The Executive Branch’s Office of Management and Budget has just released a memo (spotted at SecurityFocus) that’s intended to staunch the flow of sensitive information that federal agencies have been practically hemorrhaging for some time now. Many of the recent high-profile stories involve either portables with sensitive data falling into the wrong hands (e.g., the VA laptop thefts) or some form of remote access (e.g., the DOJ incident), so the OMB has decreed that all mobile devices need some form of encryption and all remote access must be protected by two-factor authentication. Here’s the list of mandates from the memo:
Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;Use a “time-out” function for remote access and mobile devices requiring user re- authentication after 30 minutes inactivity; andLog all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.
The memo doesn’t specify the particular technologies that are to be used, but it does stipulate that the agencies have only 45 days to comply. One hopes that this is the first move in a more comprehensive government-wide infosec reform that will be unveiled soon, and not somebody’s idea of the ultimate solution to the government’s mounting security woes.
Laptop encryption: it’s a good idea for everybody
I’ve been on a big backup kick this past week, and I snagged a copy of Knox so that I could make encrypted backups to my iPod. I like a having portable copy of all my work with me in case my apartment gets broken into and my hardware gets stolen, NAS and all. (I’ve been paranoid ever since this happened to me once back in Boston. I also busted a guy trying to break into my neighbor’s apartment last month.) Just in case I accidentally leave the iPod somewhere, I don’t want the person who finds it to have copies of my Quicken database—hence the encryption part.
Anyway, in the course of my research I’ve found that laptops are an increasingly common target for identity thieves. If your laptop gets boosted from a coffee shop table or from the back seat of your car, the odds are pretty good now that the thief is just as interested in your Firefox cache and other sensitive data files as he or she is in the hardware itself. So if you’re someone who does online banking on your laptop, you should seriously consider some kind of encryption solution, like Apple’s Filevault, or Knox.
Filevault kind of scares me, because I’ve had to hard reset OS X a few times before and the homework I’ve done tells me that this might hose my account if I had Filevault on. I also worry about the potential performance impact of encrypting all the disk reads and writes, but from what I can tell this isn’t too much of a problem. I guess that makes sense if you’ve got enough RAM and you’re not writing to the disk that often. It might get painful during one of my marathon Illustrator sessions, though.
Right now, I’ve settled on Knox, especially since you can get it bundled with Pathfinder. Knox is nice, because it creates an encrypted disk image that you can mount as a volume. You can then move your sensitive files to the Knox volume (called a vault) and work from there. The mounted file vault scheme doesn’t address browser cache issues, but there are other solutions for that.
Personally, I’m using Knox for making encrypted backups to my iPod and NAS box. I mount a secure vault and back up to it with my backup tool of choice, Chronosync. Knox itself then handles backing up the image to the iPod when I dock it, and Chronosync backs up the image to the NAS on a weekly basis.
I haven’t yet taken the plunge and started encrypting my regular data yet, but that’s the next step.
So now that you’ve heard about my laptop security setup, I’d be most interested in hearing about yours. Drop into the discussion thread and share your tips for keeping your laptop’s sensitive data out of the hands of thieves in the event that those thieves get their hands on the hardware itself.