laptops and security

Lynne Desrochers · September 26, 2011, 01:23:15 PM

I got a laptop for the Personal Lines Producer. I've been reading on the security for it and everyone says "make sure data isn't stored on it". Well how do I do that? Or is the answer, if you have to ask you have no hope. My thoughts are she would connect via citrix while out at a client.
Thank you everyone.

Bloody Jack Kidd · September 26, 2011, 01:26:49 PM

It could be as simple as providing the mobile user(s) with an IronKey. They keep all docs etc. on that and not on the notebook hard drive.

https://www.ironkey.com/personal

Depends on how the device is used.

Jeff Zylstra · September 26, 2011, 01:29:22 PM

I wouldn't get too concerned about it, as long as you don't store anything like drivers license, social security or credit card numbers on it. Your proposals and/or power point presentations aren't probably on anyone's desired reading list. Sorry.

Alice · September 26, 2011, 01:50:25 PM

Not saying this is a good thing or a bad thing...just mentioning what they do here.

They lock the laptops down so hard that nothing can be accessed except IE to connect to the Citrix Xenapp server. Everything they need to do their job is there. But here's the thing...all laptop users need to make an appointment to bring them in to:
- install Windows updates
- install virus updates
- install printer drivers
- anything that requires local files be updated/installed/changed.

I'm not involved with all that...seems like a pain in the butt for the user, especially if they live/work 60 - 90 minutes away. And we all know that producers never complain about anything...right?

Mark · September 26, 2011, 04:24:57 PM

IronKey is slick, but I would just not have them use the laptop for anything other than connecting back to the office. It's as simple as that. All the laptop should be is a portable remote access tool. Get a 3G/4G card for it if you're worried they may not always have an Internet connection wherever they go, or if you don't want to bother the client with connecting to the Internet.

Kevin Crow · September 26, 2011, 04:36:33 PM

We use TrueCrypt (www.truecrypt.org) to encrypt our laptops at the system level. ALL data on the laptop is AES 256 bit encrypted (1 of 8 encryption options). You can't boot Windows without first entering the password to unlock the volume. We also changed the password prompt to "HARD DRIVE NOT FOUND" to throw off the would-be thief (customizing the password prompt is a nice feature of TrueCrypt).

Jeff Golas · September 26, 2011, 05:01:48 PM

What Kevin said - that way they can use it as they would any other computer and the data is safe.

Bloody Jack Kidd · September 26, 2011, 06:31:46 PM

Quote from: Kevin Crow on September 26, 2011, 04:36:33 PM
We use TrueCrypt (www.truecrypt.org) to encrypt our laptops at the system level. ALL data on the laptop is AES 256 bit encrypted (1 of 8 encryption options). You can't boot Windows without first entering the password to unlock the volume. We also changed the password prompt to "HARD DRIVE NOT FOUND" to throw off the would-be thief (customizing the password prompt is a nice feature of TrueCrypt).

Had this done at one time, but had some disk errors and the entire thing became unrecoverable - was unpleasant. I now use a TrueCrypt "drive" that uses keyfiles instead of a password, and the keyfile is on my AES encrypted IronKey.

I joke that it's 4-factor since you need to know I have a TrueCrypt drive in the first place (isn't mounted at boot), you need to know it's keyfile-based, you need the IronKey and the IronKey password. You also need to know which file on the IronKey I used as the keyfile.

Mark · September 26, 2011, 06:36:19 PM

Quote from: Bloody Jack Kidd on September 26, 2011, 06:31:46 PMYou also need to know which file on the IronKey I used as the keyfile.

I wonder if something like trid would be able to tell me which file is the keyfile.

Bloody Jack Kidd · September 26, 2011, 08:34:46 PM

not sure - you can actually use anything as a keyfile, but I believe mine is cryptographic, which could be a bit of a giveaway.

Mark · September 27, 2011, 08:40:11 AM

trid just ID's file types.

Kevin Crow · September 27, 2011, 09:44:35 AM

We encrypt the whole drive because a lot of data goes to the system volume (browser and other temp files, Outlook cache files, etc). It's a lot of work to reroute all that to the TrueCrypt volume and I wouldn't be confident we got it all.

Also, the key file can be any file but it's very specific. The TrueCrypt web site warns about using an MP3 because if you rate the song (which changes the metadata) it won't unlock your volume any more.

Our users are told that nothing on their computer is backed up, so if it's lost, it's lost. All important data is to be stored on the network and cached to the laptop for offline access.

Mark · September 27, 2011, 09:48:24 AM

Hey Kevin,

I heard you talk about this probably a few years ago, but since hardware is constantly evolving, could you talk about the performance hit that you see on these TruCrypt'd laptops?

Jeff Golas · September 27, 2011, 09:55:08 AM

I use Truecrypt and its not too bad, but doing it on a 5400rpm drive may be a bit slow.

I've heard of other people using it on SSDs but there's issues in doing so, particularly if the SSD was already in use before encrypting (as the wear leveling may leave data outside the encrypted realm), and the fact that the entire drive gets filled/encrypted thwarts the wear leveling mechanics.

Long story short although anything can happen, I think the key thing is protecting the drive if someone grabs the laptop. I'm not sure how many laptop thieves put an SSD under a microscope, but anything's possible.

Kevin Crow · September 27, 2011, 10:32:06 AM

Personally, I haven't noticed a performance hit and my laptop's 3 years old. I think for business purposes, CPU, memory and disk speed far exceed our needs these days. If you were running a gaming machine with an encrypted drive you'd probably feel some loss of performance.

laptops and security

Alice