I often point out that hard disk encryption like AlertBoot is not a cure-all for data security concerns. However, what the UK's Ministry of Defence has got going with their latest breach decidedly takes the cake.
According to the BBC, "a laptop containing secret data was stolen from the Ministry of Defence" headquarters last month, "along with a key used to decode encrypted files."
According to The Sun, "The computer was left in the HQ by a high-ranking RAF officer" and "he was removed from the maximum security building and posted to another station while the incident is investigated."
Obviously, there are details lacking in this story due to the sensitivity of the case. It's been pointed out by a source to The Sun that "this has the potential to become one of the most serious security breaches at the Ministry for a very long time. Laptops have been mislaid before, but not with encryption keys."
Generally, protected data must be accessed later on, so whenever one encrypts data, a way to decrypt it is required as well. Encryption and decryption of data require, among other things, the encryption key.
An encryption key is different from a password when it comes to encryption software. Basically, providing the correct password relays instructions to the encryption software to use the encryption key to reveal protected data. The password can be changed as needed, but the encryption key cannot: once data is protected with a particular key, that encryption key can only be changed by getting rid of it and re-encrypting the data with a different key. It wouldn't be wrong at all to say that data security provided by encryption hinges upon the encryption key.
In other words, the encryption key is a core component when it comes to protecting data. Passwords are extremely important, too, but not something one would consider "core." For example, losing a key to an unauthorized agent pretty much guarantees access to the data, whereas contingency plans could kick in when losing a computer and the encryption password (blocking access to the computer remotely by deleting the password...although, I'll be the first to point out that in my opinion it's more of a gimmick than a security component).
If an encryption key is lost, it's game over.
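The key/password split described above, as an added example (not AlertBoot's or any product's code): a random data key encrypts the data, and a key derived from the password only wraps that data key. The `Volume` class and helper names are hypothetical, and the HMAC-based stream cipher is a standard-library stand-in for AES.

```python
import hashlib, hmac, os

def _sub(key, label):                        # separate keys for cipher and MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so this runs on the standard
    # library alone; a real product would use AES here.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key/password or tampered data")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def kek_from_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Volume:
    def __init__(self, password, plaintext):
        dek = os.urandom(32)                 # the encryption key: fixed for the life of the data
        self.data = seal(dek, plaintext)
        self._wrap(dek, password)

    def _wrap(self, dek, password):          # the password only protects the stored key
        self.salt = os.urandom(16)
        self.wrapped_dek = seal(kek_from_password(password, self.salt), dek)

    def unlock(self, password):              # returns the raw encryption key
        return unseal(kek_from_password(password, self.salt), self.wrapped_dek)

    def read(self, password):
        return unseal(self.unlock(password), self.data)

    def change_password(self, old, new):     # re-wraps the key; self.data is untouched
        self._wrap(self.unlock(old), new)
```

Changing the password leaves `data` byte-for-byte identical, which is why a copy of the raw key taken before the change still decrypts it.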
That prompts a question, though (among many others, such as: what kind of physical security do they have inside MoD HQ?). What was this high-ranking RAF officer doing with the encryption key out and about?
My personal guess is that all this talk about "encryption keys" actually refers to the encryption password. Probably written on a Post-It note or something, and stuck to the laptop.
Related Articles and Sites:
http://news.bbc.co.uk/2/hi/uk_news/8409363.stm
http://www.scmagazineuk.com/new-laptop-loss-report-from-the-ministry-of-defence-as-it-confirms-the-encryption-key-was-also-taken/article/159552/