Cracking Down On Laptop Security

Mobile computing has revolutionized the working practices of workers in all sectors and industries.

The key tool that has enabled this change is the laptop computer, combined with fast in-office access via a dial-up modem. The ability to work anywhere and at any time with secure access to the office network has spawned many trends, such as road warriors and, of course, teleworking. But perhaps most importantly it has enabled employees to have maximum flexibility in the way in which they work with the positive knock-on effects of improved efficiency and productivity.

It is not just executives on planes and salesmen on the road who can benefit from mobile computing. An enormous variety of people in a diverse range of sectors and roles are seeing enormous advantages. However, for certain sectors these benefits cannot be realized because of other impediments, the most crucial of which is security. Defense workers, police, intelligence services and central Government employees are probably the most restricted of all sectors by the security implications of mobile working.

The global threat of terrorism has reinforced the need for the most stringent IT security measures possible. At the same time, the various security agencies can benefit enormously from mobile computing. They need to be flexible and responsive in the way they work, and to do this all relevant information, whatever its security status, must be at their fingertips. Therefore, there is a clear need for mobile computing but in turn this focuses the spotlight most firmly on the weakest link - the laptop.

Many lessons appear to have been learned since the outburst of negative press coverage a couple of years ago surrounding laptop theft. Between 1996 and 2002, more than 1,300 U.K. Government laptops went missing. Of these, 594 belonged to the Ministry of Defense. Little surprise, therefore, that tabloid and broadsheet journalists alike have had a field day with stories about lost nuclear secrets and highly sensitive information on security services operations. There was even one sensationalized tale where a laptop that was taken from an intelligence officer at a London railway station was handed into The Mirror newspaper.

Obviously, the one key factor that the press chose to overlook or brush over was the security features that were already in place during the spate of laptop theft scandals. The fact that the data stored on the machines was heavily encrypted and almost impossible to crack was largely ignored. Instead, attention focused on more melodramatic angles such as, how could people be so careless as to lose such expensive machines? Or alternatively, why would anyone be so slipshod as to walk around in public with a laptop that contained highly sensitive information?

The answer to those two questions is fairly obvious. As highly valuable kit, laptops will always be a number one target for thieves. Secondly, the very point of having a laptop computer is to enable mobile computing and the machine would be little more than an expensive toy if it did not contain the data needed by the user to do his or her job.

More importantly, the users, in this case civil servants and MI5 agents, were reassured by the fact that all the information contained on the laptops could be encrypted. As former MI5 agent David Shayler stated in an interview with the BBC after one of the high profile laptop thefts: "The chances of a private individual being able to decrypt the information are zero. The sun is more likely to melt." However, Mr Shayler made one further astute comment that questioned whether the laptop users had made sure they had encrypted their data.

To date, encryption programs have relied upon the laptop user actively opting to encrypt the data. If done, this information is often safeguarded by 3DES or AES (U.K. government) encryption software that, it is commonly held, would take a hacker a billion years to crack using the world's entire processing power. However, the necessity for the user to proactively choose to encrypt the data leaves a massive hole in security management.

There are several reasons as to why this state of affairs has been allowed to develop. The prevailing difficulty is one of performance. If the encryption software dramatically reduces the machine's performance capability then this seems to defeat the object of mobile computing. Linked to this difficulty is the fact that the problem of securing data has been envisioned as being wholly or at least partly a software issue.

Instead, encrypting data on a laptop should be viewed from the hardware perspective. As all the information is stored on the hard disk it makes sense to focus on this as the security hub. If the user has to proactively decide to encrypt the data that is being saved, there is an inevitable danger that this might not be done. However, if every piece of data that goes on the hard disk is automatically encrypted by a separate hardware device, without any involvement from the user, then the security risk is dramatically reduced.

It is therefore little wonder that the U.K. Ministry of Defense, which has far in excess of 20,000 laptops, has mandated that from April 2003 all new laptops must incorporate hard disk encryption. All existing laptops must have similar levels of protection by January 2006. This means that any laptop thief will be faced with a totally encrypted, uncrackable hard disk and a separate encryption device. At the same time this encryption hardware is itself totally tamper proof, so there is absolutely no prospect of being able to access the encryption keys.

Automatic hard disk encryption means that the laptop will no longer be the weakest link in the security chain. Instead the focus switches totally over to the user. However, this is another area where technology can have an enormous impact.

Current security systems require the use of two passwords. Both passwords are relatively long and randomly generated. While efforts are made to make it possible for the user to remember these passwords, the mental discipline of remembering two nonsensical 12-character-long passwords is a tall order. In such circumstances the user is extremely prone to physically noting down the passwords rather than committing them to memory.

To deal with this security risk, new systems of security management should be adopted that mix password protection with other forms of security, such as radio frequency smartcards. By combining the two a far higher level of security management can be achieved. With only one password, the user can be reasonably expected to be able to commit this to memory. It is also highly unlikely that an opportunist thief will be aware of the existence of the smartcard. This means that any stolen laptop will only be worth the sum of its parts.

Of course, security issues surrounding mobile computing are not only about laptop theft. There is also the problem of ensuring secure dial-up connections. But by employing similar hardware based solutions, in this case with all the emails being passed through an encrypting modem, the highest levels of security can be maintained.

These steps are all ones that can be taken today. The challenge will be to focus on the threats of tomorrow. While the main tool for mobile computing today is the laptop, other devices such as mobile phones and PDAs are rapidly entering the fray. As their levels of sophistication increase, so both their encryption security and general security management will also have to be improved. This is the only way to ensure that the headlines of tomorrow are not of police officers, civil servants and intelligence agents being pilloried for the loss of another valuable mobile computing tool.

Paul Jackson is marketing director for Thales e-Security (
