Data protection directives and your customers
Joseph Souren promotes self-encrypting drives and trusted platform modules in the struggle for compliance
The Information Commissioner's Office (ICO) fined UK public sector bodies more than £2m in 2012 for inadequate data handling practices.
As we approach the third year since the Data Protection Act came into force, such instances of malpractice are expected to increasingly come to light in the private sector as well as in the public sector.
Last year's draft European Data Protection Directive presents a significant opportunity for the channel as enterprises need help to ensure their devices are encrypted and compliant.
The directive will mandate that organisations must notify national supervisory bodies of serious data breaches as soon as possible – within 24 hours, if feasible.
Those organisations that are deemed not to do enough to protect personal data may be fined up to two per cent of their global annual turnover, which is much more than in current UK legislation.
For many enterprises, anti-virus software, network access control and full disk encryption have been key in their fight against data and information security threats.
It's easy to see why – it's the approach that has been sold to them.
But these approaches are no longer sufficiently robust. The TDL4 malware variant, for instance, showed up anti-virus technology's inadequacy when it comes to detecting advanced persistent threats (APTs).
When a device is lost or stolen or data on it is threatened, enterprises must prove the device was encrypted at the time of the incident. This can be a challenge if they cannot be sure all data was encrypted, or whether the encryption was switched on at the time.
Moreover, anti-virus software does not encrypt the master boot record, leaving data open to attacks on the OS.
The most simple solution is managing the hardware-based security capabilities already built into devices, deploying, for example, a self-encrypting drive. An events log can show whether or not encryption was turned on.
A self-encrypting drive checks user access credentials using a cryptographic hash. This means there are no credentials or media encryption key on display inside such a drive. User credentials are provided in the preboot, so no software attack by the booted OS can discover the media encryption key or user credentials.
If a user has not been authorised, the drive will not permit access. There is no other way to obtain the data, even if the drive is removed. Only encrypted data can be read by a hardware attack.
With SSD, most of the information on the drive may be recovered even after a wipe. Flash drives keep old data around so as not to use up the read-write cycles.
Another useful strategy is trusted platform module technology, which stores the signatures of critical start-up components and sends an alert when unwanted changes are detected. This can defend a device from pre-boot attacks.
Joseph Souren is vice president and general manager at Wave Systems