The death of Windows XP didn’t trigger the apocalypse many feared, but it hasn’t been without incident, nor is it over yet. In May, TrueCrypt announced it was ending support and development of its open-source encryption software, suggesting users switch to BitLocker for PC or FileVault on Mac.
A post on the official website claims there are unresolved (and unspecified) security issues related to Microsoft’s shutdown of Windows XP, but many experts are quick to point out Edward Snowden’s endorsement of the software and how Lavabit, the encrypted email service Snowden used, also shut down after attracting the attention of the federal government.
Whatever the reason for ending the project, this free encryption software was deployed by a lot of organizations that are now facing another expensive upgrade on top of their migration from the XP operating system.
If you’re in the market for a new encryption program, here’s what you need to do:
1. Check for FIPS Validation
The biggest driving force for encryption is government regulation, such as HIPAA HITECH compliance. One way to avoid the fines and related expenses associated with a data breach is to prove you had encryption deployed on the devices.
TrueCrypt may provide a certain level of security, but you can’t count on the authorities giving you a safe harbor pass with a non-validated solution in the event of a data breach.
The government has a security validation scheme called FIPS validation. When a security product is FIPS 140-2-validated, it means the National Institute of Standards and Technology reviewed the source code, provenance, and viability of the product, so it’s secure by government standards. This requires financial investment, which obviously won’t come from open-source developers.
My advice? Visit NIST.gov to see the company’s FIPS validation certificate for yourself.
2. Know Your Software’s History
Provenance comes up often when referring to TrueCrypt. You really don’t know the history of the code or who’s been updating it. Even if TrueCrypt is revived, the nature of open-source cryptography means your enemy is likely guarding the gates, with both whistleblowers and corporations contributing to the same pool.
3. Pay for Security and Support
Let’s face it: There are some people who are so frugal they won’t pay for software. They’ll opt for open-source solutions strictly because of cost. However, commercially viable security solutions will always have someone supporting them for a price. If you implement open-source software for an important function, you could see support disappear in a flash, much like we saw with TrueCrypt.
Though TrueCrypt itself is free, think about the billable hours spent by companies that deployed it. Many companies made this investment, and now TrueCrypt says the product is not secure. We have new customers who spent significant sums of money to deploy TrueCrypt, and since they’re in regulated industries such as healthcare and finance, they’re now forced to migrate to a commercial solution to remain compliant.
4. Review Independent Case Studies
Although many worry about the NSA decrypting their data to prosecute them, there’s no evidence of the government using data access this way. In fact, the Electronic Frontier Foundation cites case law where the government couldn’t force people to give up encryption passwords due to Fifth Amendment protection.
Commercial solutions should have independent case studies and reviews of the product to validate the solution. In addition, they should provide robust reporting that allows you to centrally monitor security compliance.
5. Consider Efficiency in the Total Cost of Ownership
My company goes to great lengths to ensure we provide a high level of security without getting in the end user’s way. This is the challenge with security software. You have to test the software before committing to large install footprints to ensure that it won’t have a negative impact on your work environment or your employees’ productivity.
TrueCrypt was a great product, but it was tough to maintain in a medium-sized or large business environment. Generally speaking, commercial options have a lower cost of ownership due to the central management capabilities — something a free solution like TrueCrypt wouldn’t be able to provide.
Make sure you test the install and remote management of the software. Efficiency isn’t a basic tenet of security, but the solution you choose must provide it.
Large-scale software implementations take a long time. Many prominent organizations are still working out compatibility issues and performing user acceptance testing on their migrations from XP to a newer version of Windows. Those using TrueCrypt are in a precarious position because they’ve now fallen doubly behind.
When it comes to data security, don’t take the chance of deploying an open-source solution. With software, you truly get what you pay for, and your customers’ data is worth more than you think.