Thursday, July 15, 2010

Consultant Tools Series: TrueCrypt

Several non-technical friends and colleagues have asked me how to manage and secure sensitive or confidential data.

One is an independent CPA that has client information in his tax preparation and accounting software.  Another is involved in high stakes business transactions and legal proceedings, and travels to dozens of countries every year to meet with investors, attorneys, and governments.  Another friend has a business that provides health insurance, retirement plans, and other employee benefits to businesses, and has to store a lot of very sensitive medical and financial information.

In the Dynamics GP world, the most sensitive data that I've worked with are client databases with full HR and Payroll records, or client data files that have confidential employee information, including name, address, phone, SSN, etc.  Just today I received some files containing employee information for an HR and Payroll integration to Dynamics GP, so I immediately wanted to encrypt the files.

While there is no single answer to the question of how such confidential information should be managed, when most people think of securing such data, they often use two phrases:  "password protect" and "encrypt".  It's a good start, but that's often the limit of their knowledge.

Before discussing details, I usually ask the person what concern or risk they are trying to address.  How sensitive or confidential is the data?  Is it only of interest to competitors?  Would criminals want it?  Would law enforcement want it?  Would lawyers or private investigators want it?  Would a government want it?

Most people just don't want the data wandering around publicly, and don't want it exposed if a computer is hacked or stolen.  But some people do legitimately need to ensure that certain files cannot be accessed by a government agency, even if the computer is confiscated.

Although there are probably lots of different options, I usually offer the following choices:

1) Put a password on the Excel or Word file.  This is usually adequate to prevent inadvertent disclosure of sensitive information, such as a list of tentative pay raises, bonuses, or terminations at a company.  The passwords on Microsoft Office files can either be stripped out or cracked by various software packages, so the Office passwords only provide a low level of security.  And one significant downside is that each file must have a password, so if you use different passwords, don't access the file regularly, or have to open a file that is several years old, it is common for people to forget the password (myself included).

2) Use WinZip or WinRAR to compress one or more files, and then use a password on the Zip or RAR file to encrypt and secure the files.  This has some benefits, such as being able to secure multiple files with one password, and the ability to secure files that don't have their own encryption (like a CSV or text file).  But such passwords really aren't any more secure than an Office file password, as password crackers can attack zip files as well.  Another downside to using WinZip with a password is that although the compressed files may be encrypted, anyone who opens the zip file can see its contents, which I personally don't like.

3) If those basic options are insufficient, I then jump straight to TrueCrypt.  TrueCrypt is a free, open source encryption application that provides very secure on-the-fly file and disk encryption.  It was created in 2004, and is widely recognized as one of the best disk encryption options available today.  The fact that it is free and open source means that I don't have to purchase upgrades as new versions of Windows are released, as encryption techniques change, or as the software vendor goes bankrupt or is acquired like at least one of the other disk encryption products I have tried.

TrueCrypt is available for Windows, Mac, and Linux, and if you review the features and documentation, I think you'll see how seriously the product addresses security.

TrueCrypt recently made news when the Brazilian government and the FBI were unable to crack hard drives encrypted using TrueCrypt.  While few people need to legitimately hide their data from such organizations, it's reassuring to know that the solution works when used properly.

There are a few key things that I like about TrueCrypt.

1) It is very easy to use.  Even if you don't understand how it works, the TrueCrypt beginner's tutorial walks you through the very simple process of creating a new encrypted container.  Once that container is setup, it's simply a matter of mounting the file and entering a password, and you have a new drive letter in Windows.

2) Because it is volume based, many applications can use TrueCrypt volumes transparently.  For small businesses or CPAs that run Lacerte tax software or QuickBooks, it's very simple to have applications read and write all of their data and files to a TrueCrypt volume, just like any other hard drive.

3) TrueCrypt doesn't require extra steps to encrypt data.  Because it encrypts and decrypts data on the fly as it is read and written to disk, there are no extra steps to secure the data, which is a huge benefit for a non-technical user.  Once the volume is dismounted, it just becomes an anonymous file on your hard drive.

4) TrueCrypt supports "key files" in addition to passwords.  Instead of trying to remember multiple 10-20 character secure passwords, you can use just about any file, or combination of files, to serve as your 'password'.  If you have a hundred MP3 or JPG files on your computer, you can randomly choose one or more of those files to serve as your key.  Just make sure to keep those MP3 or JPG files safely backed up!

5) Once you have your TrueCrypt container setup, you can use online backup services to back it up in the cloud, without worrying about whether the backup provider is really encrypting your data or has adequate safeguards to ensure that your data can't be viewed. 

This morning, after receiving a CSV file containing the data for over 900 employees, I immediately created a new TrueCrypt container and then moved the files to the mounted TrueCrypt volume.  It took maybe 2 minutes, literally, and that data is now encrypted, maintenance free.

In this case, I chose to use a standard password for the container, and then stored that password in a RoboForm secure note for safe keeping, since it may be days or weeks before I need to access the files again.

And with that, YCpRz37dTkC4Vh5PLIjuyQmBslgBB4/Oy+LPGjajHao=

(That's "Have a good weekend!", in 128-bit AES)


Stanley Glass said...

TrueCrypt is one of the most awesome tools out there. On Windows 7 you can create a Virtual Hard Drive (VHD) and encrypt it using TrueCrypt. I do this to store all of my personal data and financial data. IMHO everyone should be doing this.

Steve Endow said...

Thanks Stanley. Admittedly, there are so many features in TrueCrypt that I probably use a small fraction of its functionality and potential, but it's great to see a product that has so many features yet is so simple to use for basic needs.

I would agree that there are probably a lot of people and organizations that should probably be using solutions like TrueCrypt to protect confidential information. Much like my colleagues!