Educause Security Discussion mailing list archives

Re: Product request - Enterprise whole disk encryption for laptops


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 20 Jul 2006 15:29:10 +1200

Charlie Prothero wrote:

I always considered encryption an exercise in risk management.
The risk I am trying to prevent is that the theft of a
computer will expose the data to the casual criminal.  I
assume that someone serious about cracking the encrypted
files will simply resort to other, and much more effective
methods of ascertaining the correct passphrase.  So my
question is this, just how long could I expect a passphrase,
of at least 16 characters, composed of ONLY alpha-numeric
characters, to withstand the attack?

How about exam papers in preparation, or critical research results
(perhaps from a project with a commercial collaborator)?  If the former
gets exposed (as happened to one friend of mine two weeks before the
exam) it's a royal pita but not a disaster.  The latter could
conceivably be very costly for the university.

Again, it all comes down to getting people to think about the risks
associated with the data we handle on a day-to-day basis.

In the case of collaborative commercial research one would hope that the
company involved had negotiated an agreement with the department that
explicitly spelled out who was responsible for what and what minimum
standards of care were applicable.

We started doing this with anyone who required access to university data
a few years ago and we still get people (mostly vendors) surprised that
we want to know what standards they use on their desktop systems (AV,
Spyware etc.) and that we want to know what they are going to do if they
expose our data and that we want it all in writing!  E.g. our agreement
with Chubb who look after all the physical locks and keys in the University.

R
