IT managers see an increasing need for data encryption.
Kent School District in Washington state has an ambitious plan to outfit thousands of students with their own notebooks – and securing those machines is a top priority.
The district will issue an HP 6000 series notebook running Windows 7 Enterprise to every middle and high school student, as well as to every teacher. By fall, there will be more than 10,000 notebook users in the district, with another 2,500 notebooks added every year for the next four years.
To plan for the rollout, Thuan Nguyen, the district's chief information and automated operations officer, ordered the HP notebooks with built-in Trusted Platform Module (TPM) chips, which provide encryption capabilities.
Nguyen also deployed Absolute Software's Computrace, which lets systems administrators see where every notebook is at a given time, who is logging in and what software is installed. It also allows them to remotely wipe the data from the hard drive if the unit is stolen.
As the IT department installs Windows 7 on the notebooks, it also includes Microsoft's BitLocker Drive Encryption, a full-disk encryption system, which uses the built-in TPM chip to fully encrypt the hard disks.
“With BitLocker installed and TPM enabled, our notebooks will be fully encrypted,” Nguyen says. “When you think about the amount of information our students and staff have, and have access to, making sure the devices are encrypted and protected is extremely important.”
Kent School District is doing the right thing, says Michael Spinney, senior privacy analyst with the Ponemon Institute, a security research group. In fact, a recent report on encryption by the institute found that more than 90 percent of organizations now believe that data protection is either a “very important” or “important”part of their risk management efforts, rising significantly from previous surveys.
“There was a point in time when device encryption may have been good enough, but that time has passed,” Spinney says. “With devices getting so small, people becoming so mobile, electronic communications so pervasive and hackers becoming so good at what they do, encryption at the data level is a critical piece of the security solution.”
Not all school districts are as far along with data encryption as Kent School District. Most are like Jefferson County Public Schools in Golden, Colo., where information security manager Chris Paschke looks forward to when the budget becomes less of an impediment.
The average cost of a breached data record in the United States
Source: Ponemon Institute
“We see both full-disk encryption for our laptops and e-mail encryption as priorities, but we're still trying to find the money and the best way to go about it,” he says.
Probably the first step will be e-mail encryption, which Paschke says is a greater concern, especially when it comes to protecting healthcare data sent via e-mail. The search for an e-mail encryption tool is under way, and Paschke expects a decision to be made by the next school year.
Only after e-mail security is implemented will the IT team begin to consider how best to use data encryption for the 500 to 1,000 notebooks that are most susceptible to data breaches. Paschke envisions a hardware solution as opposed to software because he says hardware is easier to manage.
5 Data Encryption Tips
- Encrypt throughout the organization. Don't rely on encrypting data just at the department level, or just on one type of system. Make sure encryption is deployed consistently throughout the organization and across all e-mail and mobile device platforms used within the organization.
- Build in flexibility. Create policies for disabling access for any user quickly if the need should arise. That includes procedures for making sure data has not been copied to another device.
- Understand encryption's importance. Don't consider other forms of security, such as firewalls, as a substitute for data encryption.
- Be thorough. For data that will be transmitted electronically, make sure the technology you use incorporates some of the following: Secure Sockets Layer certificate for message encryption, PGP encryption to secure e-mails, a digital certificate to ensure data authentication and e-mail encryption for digitally signing electronic documents.
- Take new media seriously. Don't ignore the data encryption of new media, such as tablets and smartphones.