AlertBoot Endpoint Security

Laptop Encryption Software: ASCL Breaches UK DPA

The data breach tracking site databreaches.net notes that the Information Commissioner's Office in the UK has issued Undertakings with two UK organizations: The Association of School and College Leaders (ASCL) and Holly Park School.  The breaches are quite mundane: laptops were stolen.  However, the ASCL case shows why the use of full disk encryption software like AlertBoot is preferable over the use of file encryption software.

Employee Decides What to Encrypt

As I noted, the breach at ASCL is pretty mundane: a laptop computer was stolen from an employee's home during a burglary.  What is quite extraordinary is that the employee had final say on what was to be encrypted on that computer (my emphasis):

The ICO’s enquiries found that, while the laptop had encryption software installed on it, the decision on whether to encrypt individual documents was left to the employee. At the time of the theft the laptop included unencrypted personal information relating to approximately 100 individuals, including details of their membership of the union and in some cases, details of their physical or mental health. [databreaches.net]

It's quite obvious that the type of encryption employed was file encryption, where individual files are selected to be protected with the power of cryptography.  Now, I have noted in the past that there are strengths to file encryption over disk encryption as far as encryption software goes.

However, there are also weaknesses, the biggest being the one you see above: you've got to trust your employees to do the right thing all the time.

It goes without saying that the use of full laptop encryption would have been preferable, especially with hindsight.  On the other hand, a crystal ball is not required to see that it protects against that particular problem of trusting people to encrypt the correct files: laptop encryption encrypts everything on a computer.  No active decisions necessary.

Whole Disk Encryption Encrypts 100%

If you're unaware, this is how whole disk encryption (aka, laptop encryption, aka computer encryption) works: the storage component of a computer -- the computer's hard disk drive -- is encrypted in its entirety.  As such, any digital files that are saved on the computer are encrypted automatically.  Even the operating system of the computer is protected cryptographically.

The beauty of such a solution is that you don't rely on fallible behavior to encrypt your data.  It matters not whether an employee is forgetful, tired, harried, etc.: the data in a computer will always be protected.  This doesn't mean that data breaches will not occur.

This is because the encryption is specific to the computer itself.  For example, if you email a file to someone else, that copy of the file will be received in its unencrypted form.  Likewise if you copy a file to a USB memory stick.  Or to an external drive.

The solution to the latter two is quite simple, actually: use disk encryption on the USB memory stick or external drive as well.  For the email example, however, disk encryption is not a possibility.  The appropriate type of encryption would be file encryption.

The best way to protect your data?  Use both.  Disk encryption as a baseline security measure against a long litany of potential data breaches plus the use of file encryption when things are moving about (this is essentially what email encryption is all about, although different companies have different approaches to it).


Related Articles and Sites:
http://www.databreaches.net/?p=20870

 


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.