
Local file encryption - Data at rest

I know this is a much beleaguered topic, but I want to get some overall perspective on this subject based on some considerations.  

For the purpose of this question the following assumptions are true --

Encrypted files are fully accessible when authenticated access occurs.
We are guarding against stolen or lost devices that fall into the hands of others.
We are not necessarily guarding against remote hackers

So in our world, we have local Windows authentication which is password protected, and local file encryption using Windows 7 Pro file encryption.  The question is when is the solution enough?  There are many 3rd party solutions out there that claim to do it better and be more secure; however, as in most any security solution implementation, risks and pitfalls exist that make it only as good as the policy which is drafted, and not necessarily provided by the technology itself.  I understand that if I were holding the codes for nuclear Armageddon, of course we would spend millions of dollars for both the technology as well as the process to protect that data.  In our simple world I have yet to find a Windows 7 machine that I have not been able to recover local admin rights.  So that being said, am I exercising satisfactory due diligence to secure my protected data?  (And if you tell me you have a solution that is better than mine, and can you also guarantee me that there is no possible way to hack it / crack it, I'm not buying it... )

So again, when is the process satisfactory?  Where do we draw the line?  If I protect my device and spend 200 man hours and $20K to secure my system, and you only do Windows auth and EFS, and we both lose our device and the data is recovered -- did I win? Do I get more points than you?  Will I get a blue ribbon?

OK so just a little reflection.  Please feel free to give me your opinion on this topic, I will most likely award points to those I am in agreement with, but I tend to be fair and reward thoughtful insights.


The following story kind of sums up my disposition on security:

I have a hosted solution with N-able, and they have a password policy that is every 45 days, and the complexity is beyond memorization or comprehension.  So as a result we end up calling N-able once per week for password resets.  After so long, all of our staff have written down their passwords and keep them in secure locations like under the keyboard, in the pen jar, top drawer of the desk... so they can access the site.... This is a perfect example of a security policy which has backfired.  I can see the looks on the faces of the security officers who masterminded the password policy for N-able... he / they are very proud of their work... "Boy we've shown them... No one will hack into our Systems...."  of which they are right... all that will happen is someone will come along and steal a username and password, and voila they will be in.... So as I hope I have illustrated, this is a policy that truly lacks any introspection into the value proposition of its intended purpose...
3 Solutions

This is an opinion question, and given the amount of text and the number of security principles/techniques that you mention, we will have a hard time keeping this discussion from getting quite chaotic (I fear).

I know very well what you are talking of as I am working for a military related company.
Let me illustrate some remarkable things: The really important data (classified "NATO secret") and so on, may NOT be held on networked computers AT ALL.
Instead, you have stand-alone machines in secured rooms that are even shielded physically against electromagnetic emittance. http://www.automation.siemens.com/mcms/topics/en/tempest-products/pages/home.aspx

Those are not encrypted at all, instead the hard drives are being put in a safe at the end of the day.

That tells you quite a lot about real computer security. It is nearly impossible to achieve without such drastic measures.
Giovanni Heward Commented:
An answer entirely depends on your organizational information security governance and risk management policies (if any.)

Ideally these policies were designed using proven security and audit frameworks and methodologies such as COBIT, ITIL, ISO 27000, NIST SP 800-30, 800-30 and 800-66, CRAMM, FRAP, OCTAVE, etc.

Qualitative and quantitative risk analysis (involving exposure factors, single loss expectancy, annual loss expectancy, asset value, etc.) is generally used to identify resource value, risks, and mitigation cost.  Mitigation cost should consider all control types (administrative, technical, physical) and control categories (directive, deterrent, preventive, compensating, detective, corrective, recovery, etc.) as necessary.

So put simply, are they willing to spend 10% or 25% of the asset value to protect it?  It essentially boils down to the value of the asset (whether tangible or intangible.)

I'd say you get a blue ribbon if you're ultimately able to ensure organizational operations and mission objectives.  This requires ensuring availability, integrity, and confidentiality.  This is what you're being compensated for after all -- is it not?

Do your emanation controls address RF retro-reflectors, implant RF transceivers, and commercial wireless communications (GSM/EDGE, UMTS/HSPA, etc.)?

Rich Rumble (Security Samurai) Commented:
I tackled a lot of this in my article: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
And I even did some more in the 2-factor article:  http://www.experts-exchange.com/Security/Misc/A_12368-Two-Factor-Authentication-Added-layers-are-not-always-added-security.html

EFS isn't like some containers you find like TC, it allows multiple people to access it, but takes quite an effort to secure from a hacker. A mounted TC container relies on file/folder or machine access once it's open. A fully encrypted OS is great when it's physically stolen, but does nothing when it's running (unlocked).

We recommend companies put their data in encrypted databases/tables, and use HSMs to manage the keys so no human knows the passwords.
Nothing wrong with a written down password actually, I have many, I just protect them well on my person. I address that in yet another article: http://www.experts-exchange.com/Security/Misc/A_12386-How-secure-are-passwords.html
I don't know too many technical details, sorry. Those computer encasements (also shielded monitors and printers) are the only ones the German government certifies for working on this type of classified data, and by the shielding, it says we can achieve that no one could simply park his equipped bus next to our office and simply view, for example, the screens via recorded emittance.
halejr1 (Author) Commented:
Thanks for the feedback fellas --- almost exactly what I was expecting with some valuable feedback / information.
