Prism, the National Security Electronic Surveillance program operated by the United States National Security Agency (NSA) has caught a great deal of press lately. This surveillance program has raised questions as to how individuals can protect their data from being snooped upon. These revelations have led to discussions on ways that allow people to use encryption for protection.
I have been advising lawyers to use encryption technology for some time. When contacted by a lawyer who has had a laptop stolen from a car or elsewhere my first question to them is: “Did you have the laptop encrypted or just password protected?” I have yet to encounter a yes to encryption. Unfortunately it is all-too-easy to break a Windows password or otherwise gain access to the data on the laptop – for example, see: .
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
So what is encryption and how do you use it?
Wikipedia states: “In cryptography, encryption is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can.”
Encryption can be used to encode messages as well as encrypt files or folders on a hard drive (or the entire drive itself).
From a management perspective (for this column is intended to be about management tips) it behooves a law firm to ensure that there is as much protection around their and their client’s data as possible. After all, wouldn’t you prefer to say to a client that the firm had a laptop stolen but all the data on it was encrypted with a state-of-the-art algorithm over saying that you had a laptop stolen or lost that only had a Windows password….
Let’s look at disk encryption. Windows version 7 in the Ultimate and Enterprise editions comes with . Bitlocker can encrypt the entire drive and any file that you create.
Macs come with FileVault that is built into OSX. Once you turn it on, it encrypts everything – all disk contents and actively encrypts and decrypts data on the fly. Techhive has a blog post on how to encrypt a hard drive.
Now what about email? LifeHacker.com has a blog post on how to encrypt your email. Microsoft has posted on .
What about the endpoint security that Edward Snowden was speaking about as being so terrifically weak that it poses a problem for encryption?
In network security, endpoint security refers to a methodology of protecting the corporate network when accessed via remote devices such as laptops or other wireless and mobile devices. Each device with a remote connecting to the network creates a potential entry point for security threats. Endpoint security is designed to secure each endpoint on the network created by these devices.
Usually, endpoint security is a security system that consists of security , located on a centrally managed and accessible server or gateway within the network, in addition to client software being installed on each of the endpoints (or devices). The server authenticates logins from the endpoints and also updates the device software when needed. While endpoint security software differs by vendor, you can expect most software offerings to provide antivirus, antispyware, firewall and also a host intrusion prevention system (HIPS).
Endpoint security is becoming a more common IT security function and concern as more employees bring consumer mobile devices to work and companies allow its mobile workforce to use these devices on the corporate network.
Accordingly, management must be concerned with both encryption as well as possible access to the network via wireless devices and laptops to ensure high IT security and prevent ways to get around that highly secure encryption.
David J. Bilinsky
The views expressed in this blog are those of the writer and should not be inferred as those of the Law Society of British Columbia.