Microsoft Data Encryption Toolkit for Mobile PCs

Executive Overview - A Strategic Approac to Securing Mobile Data

!ersion "#" Published: January 2007 Updated: May 2007 For the latest information, please see microsoft.com/technet/SolutionAccelerators

Copyright 2007 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedbac on this documentation! you agree to the license agreement below.

"f you are using this documentation solely for non#commercial purposes internally within $%&' company or organi(ation! then this documentation is licensed to you under the Creative Commons Attribution# )onCommercial *icense. +o view a copy of this license! visit http,--creativecommons.org-licenses-by#nc-2..- or send a letter to Creative Commons! ./0 1oward 2treet! .th 3loor! 2an 3rancisco! California! 4/50.! &2A.

+his documentation is provided to you for informational purposes only! and is provided to you entirely 6A2 "26. $our use of the documentation cannot be understood as substituting for customi(ed service and information that might be developed by Microsoft Corporation for a particular user based upon that user7s particular environment. +o the e8tent permitted by law! M"C'%2%3+ MA9:2 )% ;A''A)+$ %3 A)$ 9")<! <"2C*A"M2 A** :=>':22! "M>*":< A)< 2+A+&+%'$ ;A''A)+":2! A)< A22&M:2 )% *"AB"*"+$ +% $%& 3%' A)$ <AMA?:2 %3 A)$ +$>: ") C%)):C+"%) ;"+1 +1:2: MA+:'"A*2 %' A)$ ")+:**:C+&A* >'%>:'+$ ") +1:M.

Microsoft may have patents! patent applications! trademar s! or other intellectual property rights covering sub@ect matter within this documentation. :8cept as provided in a separate agreement from Microsoft! your use of this document does not give you any license to these patents! trademar s or other intellectual property.

"nformation in this document! including &'* and other "nternet ;eb site references! is sub@ect to change without notice. &nless otherwise noted! the e8ample companies! organi(ations! products! domain names! e# mail addresses! logos! people! places and events depicted herein are fictitious.

Microsoft! Active <irectory! Bit*oc er! ;indows! and ;indows Aista are either registered trademar s or trademar s of Microsoft Corporation in the &nited 2tates and-or other countries.

+he names of actual companies and products mentioned herein may be the trademar s of their respective owners.

$ou have no obligation to give Microsoft any suggestions! comments or other feedbac B63eedbac 6C relating to the documentation. 1owever! if you do provide any 3eedbac to Microsoft then you provide to Microsoft! without charge! the right to use! share and commerciali(e your 3eedbac in any way and for any purpose. $ou also give to third parties! without charge! any patent rights needed for their products! technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the 3eedbac . $ou will not give 3eedbac that is sub@ect to a license that reDuires Microsoft to license its software or documentation to third parties because we include your 3eedbac in them..

Contents
Executive Overview - A Strategic Approach to Securing Mobile Data....1 Business 'is s.................................................................................5 'egulatory 'is s...............................................................................0 1elping to Mitigate 'is with the <ata :ncryption +ool it......................../ )e8t 2teps......................................................................................E

Executive Overview - A Strategic Approach to Securing Mobile Data

ou mi!ht be readin! this document from the screen of your laptop computer, or perhaps "hile "aitin! for a plane to your ne#t destination. $r perhaps you%re at home on the "ee&end tryin! to catch up on your to'do list. (ut do you e)er consider "hether all the information on your laptop is really secure* +hat if it%s stolen, or if one of your employees loses a laptop* ,re your latest desi!ns and mar&etin! plans protected* -s your customers. pri)ate information secure* $r "ill your or!ani/ation be the sub0ect of the ne#t ne"s headline for losin! thousands of customer records* 1U.2. 2ur)ey: 3onfidential 4ata at 5is&,1 a recent study by the Ponemon -nstitute, states 1ei!hty'one percent of 676 sur)ey respondents report that their or!ani/ations ha)e e#perienced one or more lost or missin! laptop computers containin! sensiti)e or confidential business information in the past 82'month period.1 3oncerned* ou should be, because losin! laptops is a serious problem. +ith their e)er' increasin! capacity, laptops can store massi)e amounts of business and personal information. 9hey are ubi:uitous and e#tremely effecti)e mobile tools, but losin! confidential data on them can si!nificantly impact your or!ani/ation.s bottom line, customer !ood"ill, and le!al standin! "ith re!ard to !o)ernment'enforced le!islation. -t can e)en cost you your 0ob. ;o"e)er, it is easier than you mi!ht thin& to ta&e steps that can help address these challen!in! issues. Microsoft has technolo!ies that can help<and you mi!ht already ha)e them. -n fact, if your or!ani/ation uses +indo"s =ista> or Microsoft? +indo"s? @P Professional, you already ha)e many of the tools you need. our or!ani/ation.s -9 department can help control this problem "ith the free do"nloadable Microsoft 4ata Ancryption 9ool&it for Mobile P3s that can help or!ani/ations li&e yours enable the encryption technolo!y that you already o"n. 9he Microsoft 4ata Ancryption 9ool&it for Mobile P3s can help protect your or!ani/ation by reducin! the ris& that carelessness or simple bad luc& "ill de)ol)e into a ma0or incident and si!nificant loss of time, money, and reputation. 9he 9ool&it, "hich "ill be released in the second :uarter of 2007 as a free do"nload, uses the Ancryptin! File 2ystem BAF2C Ba)ailable "ith +indo"s 2000, +indo"s @P Professional, and +indo"s =istaC and (itDoc&er> 4ri)e Ancryption Ban important ne" data protection feature in +indo"s =istaC. 9he 9ool&it "ill also include the AF2 ,ssistant, a tool that helps centrally mana!e AF2 encryption.

