Law Technology News
May 2000
Security Spotlight

Encrypting File System: Will Windows 2000 Resolve Your Internet Security Worries?

While Windows 2000 has strong new tools, you may want to take more steps to protect your data.

By Noah Groth

HERE IS A SHORT math problem: How many billable hours does it take to replace confidential client information stolen from your firm's network?

Gaining unauthorized access to another person's electronic data is far easier than most people want to admit. These days, you must become a fanatic about protecting information on computers.

How do you protect electronic data? Through encryption -- the mathematical scrambling of words and formulas into unintelligible rubbish. On February 17, 2000, Microsoft recognized this truth -- finally. That date marked the official release of the Windows 2000 operating system. For the first time, Microsoft included in its operating system a built-in data encryption program, called "Encrypting File System" (EFS).

With the inclusion of EFS in Windows 2000, Microsoft is now taking an active and welcome part in the development of encryption tools that secure electronic information on servers and workstations. The upshot, no doubt, will be increased attention on the need for information security.

That said, EFS will not meet every firm's requirements for encryption. First, EFS works only with Windows 2000. If you don't want to upgrade just yet, you are out of luck. For large firms and corporations, the move to Windows 2000 is a major undertaking that requires significant time, planning, training, and money.

However, many other products exist that perform encryption even more efficiently and effectively than EFS, and many of these will run on your existing Windows 95/98/NT systems.

How EFS Works

At the user level, EFS operates simply, transparently encoding and decoding information without users' knowledge. EFS encrypts and stores files in any folder you specify as secure, and you can place secure folders on a desktop or portable computer or a server.

EFS uses proven encryption technology. Encryption software programs work by using complex mathematical equations -- called algorithms. There are numerous encryption algorithms available, and several have withstood rigorous testing. EFS uses symmetrical and public key infrastructure (PKI) encryption algorithms in combination to encrypt data. I won't bore you with a dissertation on encryption. Just remember these differences between symmetric encryption and PKI:

1. Symmetric algorithms encrypt large amounts of data quickly; PKI performs such tasks very slowly. In EFS, the symmetrical algorithms are used to encrypt the data files, and the PKI algorithms are used for EFS management purposes.

2. Symmetric encryption uses one secret key -- basically, a long sequence of randomly selected numbers. This key "locks" and "unlocks" the encrypted data. PKI employs a pair of such keys -- one public, the other private -- that are mathematically and uniquely related to each other.

EFS uses these differences to advantage. First, it encrypts data using the symmetrical algorithm. Next, it uses the public key to encrypt the symmetrical encryption key. Now only your matching private key will decrypt the symmetrical key. Typically, you use a password (or some other form of authentication) to gain access to your private key. Thus, data are encrypted relatively quickly and keys are secure. (By the way, this double-encryption approach is used by many software programs.)
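The two-step scheme described above, as an added example that is not part of the original article and is not EFS code. It uses Node.js's built-in crypto module, with AES-256-GCM and RSA-OAEP as assumed stand-ins for whatever algorithms EFS uses; every function name and sample value is hypothetical.

```javascript
// Added illustration of the hybrid scheme; NOT Microsoft's EFS implementation.
// AES-256-GCM / RSA-OAEP and all function names are assumptions of this example.
const crypto = require('node:crypto');

// The user's key pair. The private key is stored encrypted under a passphrase.
function makeUserKeys(passphrase) {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Step 1: encrypt the data with a fresh random symmetric key (fast).
// Step 2: encrypt that small symmetric key with the public key (slow, tiny input).
function encryptFile(plaintext, publicKeyPem) {
  const fileKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, fileKey);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), data };
}

// Reverse order: passphrase unlocks the private key, which unwraps the file key.
function decryptFile(blob, privateKeyPem, passphrase) {
  const fileKey = crypto.privateDecrypt({ key: privateKeyPem, passphrase, ...OAEP }, blob.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', fileKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.data), decipher.final()]);
}

// True when the file cannot be opened, e.g. because the passphrase is wrong.
function isLockedOut(blob, privateKeyPem, passphrase) {
  try { decryptFile(blob, privateKeyPem, passphrase); return false; }
  catch (err) { return true; }
}

// Constructed sample data, for demonstration only.
const keys = makeUserKeys('constructed-passphrase');
const blob = encryptFile(Buffer.from('constructed client memo'), keys.publicKey);
console.log(decryptFile(blob, keys.privateKey, 'constructed-passphrase').toString());
console.log('locked out with wrong passphrase:', isLockedOut(blob, keys.privateKey, 'guess'));
```

The stored blob holds only ciphertext and the wrapped key, so without the passphrase that unlocks the private key the data stays unreadable.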

Many Steps

EFS has a significant drawback: the procedure for securing a folder requires many steps -- which can seriously increase the likelihood you will fail to protect data.

For example, let's say you have already installed Windows 2000 on a notebook computer and generated and installed (or purchased and downloaded) the PKI key pair. In Windows Explorer, click on the "My Documents" folder (make sure it is empty) and apply EFS protection to the folder. Next, apply encryption to any temporary folders your applications may use. Fail to encrypt a temporary folder and you run the risk of leaving an unencrypted file on the system. Next, configure the Windows 2000 NTFS file system's access controls to prevent an unauthorized person from changing these settings.

Now, use Windows 2000's System Key command to create a system key for the account. System keys protect your private key with a password. The password prevents unauthorized access to your private key, which means your protected files remain encrypted.

You must complete one more critical, last step. Using the Windows 2000 Certificate Export wizard, export and back up your private key. Then delete the private key from the notebook (the private key's filename has the extension .pfx). Forget to do this, and a smart hacker can find that key and decrypt your data.

Lost Passwords

Another limitation involves the risk of losing your system key password. When a password is forgotten or an employee leaves, the process for recovering files can turn into a burden for your IT staff depending on how you set up key recovery in the first place. (You must define key recovery settings before EFS is ready to use.)

Remember, the System Key command generates a password that is bound to the individual account. Forget this password, and you simultaneously lose access to the account's system key, which provides access to your private key. No access to the private key means no decryption of EFS-protected folders. In those instances, Microsoft instructs users to send either the encrypted files or the computer back to the recovery agent or system administrator, who will then recover the files using his or her copy of the private key and return the information to the user (in plain text, I might add -- unencrypted and unprotected).

Imagine you are in a client's office and moments away from starting a major meeting. You forget your password and can't access encrypted sensitive information. Do you have time to send the files to your administrator?

Other encryption programs provide secure and easy key recovery over the telephone or by other means; however, EFS makes key recovery a logistical headache.

More frightening is what could happen if the workstation is also the default recovery agent. If the user of that workstation forgets a password, then that user's goose is cooked.

EFS does represent an important contribution by Microsoft to data security and encryption, and it is an improvement over password-only access control systems.

EFS comes at a high price, however. The program is available only if an organization installs Windows 2000, and it may require using Windows 2000's more advanced features and services as well. Also, setting up EFS is complicated, increasing the likelihood of inadvertently leaving files unprotected on a system. Equally problematic, the process for key recovery in EFS requires considerable effort -- especially by IT administrative staff. In my experience, system administrators dread time spent recovering lost data.

Alternatives

You may be better off taking a "best of breed" approach instead. That would involve purchasing a third-party encryption program that works as well as (or perhaps even better than) EFS. Numerous software programs are available that encrypt folders, just as EFS does.

Look for a folder-level encryption program that is relatively simple to install and maintain. For example, look for a product that requires only a few minutes to set up, provides strong "on the fly" encryption, gives system administrators full file recovery capabilities, and includes tools that help users recover their lost passwords.

Alternatively, you might consider a software program that encrypts your entire hard disk. Only a handful of really good hard disk encryption programs are available; however, they offer a significant advantage over EFS -- they encrypt every file on the computer automatically and transparently. That means there is no chance that anything is left unprotected and the user doesn't have to think about whether a file needs to be secure or not. Typically, these hard disk programs are designed for large organizations.

In sum, if you are looking to Windows 2000 primarily to gain access to the EFS security feature, consider investing in some other standalone encryption application that is strong, easier to use, and lessens the risk of leaving files unprotected.

Noah Groth is president of PC Guardian, headquartered in San Rafael, Calif.

Copyright © 2000 NLP IP Company. All rights reserved.