Encryption is hard. Case in point: the US government, which requires its agencies to encrypt all sensitive data on laptops and mobile devices. But according to the US Government Accountability Office, as of last year, 70 per cent of such devices didn't encrypt -- and the other 30 per cent weren't in great shape either.
The GAO just released a report that audited 24 agencies and departments for their mobile encryption implementations. It included trouble spots like the US Department of Veterans Affairs, which in 2006 lost a laptop containing the personal information of 26 million vets and military personnel, and the US Commerce Department, which has lost more than 1,000 laptops since 2001.
You already know the headline conclusion: At the time of the audit, June to September 2007, more than two-thirds of the mobile devices in these 24 agencies weren't using encryption at all.
But that's not the interesting part. The GAO also found that, in many cases, even the devices believed to be encrypted had problems. Sometimes the encryption wasn't actually installed. Or it wasn't configured correctly. Or it hadn't been turned on. Often, users hadn't been trained, sensitive information hadn't been inventoried, and crypto key control procedures hadn't been established.
You can read the gory details by downloading the report (it's on the Web at www.gao.gov/new.items/d08525.pdf). The real horror stories start on page 29.
(Predownload quiz: Guess which department hadn't installed encryption on any laptops, even though officials insisted that it had? Guess which hotshot technical agency said it had no way of telling whether encryption software had been successfully installed on a laptop? And guess which department's employees never used encryption because no one told them it was installed?)
Even if you don't care about the dirt turned up by the audit, you should download the report. It includes a remarkably readable crib sheet on the different types of encryption for mobile device hard disks (full disk, file, folder, virtual disk), communications (VPNs, digital signatures and certificates) and handheld devices.
It also gives a good rundown of the categories of problems the agencies ran into with their encryption efforts, as well as a table listing the actual volume pricing that government agencies are getting. (One nice non-horror story from the report: The US Department of Agriculture cut its own deal for 180,000 encryption licenses at US$9.63 each, way below even the best government price schedule.)
In short, it's a useful, practical overview of the ups and downs of putting encryption on laptops, portable drives and BlackBerries. And it's based on real-world experience -- even if, for most government agencies, that experience hasn't yet translated into success.
Why do you care? Because encryption is hard. And encryption is coming to portable devices near you. Whether because of regulations, lawsuits or common sense, soon or late you'll be doing this in your IT shop.
The more you learn now about someone else's foul-ups, failures and dead ends, the better you'll be able to avoid them. And as long as your tax dollars are being spent on these mistakes, you might as well get some value from the exercise.
Besides, what other report that you browse this year will tell you how the US State Department dodged its audit: "Although the inventory provided by the agency indicated that the employees were assigned to the location that we visited, they were actually assigned to posts throughout the world."
Happy reading.