John Dasher - Director of Product Marketing
One of the more common queries I hear when talking with both customers and the press involves how I manage my computer/data security while traveling. People seem increasingly nervous about this.
There are a variety of best practices that are specific to your operating system platform (which I’ll cover in a future post), but there are also a number of important safeguards you can take regardless of your specific computing environment. While I personally find this specific solution a bit of a pain in actual practice, I would be remiss if I didn’t point out that the safest approach you can take is to simply not travel with sensitive data. You can’t lose or have stolen what you haven’t brought with you. And do you really need to carry with you every piece of intellectual property you’ve touched since you’ve been at your company? Probably not.
For the purposes of this article let’s assume you travel with a laptop computer and a USB thumb drive or two. My approach begins with an age-old security strategy that PGP Corporation consistently preaches known as “defense in depth,” which means that a failure in one security mechanism doesn’t result in complete insecurity. I’ll share a simple, practical application of this philosophy in a moment.
Of course, any security solution is only as strong as the weakest link in the chain. With this in mind, I implore you to choose strong passwords. At PGP Corporation, we prefer strong passphrases. I can’t stress this enough. Seldom are systems breached due to failures in the underlying encryption or cryptosystems. Rather, the human element is attacked; people seem inexorably drawn to weak passwords that can be quickly and easily attacked via brute force. Or, just as bad, they write their password down and keep it in an insecure place.
With the above in mind, let’s talk tactics. First, it’s crucial that insomuch as is practical, you prevent an attacker from having physical access to your machine.
Second, use of a full disk encryption (FDE) product should be considered a basic first line of defense. Employing FDE means that your hard drive and any USB thumb drives that you carry will be fully encrypted from stem to stern, preventing the machine from booting or thumb drive data from being read if proper authentication credentials (usually a password) are not provided. Encrypting the entire disk is great, because all of your sensitive files are protected, and the stuff most people don’t think of – temp and swap files, cache files, web browser cookies, etc. – is also secure. FDE does this without the user having to make conscious decisions about what to encrypt.
Third, in addition to FDE, I use an encrypted virtual disk system for all of my important/confidential data. There are both organizational and security benefits to this practice.
Organizationally, I can have different virtual disks for different projects, or perhaps one for my personal data, one for work data, etc. This makes it very easy for me to back up an entire encrypted volume by simply dragging the virtual disk file to an external disk or server. Everything in a given project directory stays together on the backup volume and it remains encrypted.
The security benefit here is that by having one passphrase for my boot disk, and another for my virtual disks, I have additional layers of protection from either a brute force attack or the consequences that arise from being compelled to provide my disk passphrase to an official; my virtual disks remain protected.
By employing these simple steps, you’ve taken giant steps toward protecting yourself and your company from the theft or loss of your data. Feel better?