Data Storage Security for Laptops
By stealing hard drives, criminals can obtain internal company data that they can then use to damage the company or to gain a competitive advantage. To counter the threat of unauthorized access to this information, the data on local hard drives is encrypted. If you, as a user, want to see your plain text data on the hard drive, you must first enter a password to decrypt it. Anyone who attempts access without this password sees only indecipherable binary data.
Bear in mind the following aspects of encryption:
● Manageability
When using encryption, you must always ensure good administration of the encryption keys used. Depending on the product, this implies additional planning, management, and administration effort.
● Encryption technology
● Usability
● Loss of performance
When you access encrypted data, the application decrypts it and encrypts it again when it is changed. The loss in performance depends on the solution used and the implementation scenario. If the encryption is implemented with hardware support, the performance loss is smaller than for a fully software-based solution.
● Emergency procedures for failures caused by user error or by hardware problems
Encryption is set up for individual users, so you must make sure that the company cannot lose access to its own data when that data has to be recovered. Such procedures are needed, for example, if a user deletes or forgets the encryption key, or if a hardware fault prevents the encryption from working normally. The corresponding emergency mechanisms, procedures, and guidelines must therefore be planned, implemented, and available before they are needed.
● Backing up encrypted data
You must decide whether to back up data in encrypted or unencrypted form. If you back it up in encrypted form, you must also back up the corresponding encryption keys so that you can decrypt the backup again.

We recommend that you encrypt the hard disk: any encryption is better than none at all. However, you should consider which hard disk encryption mechanism best meets your application areas and requirements.
There are several options for data encryption in the mobile client context. They differ in the following properties:
● Encryption either at operating system level or at a lower level
For example, Microsoft Windows provides the Encrypting File System (EFS) feature in Windows 2000 and higher, which encrypts individual files and folders at operating system level. This option can be used.
● Encryption either of individual files or of all data
The following solutions are currently available:
○ Encrypting the Hard Drive
§ Software-based encryption
§ Hardware-based encryption
○ Encrypting the Virtual Hard Drive
Encrypting the entire hard drive of the laptop protects all of its data equally. Once installed, the encryption software starts when the laptop boots, before the operating system, and the password (used to decrypt the data and to encrypt it again) must be entered before any data on the hard drive can be decrypted. If the hard drive is stolen and read with a disk editor, the attacker therefore sees only the encrypted data, never the plain text.
This method can also be used in the mobile client scenario, because all the relevant data is covered by the encryption. In scenarios in which several people share a single client device, make sure that the product used also supports several users. Hard drive encryption products typically provide their own Public Key Infrastructure (PKI) that controls access to the encrypted disk (that is, to the computers protected with the product) by users and groups; this PKI must then be installed and managed. Compared with file encryption and virtual drive encryption, hard drive encryption provides general, all-round protection for all stored data, but it places somewhat higher organizational and technical demands. Encryption problems always affect the entire computer, because the operating system is encrypted too.
Besides fully software-based hard drive encryption, hardware can also be used to support encryption mechanisms. There are two main types of hardware support:
● Encryption of data using special hardware
● Hardware used to store the encryption keys
Only the first type is likely to provide improved performance, as the second type still uses software to encrypt the data. Whether hardware encryption actually provides better performance than software encryption depends to a large extent on the technology used. If you are using a high-performance encryption chip that is well-integrated with the computer hardware (high level of data throughput), then you should experience minimal loss in performance.
Procedures that simply store the encryption key or the user identity on separate hardware (for example, a smart card or USB token) increase the security of system access, because both the hardware and the password are needed to access the system. This also means that if the hardware is lost, the computer can no longer be accessed; the same applies if the encryption itself fails. You therefore need to plan and implement emergency mechanisms and procedures (for example, a recovery credential held by the administrator), and the encryption product must support them. You must also operate and manage a product-specific PKI.
Advantages of hard drive encryption:
● Depending on the implementation, better performance than software-based encryption
● Depending on the implementation, greater security, because physical possession of the hardware (on which keys or identities are stored) is required
● All data on the hard drive is protected equally
● Security is independent of the operating system and its configuration
● The entire operating system (including the swap file) is encrypted
Disadvantages of hard drive encryption:
● Installation of additional software required
● Installation of additional hardware required
● License costs for the encryption product
● Hibernation mode may not be supported, depending on the product
● Increased technical and organizational demands
● A separate PKI must be installed, depending on the product
● When encryption-related problems occur, the computer can no longer be used at all
● Performance depends greatly on the product
Unlike encryption of individual files, encrypting a virtual hard drive encrypts all data that is copied onto the virtual drive, that is, the entire file hierarchy on it. The virtual hard drive is represented by a file stored in the computer's normal file system, whose contents are encrypted; a special driver, installed with the encryption software, connects this file as a separate drive. When the file is connected as a drive, you have to enter a password, which is then used to decrypt the data when the virtual drive is read and to encrypt it again when it is written. The advantage of this solution is that the data on the virtual hard drive is always stored in encrypted form.
In the mobile client scenario, the database files could be stored on an encrypted virtual hard drive. Depending on the product, the encrypted virtual hard drive is either connected automatically when the user logs on, or it must be activated manually. The encrypted virtual drive can also be used to save other sensitive data.
One advantage of this solution is that the security of the encrypted data depends only on the encryption software and on the quality of the chosen encryption password: attackers cannot view the plain text data even if they get past the operating system's access protection. Note that this holds only while the virtual drive is not connected. Once it has been connected with the password, anyone who can run code in that user's session can read it like any other drive, so disconnect the virtual drive whenever it is not needed.
When selecting a product, make sure that the encryption product can also encrypt a virtual hard drive for several users. This is important because the database may be accessed by several users (depending on the scenario). Access rights to the file that implements the virtual hard drive must be configured so that it can be accessed by all authorized users.
An encryption product provides key generation and administration features. Depending on its range of functions, the product may also come with its own PKI, which must then be installed and managed accordingly. Before or during initial operation, the keys must be created, either by the users themselves or by an administrator, and the administration and backup of these keys must be planned.
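The emergency procedures and key backup that the text calls for (both in the hard drive encryption section and here for virtual drives) rest on one mechanism: the data is encrypted under a single random data-encryption key (DEK), and the DEK is never stored directly but wrapped once per credential, so a deleted or forgotten user credential does not lose the data as long as an escrowed recovery credential still exists. The following is an added example, not code from the original page or from any SAP or third-party encryption product. It wraps the DEK with a per-slot pad derived by PBKDF2-HMAC-SHA256 from the password and a fresh random salt (so each pad is used exactly once) and authenticates the slot with an HMAC, which keeps it to the Python standard library; the slot layout, the names, and the iteration count are assumptions for the example, not any real product's on-disk format.

```python
"""Key slots with a recovery credential for an encrypted volume (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os

DEK_BYTES = 32
# Assumption for this example: raise the iteration count for real deployments.
PBKDF2_ITERATIONS = 100_000


def _slot_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a wrapping pad and a MAC key for one slot from its password and salt."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=2 * DEK_BYTES)
    return material[:DEK_BYTES], material[DEK_BYTES:]


def wrap_dek(dek: bytes, password: str) -> dict:
    """Create one key slot: XOR the DEK with a per-slot pad, then authenticate it.

    The pad comes from a fresh random salt, so it is used exactly once, and the
    HMAC tag lets unwrap_dek detect a wrong password or a tampered slot.
    """
    if len(dek) != DEK_BYTES:
        raise ValueError("DEK must be %d bytes" % DEK_BYTES)
    salt = os.urandom(16)
    pad, mac_key = _slot_keys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_dek(slot: dict, password: str) -> bytes | None:
    """Return the DEK if the password opens this slot, otherwise None."""
    pad, mac_key = _slot_keys(password, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None  # wrong password, or the slot was modified
    return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))


class VolumeHeader:
    """The key slots of one encrypted volume; the DEK itself is never stored."""

    def __init__(self) -> None:
        self.slots: dict[str, dict] = {}

    @classmethod
    def create(cls, user_password: str, recovery_password: str) -> tuple[VolumeHeader, bytes]:
        dek = os.urandom(DEK_BYTES)  # the key the volume data is actually encrypted with
        header = cls()
        header.slots["user"] = wrap_dek(dek, user_password)
        header.slots["recovery"] = wrap_dek(dek, recovery_password)  # escrowed by the administrator
        return header, dek

    def open(self, password: str) -> bytes | None:
        """Try every remaining slot; any credential that still exists yields the DEK."""
        for slot in self.slots.values():
            dek = unwrap_dek(slot, password)
            if dek is not None:
                return dek
        return None

    def revoke(self, name: str) -> None:
        """Model a credential that is deleted, forgotten, or sits on a lost token."""
        self.slots.pop(name, None)


def demo() -> dict[str, bool]:
    """Walk through the emergency case: the user credential is gone, recovery still works."""
    header, dek = VolumeHeader.create("user-passphrase", "recovery-code-kept-by-admin")
    results = {
        "user_opens": header.open("user-passphrase") == dek,
        "wrong_password_rejected": header.open("guess") is None,
    }
    header.revoke("user")
    results["recovery_opens_after_loss"] = header.open("recovery-code-kept-by-admin") == dek
    header.revoke("recovery")  # no escrowed credential left: the data is unrecoverable
    results["nothing_left"] = header.open("recovery-code-kept-by-admin") is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The last two steps of demo() are the point of the planning the text demands: once the user slot is gone, only the escrowed recovery slot opens the volume, and once that is gone too, no amount of administration brings the data back. Backing up the key material therefore means backing up the header's slots (or the recovery credential) separately from the encrypted data itself.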
An encrypted virtual hard drive cannot contain the swap file (the disk space set aside for virtual memory) or the hibernation file (suspend to disk), so plain text that the operating system pages out of memory while the drive is connected is written to disk unencrypted. The operating system itself also cannot be installed on an encrypted virtual hard drive. As with file encryption, encryption-related problems affect only the applications that access data stored on the encrypted virtual hard drive; the remaining functions of the computer are not affected.
Advantages of virtual hard drive encryption:
● Software solution, no additional hardware required
● Data security is independent of the operating system configuration
● Data on the virtual hard drive is always encrypted
● No access to plain text data even after the operating system has been compromised, as long as the drive is not connected
● Encryption problems affect only the applications that access encrypted data
Disadvantages of virtual hard drive encryption:
● Installation of additional software required
● License costs for the encryption software
● Files must be saved explicitly to the encrypted virtual drive
● Depending on the mobile client scenario, the product must support encryption for several users
● Key generation and administration (for example, backup) must be planned separately
● A separate PKI must be used, depending on the product
● Memory images (swap and hibernation files) are not protected
● The operating system is not encrypted
● You may have to accept lower performance than with hardware-based encryption
The mobile client for laptops uses SAP MaxDB as its default database. When the client installs the MaxDB database, it prompts you for a user name and password for accessing the database. After installation, this user name and password are stored in plain text in the default.properties file, in the following parameters:
● com.sap.tc.mobile.jdbc.user
● com.sap.tc.mobile.jdbc.password
To protect the database password, encrypt it by adding the following parameter to the default.properties file:
com.sap.tc.mobile.jdbc.pwsecurity=true
When this parameter is enabled, the database password is encrypted with the master key. Restrict read access to default.properties to the account that runs the client in any case: the user name remains readable, and the encrypted password is only as well protected as the master key used to encrypt it.
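A check for the setting described above, as an added example that is not code from the original page or from the SAP mobile client: it reads default.properties in the Java .properties format the file uses ('#' and '!' comments, '=', ':' or whitespace separators, backslash line continuation), reports whether com.sap.tc.mobile.jdbc.password is present while com.sap.tc.mobile.jdbc.pwsecurity is not true, and returns the file contents with the parameter set. The sample file and the values in it are constructed for the example; how the client rewrites the password value once the parameter is enabled is not shown, because the page does not describe that format.

```python
"""Audit default.properties for an unprotected MaxDB password (added example)."""
from __future__ import annotations

import re

USER_KEY = "com.sap.tc.mobile.jdbc.user"
PASSWORD_KEY = "com.sap.tc.mobile.jdbc.password"
SECURITY_KEY = "com.sap.tc.mobile.jdbc.pwsecurity"

# Constructed sample file for this example; the values are made up.
SAMPLE_BEFORE = """\
# default.properties (constructed sample)
com.sap.tc.mobile.jdbc.user=MOBILEUSER
com.sap.tc.mobile.jdbc.password=ChangeMe123
"""

# key (with escaped characters allowed), optional '=' or ':' separator, value
_KEY_VALUE = re.compile(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)")


def _continues(line: str) -> bool:
    """A line ending in an odd number of backslashes continues on the next line."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: comments, '=', ':' or whitespace separators, continuation."""
    props: dict[str, str] = {}
    pending: list[str] = []
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is insignificant, also on continuation lines
        if not pending and (not line or line[0] in "#!"):
            continue
        if _continues(line):
            pending.append(line[:-1])
            continue
        pending.append(line)
        entry = "".join(pending)
        pending = []
        match = _KEY_VALUE.match(entry)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit(text: str) -> dict:
    """Report whether a password is present and whether pwsecurity=true protects it."""
    props = parse_properties(text)
    password_present = bool(props.get(PASSWORD_KEY, "").strip())
    protected = props.get(SECURITY_KEY, "").strip().lower() == "true"
    findings = []
    if password_present and not protected:
        findings.append(f"{PASSWORD_KEY} is stored in plain text: set {SECURITY_KEY}=true")
    return {"user": props.get(USER_KEY), "password_present": password_present,
            "pwsecurity": protected, "findings": findings}


def ensure_pwsecurity(text: str) -> str:
    """Return the file contents with pwsecurity=true: rewrite an existing entry, else append one."""
    pattern = re.compile(rf"\s*{re.escape(SECURITY_KEY)}(?:\s*[=:]|\s|$)")
    out, done = [], False
    for line in text.splitlines():
        if not done and pattern.match(line):
            out.append(f"{SECURITY_KEY}=true")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{SECURITY_KEY}=true")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE)["findings"])
    fixed = ensure_pwsecurity(SAMPLE_BEFORE)
    print("after:", audit(fixed)["findings"])
    print(fixed)
```

The audit only confirms that the parameter is set; it does not verify that the client has actually re-encrypted the stored value, so run it after the client has restarted with the new setting and review the file again. Note that the user name stays readable either way, which is one more reason to keep the file's permissions limited to the client's account.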

If you are using the MaxDB database, you must also refer to the security guide for MaxDB.
More information: MaxDB Security Guide