Life after TrueCrypt
While speculation continues around the fate of popular disk encryption software TrueCrypt, Sophos conducted a survey of over 100 IT professionals regarding their use of encryption. including TrueCrypt.
Key findings:
- One-third of IT professionals that use cryptography use TrueCrypt in some fashion
- 68% of TrueCrypt users have used the software for business
- One-third of survey respondents use encryption provided by operating system vendors such as Microsoft’s BitLocker or Apple’s FileVault
- One third of survey respondents are using a commercial solution or are not sure what is being used
- The news surrounding TrueCrypt has made 64% of respondents think critically about encryption.
“In our survey one third of the respondents using crypto to protect their secrets used TrueCrypt, the same number who are using Microsoft’s BitLocker, Apple’s FileVault or Linux solutions like dm-crypt, yet 64% of the TrueCrypt users are reconsidering their trust in something from anonymous sources with no guarantees that it does what it say,” said Chester Wisniewski, senior security advisor at Sophos. “Considering that 94% think that certification and audits are either required, desired or can’t hurt I imagine a lot more people moving towards standards approved OS supplied cryptography moving forward.”
“Many TrueCrypt users appear to have been unaware of its unclear pedigree, and considering that 68% of TrueCrypt users use it in a business environment, it appears this situation has been a bit of a wake-up call, continued Wisniewski. Apple, Microsoft and other commercial players are unlikely to stop supporting integrated encryption moving forward, in fact they will likely double-down on their investment after the allegations being made by Edward Snowden. Thinking critically about not just your laptops, but servers, desktops, cloud and mobile devices could result in organizations making changes that strengthen their security stance resulting in a positive outcome from this whole incident.”
Sophos have put together 5 key recommendations for life after TrueCrypt:
- Use vetted, trusted, operating system-level encryption like Microsoft BitLocker and Mac FileVault. TrueCrypt was not using the latest technology, so now is a great time to move to compliant encryption standards.
- The real issue with business use of encryption has been key management. You need good key management that enables encryption beyond just full-disk on your laptops.
- Data isn’t only on your disks. Users are taking it everywhere, especially the cloud. Now’s a good time to reevaluate your data protection strategy to make sure you’re protecting data everywhere.
- Non-Windows platforms need encryption, including OS X, Android and iOS. And don’t forget any systems still running Windows XP, you’ll need to protect them too.
- A thumb drive or DVD can hold sensitive records too. You need to encrypt all your storage devices as well.
The survey was conducted by Sophos on June 5-9, 2014 on Spiceworks.