Protect Your Mobile Users With Windows' Encrypting File System
Browsing around dell.com these days will quite possibly reveal a laptop selling for $499. Picking up a 2 GB USB flash drive only sets you back about $30. The iPhone just dropped $200 and who knows what Apple will have for us next. What does all this mean? It means that mobile computing is cheap and here to stay. This is great news for end users because it means the masses can take their work with them wherever they go. Unfortunately, this is not so great for IT professionals because it means that more and more sensitive data is traveling outside of traditional physical security boundaries.
This growing phenomenon of cheap mobile computing can turn into a public relations nightmare when a mobile device carrying confidential data is lost or stolen. Security-focused media outlets frequently tell of stolen laptops containing sensitive data for tens of thousands of people. These organizations often end up paying for credit checks and other reparation for affected individuals. Imagine paying for credit checks for 50,000 people for one year. At ten dollars per month, that would be $6 million! IT professionals have a responsibility to help protect their organization from that kind of liability.
Of course, there are numerous solutions available to IT professionals to help mitigate the risk posed by the increasing use of mobile computing. Policies can be created that limit or completely disallow sensitive information on portable devices. Executive level and user level training on the potential dangers and cost is helpful. Dual-factor authentication and strict password policies are also very useful. But there is one key tool that we haven't mentioned yet, and that is encryption. This is arguably the most important instrument in protecting confidential information on mobile computing platforms from getting into the wrong hands. Policies can be disobeyed, training can be forgotten or ignored, and even strong authentication mechanisms can be subverted. Encryption should always be used on mobile devices that contain sensitive or confidential information assets.
We're going to focus on the pros and cons of protecting Windows-based computers using the Encrypting File System (EFS). Microsoft Windows is the dominant player in mobile computing for business, and protecting this segment of your user base will generally cover a majority of your mobile users.
So what is EFS and how does it work? The beauties of EFS are its simplicity and ease of use for the end user. Once files or folders have been encrypted the entire experience is hidden from the user. When encrypted files are opened by an authorized user, they are automatically decrypted by the file system before they are sent to the calling application. This means that there is no proprietary middle man necessary for an encrypted document to be opened by applications such as Microsoft Word or Excel.
Let's dig a bit deeper into the nuts and bolts of EFS. In Windows XP Service Pack 1 and later, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key to encrypt data on disk. When a file is designated for encryption, Windows creates what's called a File Encryption Key (FEK). This FEK is used to encrypt the file. Once this process is complete, the user's public EFS key is used to encrypt the FEK. Later, when the user wants to read the file again, the user's private EFS key is used to decrypt the FEK, and then the FEK is used to decrypt the file itself. Why does Windows complicate the process with both the FEK and the user's EFS key pair? The answer is recovery, as well as the ability to share encrypted files with other users.
The first thing a helpdesk agent is going to ask you when you mention giving the ability to encrypt files to end users is, "How do we recover the files when the user forgets their password or loses their encryption key?" This is where the Data Recovery Agent (DRA) comes into play, and is one of the reasons that EFS uses an FEK. By having the intermediary FEK, multiple EFS keys can be used to open a single encrypted file. As discussed above, when a file is designated for encryption, it is first encrypted using the FEK; then the user's public EFS key encrypts the FEK. For computers joined to a Windows domain, the FEK is also encrypted with the domain's DRA public EFS key. If the user's EFS key pair is lost or corrupted, then the DRA's private EFS key can be used to recover the data. This same principle applies to sharing files encrypted with EFS. Several users' public EFS keys can be used to save the FEK, which allows each of those users to open the file with their respective private keys at a later date.
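The FEK layering described in the two paragraphs above (one encrypted copy of the data, one wrapped copy of the FEK per authorized key) can be sketched with Node.js's built-in crypto module. This is an added example, not Windows' EFS code: the function names, the RSA key pairs standing in for EFS certificates, the AES mode and the sample data are all assumptions made for illustration.

```javascript
// Added illustration of the FEK / key-pair layering; not Windows' EFS code.
const crypto = require('node:crypto');

// Constructed RSA key pair standing in for an EFS certificate's key pair.
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Encrypt the data once under a random 256-bit FEK, then store one
// wrapped copy of the FEK per authorized public key (user, DRA, ...).
function encryptFile(plaintext, publicKeys) {
  const fek = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', fek, iv); // mode is this example's choice
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrapped = {};
  for (const [name, pub] of Object.entries(publicKeys)) {
    wrapped[name] = crypto.publicEncrypt(pub, fek); // RSA-OAEP by default
  }
  return { iv, body, tag: cipher.getAuthTag(), wrapped };
}

// Unwrap the FEK with a private key; fails if no copy was stored for that name.
function unwrapFek(file, name, privateKey) {
  if (!file.wrapped[name]) throw new Error(`no wrapped FEK stored for ${name}`);
  return crypto.privateDecrypt(privateKey, file.wrapped[name]);
}

// Recover the FEK first, then use it to decrypt the data itself.
function decryptFile(file, name, privateKey) {
  const fek = unwrapFek(file, name, privateKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', fek, file.iv);
  decipher.setAuthTag(file.tag);
  return Buffer.concat([decipher.update(file.body), decipher.final()]);
}

// Sharing: someone who can already unwrap the FEK re-wraps it for a new
// public key. The encrypted data itself is not touched.
function addReader(file, name, privateKey, newName, newPublicKey) {
  file.wrapped[newName] = crypto.publicEncrypt(newPublicKey, unwrapFek(file, name, privateKey));
}

// Demo with constructed keys and data: the DRA recovers the user's file.
const user = newKeyPair(), dra = newKeyPair();
const file = encryptFile(Buffer.from('constructed payroll data'), {
  user: user.publicKey, dra: dra.publicKey,
});
console.log(decryptFile(file, 'dra', dra.privateKey).toString());
```

Because every holder of a wrapped FEK can read the file, the DRA private key is as sensitive as all the user keys it backs up combined.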
Before we wrap this up, let's take a look at one of the negative aspects of EFS. The biggest failure of EFS is the quirkiness required to share encrypted files across a network file share. It can be done, but requires one of two options. The first option is to use EFS over the WebDAV protocol, otherwise known in Microsoft land as Web folders. If you must share encrypted files across the network, this is probably your best choice. The second option is to mark your file server as trusted for delegation. The problem with this solution is that the user's EFS key pair must be copied to a profile on the server itself. You will end up with a bunch of user profiles on your server even though the users have never actually performed an interactive logon on the server.
We'll be back in a week to look at how to implement EFS on your systems.