Local file encryption - Data at rest
Posted on 2014-02-07
I know this is a much beleaguered topic, but I want to get some overall perspective on this subject based on some considerations.
For the purpose of this question the following assumptions are true --
Encrypted files are fully accessible when authenticated access occurs.
We are guarding against stolen or lost devices that fall into the hands of others.
We are not necessarily guarding against remote hackers
So in our world, we have local windows authentication which is password protected, and local file encryption using windows 7 pro file encryption. The question is when is the solution enough? There are many 3rd party solutions out there that claim to do it better and be more secure however as in most any security solution implementation, risks and pitfalls exist that make it only as good as the policy which is drafted, and not necessarily provided by the technology itself. I understand that if I were holding the codes for nuclear Armageddon, of course we would spend millions of dollars for both the technology as well as the process to protect that data. In our simple world I have yet to find a windows 7 machine that I have not been able to recover local admin rights. So that being said, am I exercising satisfactory due diligence to secure my protected data? (And if you tell me you have a solution that is better than mine, and can you also guarantee me that there is no possible way to hack it / crack it, I'm not buying it... )
So again, when is the process satisfactory? Where do we draw the line. IF I protect my device and spend 200 man hours, and 20K$ to secure my system and you only do windows auth and EFS, and we both lose our device and the data is recovered -- did I win? do I get more points than you? Will I get a blue ribbon?
OK so just a little reflection. Please feel free to give me your opinion on this topic, I will most likely award points to those I am in agreement with, but I tend to be fair and reward thoughtful insights.
The following story kind of sums up my disposition on security:
I have a hosted solution with N-able, and they have a password policy that is every 45 days, and the complexity is beyond memorization or comprehension. So as a result we end up calling N-able once per week for password resets. after so long all of our staff has written down their passwords and keep it in secure locations like under the keyboard, in the pen jar, top drawer of the desk... so they can access the site.... This is a perfect example of a security policy which has backfired. I can see the looks on the faces of the security officer who master-minded the password policy for enable... he / they are very proud of their work... "Boy we've shown them... No one will hack into our Systems...." of which they are right... all that will happen is someone will come along and steal a username and password, and voila they will be in.... So as I hope I have illustrated, this is a policy that truly lacks any introspection into the value proposition of its intended purpose...