Business Risks
(usiness and technical mana!ers must understand their scenarios, the re!ulatory climate, and miti!ations for data e#posure ris&s. 9he Microsoft 4ata Ancryption 9ool&it for Mobile P3s focuses mainly on the issues of protectin! data that resides on mobile computers. ;o"e)er, the same concepts, concerns, and solutions also apply to des&top computers, "hich face similar ris&s because of the potential for theft and unrestricted access scenarios.

3onsider the follo"in! account of a fictitious company.s data disclosure e)ent, "hich illustrates the problem and possible ramifications. 13ontoso, a midsi/e technolo!y company located in 3anada, produced a "id!et that customers ordered throu!h its +eb site. Personally identifiable information in the 3ontoso database included customer names, credit card numbers, addresses, and telephone numbers. 3ustomers "ere from 3anada, the United 2tates, the United Ein!dom, and France. ,t 3ontoso, a hard'"or&in! 0unior analyst named Ficolas fre:uently too& his "or& home "ith him. (efore he left "or& one day, Ficolas copied a spreadsheet of customer information to his laptop so he could run reports a!ainst it. 9hat same ni!ht, his laptop "as stolen from his car "hile he "as shoppin!. Ficolas immediately reported his loss to his mana!er and the police. Ficolas and his mana!er discussed the incident "ith the company.s le!al department as "ell as "ith outside counsel. Ficolas and his mana!er learned throu!h these discussions that all of their customers "ould need to be notified of the possible disclosure of their personal information. 9hey immediately produced an e#planatory letter to send to customers and set up a hotline to ans"er customer :uestions. -n addition, they offered one year of credit monitorin! for e)ery customer in the database to help pre)ent identity theft. Unfortunately, these efforts did not end their problems. A)en thou!h there "as no indication that the lost data had been used for illicit purposes, se)eral class action la"suits "ere filed on behalf of customers in the United 2tates, France, and the United Ein!dom that accused 3ontoso of !ross )iolations of consumer pri)acy ri!hts. 9he story "as soon pic&ed up by ma0or media outlets, and culminated in a pa!e 2 story in 9he +all 2treet Journal. +ithin "ee&s of the loss of the laptop, the company.s stoc& had lost 7G of its )alue because of the li&ely effect on the sale of their "id!et product. -n addition, the hard costs of the incident totaled some HI00,000.1 , reasonable summary of the costs associated "ith the precedin! story is sho"n in the follo"in! table. Cost ite$ Personnel costs related to the loss, includin! data reco)ery and customer notification costs. ,dditional costs, such as public and in)estor relations and additional call center calls. ,ffected customer costs Bcredit trac&in! for affected customersC. De!al dama!es, includin! fines, le!al fees, and costs related to one ci)il la"suit. Dost customer re)enue B2J0 lost customers at H700 eachC 9otal A$ount H6J,000 H8KJ,000 H70,000 H8IJ,000 H87J,000 HI00,000

:8ecutive %verview # A 2trategic Approach to 2ecuring Mobile <ata

Unfortunately, laptops are easy theft tar!ets. Fe"s stories appear "ith increasin! re!ularity about companies that ha)e accidentally lost or had stolen laptops "ith sensiti)e personal or customer information. ,lthou!h the precedin! story is fictitious, an increasin! number of real or!ani/ations are learnin! that the costs of such a disclosure are enormous<sometimes orders of ma!nitude !reater than those referenced in the storyL Many calculators are a)ailable that can help you compute the true cost of a pri)acy breach, includin! the Pri)acy (reach -mpact 3alculator a)ailable on the +eb site of -nformation 2hield, a !lobal pro)ider of information security leadin! practices.

