Educause Security Discussion mailing list archives

Re: Whole Disk Encryption Tools


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 9 Nov 2006 14:20:48 -0700

We're taking a look into disk encryption options here and I have played
a bit with BitLocker on a Vista test box (just stand-alone, haven't done
AD integration with BitLocker).  I think it's an appealing option, if
your machines have TPM 1.2 chips.  If they don't, it's a much more
limited option.  

Steve Riley gave a presentation on Vista security stuff at our Windows
in Higher Education conference this past summer, including some good
BitLocker info.  He gave us permission to redistribute it here:
http://windows-hied.org/Conf2006/Riley_Vista_system_integrity.ppt

Michael Greene from MS did a BitLocker Q&A on behalf of higher ed and
posted the transcript here:
http://blogs.technet.com/migreene/archive/2006/09/01/453142.aspx

Of course, the BitLocker webpage is a very useful source of info,
particularly the pretty well done technical review:
http://www.microsoft.com/technet/windowsvista/security/bitlockr.mspx

It has its pros and cons.  Most notably, it's a single OS solution (not
just single platform) so it won't be the only solution for most
campuses, and it's geared towards TPM so the hardware platform is
limited at the moment.  On the plus side, it's free (assuming you own
Vista), seems well thought out, and has some AD backed management
capability.  

BTW: Thanks to everyone posting their thoughts on various apps, we've
added some items on our list to check out.  

Brad Judy

IT Security Office
Information Technology Services
University of Colorado at Boulder

-----Original Message-----
From: jack suess [mailto:jack () UMBC EDU] 
Sent: Thursday, November 09, 2006 10:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption Tools

I'm curious if anyone is looking at Windows Vista and its 
Encrypted file system. I know plans are in flux with VISTA 
(though it is supposed to come out 1st quarter of 2007). I 
was thinking about this and it looks to be an interesting 
solution.  It will integrate in AD and can be mandated 
automatically through AD policies. It has the ability to do a 
master password override and looks somewhat promising to me.

I bring this up because I'm thinking that for some of the 
areas we want to force encryption we might just push this as 
a first group to be using vista. If for no other reason than 
Vista looks to have some nice security enhancements. Saying 
that, if you have to roll this out en-masse right now VISTA 
is not a solution. I'm just expecting that rolling out 
encryption will be a multi-year effort on our campus and as 
such VISTA might be the long-term solution.



jack suess


On Nov 9, 2006, at 10:19 AM, Steve Brukbacher wrote:

We are currently going through an evaluation process for whole disk 
encryption.  The current candidates are Guardian Edge, Pointsec and 
Voltage, who OEMs (repackages) the Safeboot product.

All three of them do about the same thing. The features are very
similar.  Our technical team is reviewing them next.  They all allow
for administrative recovery of data for a variety of scenarios.  They
also create their own MBR independent of the Windows boot partition.
There was some chatter about waiting for Vista Bitlocker, but I think
it's better defense in depth to use a non-Windows product for this.
Plus this way we can use data from the management console to certify
that the drive was encrypted in case of theft which helps if your
state has a disclosure law like ours does.

One downside to Pointsec is that the key exchange between the server
and the clients happens over Windows ports.  Since we block these at
the edge, this will probably be a no go. So it's pretty much between
Guardian Edge and Voltage (Safeboot).

I'm happy to share the requirement analysis spreadsheet we developed
for the first round of information gathering.

Now it's up to the tech staff to pick one.

We're also evaluating asset recovery products. That's between the
Absolute software product and CyberAngel.  CyberAngel's pricing is
better, plus they will allow us to resell this at a steep discount for
personal devices.  The Absolute product is already built in to most
modern Dell BIOSes so we would simply need to purchase a license and
we're off and running, but again, the pricing isn't as attractive
here.

-- 
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224



Penn, Blake wrote:
Computrace from Absolute Software (www.absolute.com) is an asset recovery
product that is compatible with Utimaco's whole disk encryption if you are
looking to do both.  It has a persistent BIOS-based agent to survive hard
disk formatting and the like - pretty cool stuff.
____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/

-----Original Message-----
From: Krizi Trivisani [mailto:krizi () GWU EDU]
Sent: Wednesday, November 08, 2006 3:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption Tools

Hi Kim,

At GW we are using Safeguard Easy (Utimaco product) for full-disk
encryption.  We just finished a successful pilot and have been approved to
move forward with our phased enterprise roll-out.  Our first phase is
full-disk encryption of laptops for high risk users (target by end of Feb;
approx. 700 laptops).  We will also be encrypting desktops in Phases 2 and
3.  Fortunately we have a mandate from our board of directors, so our
enforcement teeth are there.  Communications, training, awareness, and
standards are critical success factors for us.  We are not using an asset
recovery product at this time.

If you would like to talk off-line, please feel free to call me.

Cheers,
Krizi
*********************************
Krizi Trivisani, CISSP
Director of Systems Security Operations
Chief Security Officer
The George Washington University
202/994-7803
krizi () gwu edu

----- Original Message -----
From: "Logan, Kimberly (loganks)" <LOGANKS () UCMAIL UC EDU>
Date: Wednesday, November 8, 2006 3:58 pm
Subject: [SECURITY] Whole Disk Encryption Tools
To: SECURITY () LISTSERV EDUCAUSE EDU

Hi Everyone,

University of Cincinnati is now looking at whole disk encryption tools.
We are looking for a tool that will allow us to manage the keys.
I'd like to know what those of you looking at or using whole disk
encryption are using and why.  Also, does anyone know if there is
one product that provides both whole disk encryption and asset
recovery?

Thanks,
Kim

Kim Logan
Information Security Officer
University of Cincinnati
(513)556-9070
kim.logan () uc edu


