting exclusively on a technology solution is a bad bet. You must consider security across all three elements of security: people, process, and technology.

Enjoy!

Mike Danseglio, CISSP
Interface Technical Training – Technical Director and Instructor, Systems & Security Courses
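The Process and Technology sections above both come down to one check: did every machine actually leave IT in the known-good state, and is it still in it? The following PowerShell script is an added example, not code from the original post; it audits a single Windows machine for the two gaps the article describes (a volume that slipped through without BitLocker protection, and a missing inactivity lock that leaves an unattended laptop unlocked) and writes a result that a build or deployment pipeline can consume. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, an elevated prompt, and that the idle threshold and report path are local choices; those values are assumptions, not policy from the article.

```powershell
# Added example (not from the original post): audit one machine against a
# BitLocker-and-screen-lock baseline and report any gap.
# Assumes Windows 8 / Server 2012+ with the BitLocker module, run elevated.
#Requires -RunAsAdministrator
param(
    [int]$MaxIdleSeconds = 900,                                            # assumed policy: lock after 15 minutes
    [string]$ReportPath = "$env:ProgramData\SecurityAudit\baseline.json"  # assumed report location
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Every fixed or removable volume should be protected, not merely encrypted.
#    VolumeStatus 'FullyEncrypted' with ProtectionStatus 'Off' means the
#    protectors are suspended and the key is exposed in the clear.
foreach ($v in Get-BitLockerVolume) {
    $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    if ($v.VolumeStatus -eq 'FullyDecrypted') {
        $findings.Add("$($v.MountPoint) ($($v.VolumeType)): not encrypted")
        continue
    }
    if ($v.ProtectionStatus -ne 'On') {
        $findings.Add("$($v.MountPoint): encrypted but protection is $($v.ProtectionStatus)")
    }
    # Recoverability without weakening security: a recovery password protector
    # should exist (and be escrowed by your process) on every encrypted volume.
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add("$($v.MountPoint): no RecoveryPassword protector; recovery not possible")
    }
    # The OS volume should be bound to the TPM (Tpm, TpmPin, TpmStartupKey, ...)
    # so the volume key is never unlockable by the disk alone.
    if ($v.VolumeType -eq 'OperatingSystem' -and @($types -match '^Tpm').Count -eq 0) {
        $findings.Add("$($v.MountPoint): OS volume is not TPM-protected")
    }
}

# 2. The unattended-laptop problem: Windows enforces a machine inactivity
#    limit through the policy value InactivityTimeoutSecs (0 or absent = off).
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle = (Get-ItemProperty -Path $polKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $idle -or $idle -gt $MaxIdleSeconds) {
    $findings.Add("Machine inactivity limit is '$idle'; expected a value of at most $MaxIdleSeconds seconds")
}

# 3. Emit a result the build or deployment process can consume.
$report = [pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Checked   = (Get-Date).ToString('o')
    Compliant = ($findings.Count -eq 0)
    Findings  = @($findings)
}
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | ConvertTo-Json -Depth 3 | Set-Content -Path $ReportPath -Encoding UTF8
$report | Format-List

# Non-zero exit lets deployment tooling hold back a machine that slipped through.
if (-not $report.Compliant) { exit 1 }
```

Run it as the last step of the build process and again on a schedule after deployment: the first run catches the laptop that left IT without encryption, the later runs catch the volume whose protection was suspended for a firmware update and never resumed, which is exactly the "inconsistent implementation" gap described above. Treating the exit code as a gate, rather than just reading the report, is what turns the technology into process.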