Educause Security Discussion mailing list archives
Re: Whole Disk Encryption Tools
From: jack suess <jack () UMBC EDU>
Date: Thu, 9 Nov 2006 12:00:16 -0500
I'm curious is anyone is looking at Windows Vista and its Encrypted file system. I know plans are in flux with VISTA (though it is supposed to come out 1st quarter of 2007). I was thinking about this and it looks to be an interesting solution. It will integrate in AD and can be mandated automatically through AD policies. It has the ability to do a master password override and looks somewhat promising to me. I bring this up because I'm thinking that for some of the areas we want to force encryption we might just push this as a first group to be using vista. If for no other reason than Vista looks to have some nice security enhancements. Saying that, if you have to roll this out en-masse right now VISTA is not a solution. I'm just expecting that rolling out encryption will be a multi-year effort on our campus and as such VISTA might be the long-term solution. jack suess On Nov 9, 2006, at 10:19 AM, Steve Brukbacher wrote:
We are currently going through an evaluation process for whole disk encryption. The current candidates are Guardian Edge, Pointsec and Voltage, who OEM's (repackages) the Safeboot product. All three of them do about the same thing. The features are very similar. Our technical team is reviewing them next. They all allow for administrative recovery of data for a variety of scenarios. They also create their own MBR independent of the Windows boot partition. There was some chatter about waiting for Vista Bitlocker, but I think it's better defense in depth to use a non-Windows product for this. Plus this way we can use data from the management console to certify that the drive was encrypted in case of theft which helps if your state has a disclosure law like ours does. One downside to Pointsec is that the key exchange between the server and the clients happens over windows ports. Since we block these at the edge, this will probably be a no go. So it's pretty much between guardian Edge and Voltage (Safeboot). I'm happy to share the requirement analysis spreadsheet we developed for the first round of information gathering. Now it's up to the tech staff to pick one. We're also evaluating asset recovery products. That's between the Absolute software product and CyberAngel. Cyber Angel's pricing is better, plus they will allow us to resell this at a steep discount for personal devices. The Absolute product is already built in to most modern Dell Bios' so we would simply need to purchase a license and we're off and running, but again, the pricing isn't as attractive here. -- Steve Brukbacher, CISSP University of Wisconsin Milwaukee Information Security Coordinator UWM Computer Security Web Site www.security.uwm.edu Phone: 414.229.2224 Penn, Blake wrote:Computrace from Absolute Software (www.absolute.com) is an asset recovery product that is compatible with Utimaco's whole disk encryption if you are looking to do both. It has a persistent BIOS-based agent to survive hard disk formatting and the like - pretty cool stuff. ____________________________________________ Blake Penn, CISSP Information Security Officer University of Wisconsin-Whitewater (p) 262-472-7792 (f) 262-472-1285 pennb () uww edu | http://www.uww.edu/security/ -----Original Message----- From: Krizi Trivisani [mailto:krizi () GWU EDU] Sent: Wednesday, November 08, 2006 3:14 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Whole Disk Encryption Tools Hi Kim, At GW we are using Safeguard Easy (Utimaco product) for full-disk encryption. We just finished a successful pilot and have been approved to move forward with our phased enterprise roll-out. Our first phase is full-disk encryption of laptops for high risk users (target by end of Feb; approx. 700 laptops). We will also be encrypting desktops in Phases 2 and 3. Fortunately we have a mandate from our board of directors, so our enforcement teeth are there. Communications, training, awareness, and standards are critical success factors for us. We are not using an asset recovery product at this time. If you would like to talk off-line, please feel free to call me. Cheers, Krizi ********************************* Krizi Trivisani, CISSP Director of Systems Security Operations Chief Security Officer The George Washington University 202/994-7803 krizi () gwu edu ----- Original Message ----- From: "Logan, Kimberly (loganks)" <LOGANKS () UCMAIL UC EDU> Date: Wednesday, November 8, 2006 3:58 pm Subject: [SECURITY] Whole Disk Encryption Tools To: SECURITY () LISTSERV EDUCAUSE EDUHi Everyone, University of Cincinnati is now looking at whole disk encryption tools. We are looking for a tool that will allow us to manage the keys. I'd like to know what those of you looking at or using whole disk encryption are using and why. Also, does anyone know if there is one product that provides both whole disk encryption and asset recovery? Thanks, Kim Kim Logan Information Security Officer University of Cincinnati (513)556-9070 kim.logan () uc edu
Current thread:
- Whole Disk Encryption Tools Logan, Kimberly (loganks) (Nov 08)
- <Possible follow-ups>
- Re: Whole Disk Encryption Tools Krizi Trivisani (Nov 08)
- Re: Whole Disk Encryption Tools Bob Kehr (Nov 08)
- Re: Whole Disk Encryption Tools Gary Dobbins (Nov 08)
- Re: Whole Disk Encryption Tools Penn, Blake (Nov 09)
- Re: Whole Disk Encryption Tools Steve Brukbacher (Nov 09)
- Re: Whole Disk Encryption Tools Logan, Kimberly (loganks) (Nov 09)
- Re: Whole Disk Encryption Tools jack suess (Nov 09)
- Re: Whole Disk Encryption Tools Chris Green (Nov 09)
- Re: Whole Disk Encryption Tools Krizi Trivisani (Nov 09)
- Re: Whole Disk Encryption Tools Brad Judy (Nov 09)
- Re: Whole Disk Encryption Tools Jack Suess (Nov 09)
- Re: Whole Disk Encryption Tools Bob Ono (Nov 10)
- Re: Whole Disk Encryption Tools Clifford Collins (Nov 10)
- Re: Whole Disk Encryption Tools George Farah (Nov 10)
- Re: Whole Disk Encryption Tools Curt Wilson (Nov 13)