Re: Whole Disk Encryption Tools

[jack suess <jack () UMBC EDU>]

I'm curious is anyone is looking at Windows Vista and its Encrypted
file system. I know plans are in flux with VISTA (though it is
supposed to come out 1st quarter of 2007). I was thinking about this
and it looks to be an interesting solution.  It will integrate in AD
and can be mandated automatically through AD policies. It has the
ability to do a master password override and looks somewhat promising
to me.

I bring this up because I'm thinking that for some of the areas we
want to force encryption we might just push this as a first group to
be using vista. If for no other reason than Vista looks to have some
nice security enhancements. Saying that, if you have to roll this out
en-masse right now VISTA is not a solution. I'm just expecting that
rolling out encryption will be a multi-year effort on our campus and
as such VISTA might be the long-term solution.



jack suess


On Nov 9, 2006, at 10:19 AM, Steve Brukbacher wrote:

> We are currently going through an evaluation process for whole disk
> encryption.  The current candidates are Guardian Edge, Pointsec and
> Voltage, who OEM's (repackages) the Safeboot product.
>
> All three of them do about the same thing. The features are very
> similar.  Our technical team is reviewing them next.  They all
> allow for administrative recovery of data for a variety of
> scenarios.  They also create their own MBR independent of the
> Windows boot partition. There was some chatter about waiting for
> Vista Bitlocker, but I think it's better defense in depth to use a
> non-Windows product for this.  Plus this way we can use data from
> the management console to certify that the drive was encrypted in
> case of theft which helps if your state has a disclosure law like
> ours does.
>
> One downside to Pointsec is that the key exchange between the
> server and the clients happens over windows ports.  Since we block
> these at the edge, this will probably be a no go. So it's pretty
> much between guardian Edge and Voltage (Safeboot).
>
> I'm happy to share the requirement analysis spreadsheet we
> developed for the first round of information gathering.
>
> Now it's up to the tech staff to pick one.
>
> We're also evaluating asset recovery products. That's between the
> Absolute software product and CyberAngel.  Cyber Angel's pricing is
> better, plus they will allow us to resell this at a steep discount
> for personal devices.  The Absolute product is already built in to
> most modern Dell Bios' so we would simply need to purchase a
> license and we're off and running, but again, the pricing isn't as
> attractive here.
>
> --
> Steve Brukbacher, CISSP
> University of Wisconsin Milwaukee
> Information Security Coordinator
> UWM Computer Security Web Site
> www.security.uwm.edu
> Phone: 414.229.2224
>
>
>
> Penn, Blake wrote:
> > Computrace from Absolute Software (www.absolute.com) is an asset
> > recovery
> > product that is compatible with Utimaco's whole disk encryption if
> > you are
> > looking to do both.  It has a persistent BIOS-based agent to
> > survive hard
> > disk formatting and the like - pretty cool stuff.
> > ____________________________________________
> > Blake Penn, CISSP                             Information Security
> > Officer          University of Wisconsin-Whitewater
> > (p) 262-472-7792 (f) 262-472-1285
> > pennb () uww edu | http://www.uww.edu/security/ -----Original
> > Message-----
> > From: Krizi Trivisani [mailto:krizi () GWU EDU] Sent: Wednesday,
> > November 08, 2006 3:14 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Whole Disk Encryption Tools
> > Hi Kim,
> > At GW we are using Safeguard Easy (Utimaco product) for full-disk
> > encryption.  We just finished a successful pilot and have been
> > approved to
> > move forward with our phased enterprise roll-out.  Our first phase is
> > full-disk encryption of laptops for high risk users (target by end
> > of Feb;
> > approx. 700 laptops).  We will also be encrypting desktops in
> > Phases 2 and
> > 3.  Fortunately we have a mandate from our board of directors, so our
> > enforcement teeth are there.  Communications, training, awareness,
> > and
> > standards are critical success factors for us.  We are not using
> > an asset
> > recovery product at this time.
> > If you would like to talk off-line, please feel free to call me.
> > Cheers,
> > Krizi
> > *********************************
> > Krizi Trivisani, CISSP
> > Director of Systems Security Operations
> > Chief Security Officer
> > The George Washington University
> > 202/994-7803
> > krizi () gwu edu
> > ----- Original Message -----
> > From: "Logan, Kimberly (loganks)" <LOGANKS () UCMAIL UC EDU>
> > Date: Wednesday, November 8, 2006 3:58 pm
> > Subject: [SECURITY] Whole Disk Encryption Tools
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Hi Everyone,
> > >  University of Cincinnati is now looking at whole disk encryption
> > > tools.
> > > We are looking for a tool that will allow us to manage the keys.
> > > I'd like to know what those of you looking at or using whole disk
> > > encryption are using and why.  Also, does anyone know if there is
> > > one product that provides both whole disk encryption and asset
> > > recovery?
> > >  Thanks,
> > >  Kim
> > >  Kim Logan
> > > Information Security Officer
> > > University of Cincinnati
> > > (513)556-9070
> > > kim.logan () uc edu