Laptop Security Desiderata



This memo outlines a vision for security for Laptop Computers and details some of the security requirements that are derived from that vision.  If the vision proves to be valid, then the requirements can be used to search for a suitable security product.


People use laptop computers very differently from their desktop PCs.  Laptops face different risks and have different user expectations.  Hence, the security model for laptops will not be the same as that of a PC.  Some of the differences are:


·         A laptop is generally used by one person.  All the data on the laptop is usually ‘owned’ by that one user.  Data protection using Access Control Lists are generally not useful on laptops.  Files on laptops are generally not shared across the network by multiple people.  In contrast, the data on a desktop computer may be shared by many people.  Desktop computers often use ‘shares’ mounted on file servers.  Access Control Lists are more suitable for such situations.

·         The laptop will be used for a variety of different business and personal purposes.  Since the user can lug around only one laptop, they will tend to use it for multiple projects and also for occasional personal projects.  Users will install personal productivity tools, games, etc. and it will not be practical for the company to try to stop them.  Desktop computers are statically located in the office and are more often used for the intended business purpose.

·         Laptops are used by people ‘on the go’.  They are turned on and off more frequently, and therefore, there is a need for them to power up and power down without much delay.

·         Laptops are lost and stolen more often.  There is greater need for the sensitive data on laptops to be encrypted to prevent it from falling into the wrong hands.



Generic requirements

1.      The user impact of installing the security software should be minimal.  Besides requiring the user to enter a password, there should be no other significant change in the way the laptop is used and maintained.

2.      There should be no noticeable performance impact, i.e., applications should not run significantly slower.

3.      The encryption should work for the data files of all applications, both currently installed and future applications.

4.      Users should be able to install and deinstall their own favorite software

5.      It should be easy to install and setup the security software product.

6.      It should not be possible for the user to disable or deinstall the security product

7.      The laptop may occasionally be infected by a virus.  The security product should be virus resistant and should not damage the disk any more than the virus does.

8.      The security product should support compressed volumes.

9.      Users will occasionally run a tool to defragment disk space.  The security product should be defrag resistant.

10.  The security product should be exportable (out of country), and importable into most of the countries frequently visited by company staff.

11.  During power up, the product should maintain a low profile and not call attention to itself as an encyption product.  The same is true for screenlock and suspend/hibernation.



Basic security requirements:

1.      The user is not expected to manually encrypt or decrypt files.  Encryption/decryption should be done automatically and should be totally transparent to the user.  

2.      Encryption/decryption should not be performed on shutdown/boot.  Most users will not have the patience to suffer through an additional delay.

3.      The batteries on laptops may occasionally run out while the user is working.  The data should be safe and protected even if this happens.

4.      We prefer drive level encryption, which will encrypt the entire partition.

5.      The boot partition should be encryptable.  The \temp directory frequently resides on C:.  This directory may contain temporary files with sensitive data.

6.      Optionally, some additional disk partitions may be left unencrypted.

7.      On power up, the laptop should not boot until the proper password is entered.

8.      Screen lock should be integrated.  The screen lock password should be the same as the password required as boot time.

9.      The suspend/hibernate features should require the password when reactivating the system.  This is motivated by the fact that users don’t shutdown the laptop, they just close the cover and start traveling.

10.  Users should not be able to disable screenlock, or the suspend/hibernate lock.

11.  Users should not be able to loosen security settings.  However, the user may tighten the requirements as necessary.

12.  The security product should support the company policy for password qualification and complexity rules.

13.  The security product should support the company policy for password aging and prevent the reuse of the last few passwords.

14.  A company specific login banner should be displayed whenever a password is requested; i.e. during boot time, screenlock break, etc.

15.  The security product should protect against password guessing attacks.  One acceptable way is to increase the wait period between attempts.

16.  The security product should lock up the laptop after n bad password attempts.  This function should be supported wherever passwords are required: specifically at boot time, screenlock breaking and reactivation after suspend/hibernation.



Advanced security requirements

1.      There should be a password reset capability through the help desk, or through an administrator.  Users will occasionally forget their passwords.  They may be on the road and away from their office at that time.  The help desk should be able to reset the password over the phone after verifying the identity of the user and confirming that he owns the laptop.  The help desk should use a one time cookie to reset the password; i.e. the cookie cannot be reused after one use.

2.      Occasionally, a system maintenance person will need to access the laptop to repair or reconfigure it.  It would be preferable if the user did not have to reveal their secret password to the system maintenance person.  Instead the maintenance person should call the help desk and obtain a one time access password for the laptop.  The user’s password would not be changed.

3.      There should be a way for authorized staff to gain access to the laptop even without the user’s password.  This is useful if the user leaves the company and the manager needs access to the data on the laptop.

4.      To prevent unauthorized users from continuing to make use of the laptop, the security product should periodically require the user to connect to the corporate network and authenticate themselves to a central server.  This action will give the laptop a new ‘lease’ to continue to work for the next period.  The time period will be set to about 2 to 4 weeks.  The lease should be renewable by the help desk over the phone.  Without a ‘lease’ the software on the laptop will be effectively unusable.  This function protects against ex-employees that do not return their laptops.

5.      There should be a method for the security administrator to preselect a set of security settings and create an installation kit that can then be distributed to all laptop users.  Examples of security settings are: password qualification rules, encryption strength, login banner text, etc.

6.      The software product should support encryption for floppies and other removable media.  Note that it is not intended that the encrypted media will be sent to and decrypted by another user.  E-mail encryption will be used to address this need.

7.      On a few laptops that contain especially sensitive data, we would like to protect the data using two factor authentication.  Besides knowing the password for the laptop, the user should be in possession of the correct smart card token.

8.      After the user unlocks the laptop, the security product should automate the signing on of the user to various applications and domains.  In this capacity, the security product will be providing a ‘single signon’ functionality.



Communications security

1.      While traveling on the road, the user will need to communicate back to the home office via an analog modem.  The security product should encrypt the data being transmitted on the public line.  A standard encryption technique should be used (PPTP, L2TP, etc)

2.      While connected to a network, access to files on the laptop should be restricted.  This prevents unauthorized access to the encrypted data on the laptop.