Feeds

PGP disk encrypt approved by MoD for military use

Good enough for personal data, not for missile codes

Intelligent flash storage arrays

The UK MoD has certified PGP Corporation's whole disk encryption technology as suitable for use on British military computers. However, like most software-only solutions, it has been approved only for machines holding fairly low-level information.

PGP Whole Disk Encryption had previously passed the UK government's baseline approval process run by the CESG, but has now been certified by the Defence INFOSEC Product Co-operation Group (DIPCOG) forum as approved for use in MoD and military systems. However a disk protected solely by PGP encryption is only allowed to have RESTRICTED (Impact Level 3) information on it.

The British protective markings run from UNCLAS (Impact Level 1-2) to RESTRICTED (Impact Level 3) through CONFIDENTIAL (4), SECRET (5) and TOP SECRET (6).

There are some security products already on the UK market certified to higher levels, for instance Flagstone Enhanced rated for TOP SECRET information - but this requires replacement of a laptop's hard disk with special hardware, which would be overkill for most users. Microsoft's BitLocker, included in some versions of its later operating systems, is (like PGP) only OK'd for RESTRICTED.

According to an MoD statement:

The DIPCOG is pleased to be working again with PGP Corporation, in order to exploit its famous capabilities for information security, and is looking forward to reviewing further [baseline CESG] approved products for adoption by the MoD.

This doesn't mean that PGP isn't any good. The MoD and its advisers from the intelligence community, rightly or wrongly, consider that government information from CONFIDENTIAL upwards might be a target for sophisticated nation-state spy organisations employing highly exotic attacks to get around disk encryption. Thus most security products using normal hardware tend to be limited to RESTRICTED.

But things which in many organisations would be seen as crown jewels - people's personal details, for instance - are classified RESTRICTED in the MoD (albeit usually with an added caveat, eg RESTRICTED STAFF or RESTRICTED MEDICAL, it's still only Level 3). Level 6 is stuff like the planned patrol area of Blighty's nuclear missile submarines.

Unless you think that the Russian FSB are going to lift your crypto keys right out of your RAM using a miracle Tempest probe from the next hotel room or something, PGP and similar solutions should be quite good enough. Arguably the MoD security apparat is being overly paranoid anyway - experience suggests that in fact nothing terribly interesting is normally to be found in MoD files even at the SECRET level, let alone CONFIDENTIAL, and maybe they could relax a bit. ®

Top 5 reasons to deploy VMware with Tegile

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.