Da$age Control
$r!ani/ations that e#perience a data'disclosure incident face immediate direct operational costs. A#amples include internal in)esti!ations, consumer hotlines, trainin! and support documentation for call center personnel, direct mail notices to customers, credit card monitorin! ser)ices, and ad)ertisin! and mar&etin! to address customer concerns. -n addition, a strate!ic -9 initiati)e "ill li&ely be established to pre)ent such an incident from e)er happenin! a!ain. ,ll of these acti)ities re:uire countless hours of mana!ement o)ersi!ht and distract or!ani/ations from their true business.

%ran& Da$age an& 'ost Confi&ence

-t%s difficult to measure the impact of loss of reputation, or the umbra!e of customers at their loss of pri)acy, or the loss of relationship "ith business partners. 9he specific circumstances of each incident, brand loyalty, and the success of dama!e control efforts are all factors that affect ho" much a brand mi!ht be dama!ed by such a disclosure e)ent. -n some cases it mi!ht ta&e years to fully re!ain the lost confidence and trust of consumers.

Regulatory Risks
-n addition to business ris&s, many !o)ernment a!encies around the "orld are respondin! to their citi/ens% pri)acy concerns by establishin! si!nificant ci)il and e)en criminal penalties for failin! to protect pri)ate data.

(ort A$erican )egulatory Consi&erations

-n the United 2tates, more than K0 indi)idual states ha)e passed statutes that re:uire or!ani/ations Bcommercial or other"iseC to notify consumers in the e)ent of accidental or illicit data disclosure. Pro)isions of these statutes are tri!!ered by the lac& of encryption of pri)ate data. -n other "ords, encryption of pri)ate data is e#plicitly prescribed to miti!ate data ris&s. (esides these state re!ulations, se)eral federal re!ulations pro)ide similar restrictions and penalties, includin! the ;ealth -nsurance Portability and ,ccountability ,ct B;-P,,C, the Mramm'Deach'(liley ,ct BMD(,C, and the 2arbanes' $#ley ,ct B2$@C. -n 3anada, the Personal -nformation Protection and Alectronic 4ocuments ,ct BP-PA4,C and Personal ;ealth -nformation Protection ,ct BP;-P,C mandate strict protection and establish re:uirements for protectin! pri)ate data.

Microsoft <ata :ncryption +ool it for Mobile >Cs

European an& Asian )egulatory Consi&erations

-n the Auropean Union, the Auropean 4ata Protection 4irecti)e, as implemented by each AU Member 2tate, si!nificantly restricts "hat consumer data can be &ept or maintained by or!ani/ations. 9hese restrictions apply to or!ani/ations that operate from non' Auropean nations but that ha)e Auropean customers. 9his 4irecti)e sets forth strict !uidelines about "hat pri)ate data can be &ept and ho" it can be used, resultin! in much international debate and confusion about ho" the 4irecti)e should be applied around the "orld. 9hese issues are far from settled. $ther important consumer protection re!ulations mi!ht also apply to your or!ani/ation, such as the United Ein!dom.s 4ata Protection ,ct B4P,C. Di&e the 3anadian re!ulations referenced earlier, the 4P, mandates strict protection and establishes re:uirements for protectin! pri)ate data, althou!h the 3anadian and United Ein!dom re!ulations are not consistent in their approach to data stora!e. Many ,sian nations are also de)elopin! formal re!ulations and attemptin! to adopt consistent approaches throu!h such or!ani/ations as the ,sia'Pacific Aconomic 3ooperation 9elecommunications +or&in! Mroup B,PA39ADC. 2in!apore, 3hile, ,ustralia, 3hina, and -ndonesia are all "or&in! dili!ently to establish a unified approach to these issues that honors each nation.s public attitudes about free speech, political and economic freedom, and personal pri)acy. ,n e#cellent summary of these approaches is a)ailable in the 3aslon ,nalytics pri)acy !uide from 3aslon ,nalytics, an ,ustralian research, analysis, and strate!ies consultancy. $r!ani/ations "ith customers in any of these countries are sub0ect to si!nificant ci)il and sometimes criminal penalties for failin! to properly protect their customer.s pri)ate data, no matter "here the or!ani/ation itself is located. -f your or!ani/ation maintains pri)ate data Bthe definition of "hich )aries !reatlyC, you must de)elop a thorou!h understandin! of the constraints that international 0urisdictions place upon your data stora!e policies. A)en accidental )iolations of these re!ulations can e#pose or!ani/ations to substantial ci)il fines, business closures, possible criminal char!es, and si!nificant le!al consultation and trial fees. ,s a result, many 3A$s and board members see& solutions that increase data protection and help ensure compliance.

