Educause Security Discussion mailing list archives
Re: Whole Disk Encryption Tools
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 9 Nov 2006 14:20:48 -0700
We're taking a look into disk encryption options here and I have played a bit with BitLocker on a Vista test box (just stand-alone, haven't done AD integration with BitLocker). I think it's an appealing option, if your machines have TPM 1.2 chips. If they don't, it's a much more limited option.

Steve Riley gave a presentation on Vista security stuff at our Windows in Higher Education conference this past summer, including some good BitLocker info. He gave us permission to redistribute it here:
http://windows-hied.org/Conf2006/Riley_Vista_system_integrity.ppt

Michael Greene from MS did a BitLocker Q&A on behalf of higher ed and posted the transcript here:
http://blogs.technet.com/migreene/archive/2006/09/01/453142.aspx

Of course, the BitLocker webpage is a very useful source of info, particularly the pretty well done technical review:
http://www.microsoft.com/technet/windowsvista/security/bitlockr.mspx

It has its pros and cons. Most notably, it's a single OS solution (not just single platform) so it won't be the only solution for most campuses, and it's geared towards TPM so the hardware platform is limited at the moment. On the plus side, it's free (assuming you own Vista), seems well thought out, and has some AD backed management capability.

BTW: Thanks to everyone posting their thoughts on various apps, we've added some items on our list to check out.

Brad Judy
IT Security Office
Information Technology Services
University of Colorado at Boulder

-----Original Message-----
From: jack suess [mailto:jack () UMBC EDU]
Sent: Thursday, November 09, 2006 10:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption Tools

I'm curious if anyone is looking at Windows Vista and its Encrypted file system. I know plans are in flux with VISTA (though it is supposed to come out 1st quarter of 2007). I was thinking about this and it looks to be an interesting solution. It will integrate in AD and can be mandated automatically through AD policies. It has the ability to do a master password override and looks somewhat promising to me.

I bring this up because I'm thinking that for some of the areas we want to force encryption we might just push this as a first group to be using Vista. If for no other reason than Vista looks to have some nice security enhancements.

Saying that, if you have to roll this out en-masse right now VISTA is not a solution. I'm just expecting that rolling out encryption will be a multi-year effort on our campus and as such VISTA might be the long-term solution.

jack suess

On Nov 9, 2006, at 10:19 AM, Steve Brukbacher wrote:

We are currently going through an evaluation process for whole disk encryption. The current candidates are Guardian Edge, Pointsec and Voltage, who OEMs (repackages) the Safeboot product. All three of them do about the same thing. The features are very similar. Our technical team is reviewing them next.

They all allow for administrative recovery of data for a variety of scenarios. They also create their own MBR independent of the Windows boot partition. There was some chatter about waiting for Vista Bitlocker, but I think it's better defense in depth to use a non-Windows product for this. Plus this way we can use data from the management console to certify that the drive was encrypted in case of theft which helps if your state has a disclosure law like ours does.

One downside to Pointsec is that the key exchange between the server and the clients happens over Windows ports. Since we block these at the edge, this will probably be a no go. So it's pretty much between Guardian Edge and Voltage (Safeboot).

I'm happy to share the requirement analysis spreadsheet we developed for the first round of information gathering. Now it's up to the tech staff to pick one.

We're also evaluating asset recovery products. That's between the Absolute software product and CyberAngel. Cyber Angel's pricing is better, plus they will allow us to resell this at a steep discount for personal devices. The Absolute product is already built in to most modern Dell Bios' so we would simply need to purchase a license and we're off and running, but again, the pricing isn't as attractive here.

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224

Penn, Blake wrote:

Computrace from Absolute Software (www.absolute.com) is an asset recovery product that is compatible with Utimaco's whole disk encryption if you are looking to do both. It has a persistent BIOS-based agent to survive hard disk formatting and the like - pretty cool stuff.

____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792
(f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/

-----Original Message-----
From: Krizi Trivisani [mailto:krizi () GWU EDU]
Sent: Wednesday, November 08, 2006 3:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption Tools

Hi Kim,

At GW we are using Safeguard Easy (Utimaco product) for full-disk encryption. We just finished a successful pilot and have been approved to move forward with our phased enterprise roll-out. Our first phase is full-disk encryption of laptops for high risk users (target by end of Feb; approx. 700 laptops).

We will also be encrypting desktops in Phases 2 and 3. Fortunately we have a mandate from our board of directors, so our enforcement teeth are there. Communications, training, awareness, and standards are critical success factors for us.

We are not using an asset recovery product at this time.

If you would like to talk off-line, please feel free to call me.

Cheers,
Krizi

*********************************
Krizi Trivisani, CISSP
Director of Systems Security Operations
Chief Security Officer
The George Washington University
202/994-7803
krizi () gwu edu

----- Original Message -----
From: "Logan, Kimberly (loganks)" <LOGANKS () UCMAIL UC EDU>
Date: Wednesday, November 8, 2006 3:58 pm
Subject: [SECURITY] Whole Disk Encryption Tools
To: SECURITY () LISTSERV EDUCAUSE EDU

Hi Everyone,

University of Cincinnati is now looking at whole disk encryption tools. We are looking for a tool that will allow us to manage the keys. I'd like to know what those of you looking at or using whole disk encryption are using and why. Also, does anyone know if there is one product that provides both whole disk encryption and asset recovery?

Thanks,
Kim

Kim Logan
Information Security Officer
University of Cincinnati
(513)556-9070
kim.logan () uc edu