Feeds

PGP disk encrypt approved by MoD for military use

Good enough for personal data, not for missile codes

Choosing a cloud hosting partner with confidence

The UK MoD has certified PGP Corporation's whole disk encryption technology as suitable for use on British military computers. However, like most software-only solutions, it has been approved only for machines holding fairly low-level information.

PGP Whole Disk Encryption had previously passed the UK government's baseline approval process run by the CESG, but has now been certified by the Defence INFOSEC Product Co-operation Group (DIPCOG) forum as approved for use in MoD and military systems. However a disk protected solely by PGP encryption is only allowed to have RESTRICTED (Impact Level 3) information on it.

The British protective markings run from UNCLAS (Impact Level 1-2) to RESTRICTED (Impact Level 3) through CONFIDENTIAL (4), SECRET (5) and TOP SECRET (6).

There are some security products already on the UK market certified to higher levels, for instance Flagstone Enhanced rated for TOP SECRET information - but this requires replacement of a laptop's hard disk with special hardware, which would be overkill for most users. Microsoft's BitLocker, included in some versions of its later operating systems, is (like PGP) only OK'd for RESTRICTED.

According to an MoD statement:

The DIPCOG is pleased to be working again with PGP Corporation, in order to exploit its famous capabilities for information security, and is looking forward to reviewing further [baseline CESG] approved products for adoption by the MoD.

This doesn't mean that PGP isn't any good. The MoD and its advisers from the intelligence community, rightly or wrongly, consider that government information from CONFIDENTIAL upwards might be a target for sophisticated nation-state spy organisations employing highly exotic attacks to get around disk encryption. Thus most security products using normal hardware tend to be limited to RESTRICTED.

But things which in many organisations would be seen as crown jewels - people's personal details, for instance - are classified RESTRICTED in the MoD (albeit usually with an added caveat, eg RESTRICTED STAFF or RESTRICTED MEDICAL, it's still only Level 3). Level 6 is stuff like the planned patrol area of Blighty's nuclear missile submarines.

Unless you think that the Russian FSB are going to lift your crypto keys right out of your RAM using a miracle Tempest probe from the next hotel room or something, PGP and similar solutions should be quite good enough. Arguably the MoD security apparat is being overly paranoid anyway - experience suggests that in fact nothing terribly interesting is normally to be found in MoD files even at the SECRET level, let alone CONFIDENTIAL, and maybe they could relax a bit. ®

Choosing a cloud hosting partner with confidence

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.