Helping to Mitigate Risk with the Data Encryption oolkit

9he Microsoft 4ata Ancryption 9ool&it for Mobile P3s describes t"o effecti)e and lo"' cost solutions for data encryption. 9he 9ool&it is a )aluable resource for any security professional "ho needs to resol)e data security issues on mobile computers. Affecti)e implementation of the !uidance pro)ided in the 9ool&it can help or!ani/ations meet certain re!ulatory re:uirements. -n addition, these technolo!ies pro)ide especially attracti)e solutions because they are already licensed "ith the +indo"s @P Professional and +indo"s =ista operatin! systems. 9he 9ool&it is based on the Ancryptin! File 2ystem BAF2C and (itDoc&er 4ri)e Ancryption, both of "hich pro)ide robust encryption mechanisms but ser)e sli!htly different purposes. 9he 9ool&it pro)ides detailed information about ho" these security technolo!ies "or&. -t also describes scenarios for "hich each technolo!y is appropriate, pro)ides deployment best practices, and considers operational issues such as &ey and

:8ecutive %verview # A 2trategic Approach to 2ecuring Mobile <ata

data reco)ery. 9he 9ool&it "ill also include the AF2 ,ssistant, "hich "ill be released in the first half of 2007 to help automate the deployment and confi!uration of AF2 on protected computers. 9ool&it features include the follo"in!: 'ow ac*uisition costs. AF2 and (itDoc&er are already included in certain )ersions of the Microsoft +indo"s operatin! system. Fo additional e#penditures are needed to ac:uire them. 'ow operations costs. AF2 and (itDoc&er are robust but simple and re:uire little or no operational maintenance. Ease of &eploy$ent. 9he 9ool&it deploys easily in en)ironments that use soft"are distribution technolo!ies such as the ,cti)e 4irectory? directory ser)ice and Microsoft 2ystems Mana!ement 2er)er. )obust security. AF2 and (itDoc&er are based on industry standards and certified encryption al!orithms. Mini$al user i$pact. +hen effecti)ely confi!ured, the 9ool&it is almost completely transparent to users. Minimal technical trainin! "ill be re:uired Balthou!h !ood data handlin! and stora!e trainin! "ill al"ays be necessaryC. Central $anage$ent an& exten&e& control. -mplementation of the 9ool&it can help -9 or!ani/ations e#tend control to all mobile P3s from a central mana!ement infrastructure, "hich can help ensure uniform compliance. +nifor$ solution. 9he 9ool&it is applicable to des&top computers and mobile computers.

%it'ocker Drive Encryption

(itDoc&er 4ri)e Ancryption, a ne" feature in +indo"s =ista, pro)ides a seamless "ay to encrypt all data on an entire hard dis& )olume. +hen (itDoc&er is confi!ured, it "or&s transparently in the bac&!round and does not affect typical use of the P3 or its applications. (itDoc&er encrypts the entire )olume, so it can pre)ent many attac&s that try to circum)ent the security protections in +indo"s that cannot be enforced before +indo"s has started. (itDoc&er also offers enhanced security for encrypted data by usin! a security hard"are module called a 9rusted Platform Module B9PMC. 9PMs pro)ide offline stora!e of root encryption &eys and an optional personal identification number BP-FC that "ould be necessary to unloc& the dis& encryption. 9PMs currently ship on laptops from almost all ma0or )endors, includin! 3ompa:, 4ell, Deno)o, and 9oshiba.

Encrypting ,ile Syste$ -E,S.

AF2 pro)ides seamless data encryption for user'selected folders and indi)idual files. ,fter encryption is enabled, the user e#perience is transparent. AF2 can also help protect a!ainst intruders "ho use certain &no"n attac&s to !ain unauthori/ed access to the computer.

Microsoft <ata :ncryption +ool it for Mobile >Cs

Microsoft Encrypting ,ile Syste$ Assistant

9he Microsoft Ancryptin! File 2ystem ,ssistant BAF2 ,ssistantC tool complements AF2< it pro)ides an automated, probabilistic "ay to detect "hich files should be encrypted. Di&e AF2, it is essentially transparent to users. -t can be confi!ured to re!ularly scan the hard dis& for ne" data files that are li&ely candidates for encryption. 9his functionality miti!ates the ris& of ne" user data files bein! created but left unencrypted and thus e#posed.

!ext Steps
+e recommend that you consider your options for protectin! confidential data on mobile P3s by readin! the Microsoft 4ata Ancryption 9ool&it for Mobile P3s Security Analysis. 9his document "ill help you understand the special ris&s presented by laptops, as "ell as ho" (itDoc&er and AF2 can help address these ris&s. ou can also use the Planning and Implementation Guide to help !uide you throu!h the process of deployin! (itDoc&er and AF2. Finally, if you "ant to use AF2 to protect data on your mobile P3s, you should in)esti!ate the AF2 ,ssistant as a "ay to centrally control AF2 in your en)ironment.