May 31, 2007

When it comes to objects wonderfully suited to being lost or stolen, it's tough to beat a laptop computer. The stats reveal a widespread, costly problem: 81 percent of 484 IT pros surveyed by security consulting firm Ponemon Institute say their company lost at least one laptop with sensitive information in the past year. And more than half of identity theft-related data breaches stem from the theft or loss of a laptop or storage device, according to Symantec.

Yet most companies aren't locking down every laptop. Maybe the data isn't worth the price of securing the computer, but for most financial services companies there are no excuses. The options for securing laptops are expanding and in many cases getting more practical for broader use.

Authentication: Who's Signing On?

Biometrics is one of those ideas that everyone's familiar with but hardly anyone actually uses. Several advances, however, might chip away at the obstacles that have kept this a niche application. Foremost is making biometrics easier to use.

If a biometric device isn't built into a laptop, it's not practical. Fortunately, laptops from Dell, Fujitsu, Hewlett-Packard, Lenovo, Toshiba and others now include fingerprint readers. Lenovo, for instance, last October introduced ThinkPad laptops that include a fingerprint reader and related Utimaco software to authenticate users. Replacing passwords has productivity as well as security appeal because it can cost $100 per employee a year to reset passwords, says Stacy Cannady, a security product manager at Lenovo.

There's less activity beyond fingerprints. Bioscrypt last month introduced a USB-pluggable 3-inch, 3-D face-recognition camera that can authenticate computer users. But face recognition relies on an external camera, so it has the same problem other biometrics options do. Unless it's integrated into a laptop like a webcam, it will remain mostly for authenticating desktop PC users. Another limitation is that to use the system, a person must undergo a digital face measurement.

The next area of focus for laptop makers is to make biometrics more intuitive, because "if security becomes a burden, people will bypass it," says Shab Madina, product marketing manager for HP's Personal Systems Group. Mass adoption will be slow going. A typical company might replace a laptop every three years, and most aren't likely to speed that up just to get built-in biometrics.

Smart Card Readers also are becoming more common. HP made them standard on many business laptops last year. Most laptop makers either have smart card readers built in or can support them via a PC card slot or a USB slot.

Few companies have used smart cards for PC security, though, because it wasn't economical to have one card for PCs and one for building access, says Ed MacBeth, senior marketing VP at ActivIdentity, a provider of smart card software. But advanced smart cards now allow, on a single card, the storage of passwords and other data, such as building-entry credentials. They also can generate one-time passwords.

Vendors are pitching smart cards to secure smartphones, too. Research In Motion's BlackBerry Smart Card Reader is worn like an ID badge and prevents use of a BlackBerry if the badge is out of the device's Bluetooth wireless range. The same reader can be used to authenticate a Bluetooth-enabled laptop user.

The Trusted Platform Module (TPM) is an embedded security chip that likely will become increasingly important in the coming year. It's based on a standard from the Trusted Computing Group, which was formed by Advanced Micro Devices, HP, IBM, Infineon, Intel, Lenovo, Microsoft and Sun Microsystems to push hardware-enabled security. The chip stores keys, passwords and digital certificates, and can be used in conjunction with portable tokens such as smart cards or biometrics to authenticate a laptop user.

The idea behind the Trusted Platform Module is that it moves part of the security out of the operating system (OS) and into hardware. So if someone removes a hard drive to get around a laptop's security software, for example, he's unlikely to be able to access the data, because the password information or encryption keys are stored in the chip. Windows Vista uses TPM as part of its BitLocker Drive Encryption feature, so TPM's importance will rise with Vista adoption.

BIOS (Basic Input/Output System) Security is the most fundamental laptop security, providing authentication through a password before the OS boots. "If you can't get into the operating system, you can't steal data," says Paul Moore, senior director of mobile product marketing at Fujitsu. Most laptops ship with similar BIOS password protections, so the job is making sure they are actually configured, so that unauthorized users can't modify the BIOS without administrative access. Most have management capabilities that let administrators remotely set BIOS security policies.

HP last year integrated Disk Sanitizer into the BIOS of its laptops. The feature lets companies wipe laptop hard drives clean by writing over them multiple times.

Encryption: What Can They Get Access To?

Encryption Hardware from Seagate Technology, the world's biggest hard-drive maker, offers businesses a new option — securing laptops from the inside out with the first encrypting hard-disk drives. The first Momentus 5400 FDE.2 hard drive with Seagate's DriveTrust technology shipped this quarter in laptops from ASI Computer Technologies. Seagate makes a claim not many security vendors dare — that laptops with Momentus may be exempt from state data breach disclosure laws if the computer is lost.

Seagate's hard drive uses a government-grade security protocol to encrypt all stored data, even temporary files. The encryption can't be turned off, so users can't violate policy. To access the drive, users need to type in a password. "A thief may get into the operating system, but they won't get into the hard drive," says Dan Good, VP of new business initiatives at Seagate.

But an encrypted hard drive doesn't eliminate all security risks. The encryption on Seagate's Momentus remains unlocked unless a laptop is switched off. That means users will have to make sure they don't leave their laptops unattended in hibernation mode, which is a default in Windows Vista.

Hitachi will offer hardware encryption as an option on all of its 2.5-inch drives starting this year. Lenovo is evaluating whether it wants to provide encrypting hard drives as an option or a standard in its laptops, and Seagate is likely to have competition soon from other hard-drive makers. "Pretty much all the PC makers will eventually go to market offering these drives," says Stacy Cannady, Lenovo's security product manager.

Encryption Software is the more common approach to full-disk encryption, provided by vendors such as GuardianEdge Technologies, PGP and Pointsec Mobile Technologies, which was recently acquired by Check Point Software Technologies. Additionally, Windows Vista's Enterprise and Ultimate editions offer an encryption feature through BitLocker.

Full-disk encryption software encrypts every bit of data, which is similar to what Seagate offers with its encrypting hard drive. One major benefit of the software approach is that a company can install it across different operating systems and laptop models.

Yet "encrypt everything" is an expensive and potentially risky approach. There's the cost of software, training and support. The extra software and hardware layers also can slow the performance of systems, especially when data packets must be decrypted by firewalls and intrusion-prevention systems to spot intrusions. Most difficult is that decryption keys can be lost or stolen — which leaves the rightful owner of the laptop unable to access sensitive data, just as surely as it would a thief.
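The key-separation argument in the TPM section above and the key-loss point here can be made concrete with a small model of a full-disk-encryption volume key wrapped under more than one protector: a secret that exists only in one machine's TPM, and a recovery key escrowed by IT. This is an added example, not Seagate's, Microsoft's or any vendor's design; the names `tpm_secret` and `recovery_key` and the HMAC-SHA256-based wrapping are assumptions chosen so the model runs with the Python standard library alone.

```python
import hashlib, hmac, os

def _prf(secret: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 used as a PRF; stands in for a real key-wrap algorithm (assumption)."""
    return hmac.new(secret, label + data, hashlib.sha256).digest()

def wrap_key(volume_key: bytes, protector: bytes) -> dict:
    """Wrap a 32-byte volume key under one protector secret, with a fresh salt each time."""
    salt = os.urandom(16)
    stream = _prf(protector, b"wrap", salt)
    blob = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = _prf(protector, b"tag", salt + blob)  # integrity check on the wrapped key
    return {"salt": salt, "blob": blob, "tag": tag}

def unwrap_key(wrapped: dict, protector: bytes):
    """Return the volume key, or None if this protector does not open the wrap."""
    tag = _prf(protector, b"tag", wrapped["salt"] + wrapped["blob"])
    if not hmac.compare_digest(tag, wrapped["tag"]):
        return None
    stream = _prf(protector, b"wrap", wrapped["salt"])
    return bytes(a ^ b for a, b in zip(wrapped["blob"], stream))

class EncryptedDrive:
    """Drive metadata: the volume key is stored only in wrapped form, never in the clear."""
    def __init__(self, volume_key: bytes, tpm_secret: bytes, recovery_key: bytes):
        self.protectors = {
            "tpm": wrap_key(volume_key, tpm_secret),         # bound to one machine's chip
            "recovery": wrap_key(volume_key, recovery_key),  # escrowed copy held by IT
        }

    def unlock(self, secret: bytes):
        """Try every protector; report which one (if any) released the volume key."""
        for name, wrapped in self.protectors.items():
            key = unwrap_key(wrapped, secret)
            if key is not None:
                return name, key
        return None, None

def demo() -> dict:
    volume_key = os.urandom(32)    # constructed sample keys, not real key material
    tpm_secret = os.urandom(32)    # exists only inside the original laptop's TPM
    recovery_key = os.urandom(32)  # escrowed before the laptop is deployed
    drive = EncryptedDrive(volume_key, tpm_secret, recovery_key)
    return {
        "volume_key": volume_key,
        "via_tpm": drive.unlock(tpm_secret),         # normal boot on the original machine
        "via_recovery": drive.unlock(recovery_key),  # TPM gone; escrowed key still works
        "via_thief": drive.unlock(os.urandom(32)),   # drive pulled into another machine
    }
```

Without the escrowed protector, the "via_recovery" path disappears and any loss of the TPM-bound secret leaves the owner in the same position as the thief.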

Courtesy of InformationWeek, a CMP Technology property.