Educause Security Discussion mailing list archives

Re: Laptop Encryption Software


From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Mon, 5 Mar 2007 10:39:21 -0700

Gary,

I'll touch on only one of your points for now: "why others were choosing commercial solutions over the native EFS". Not 
MS-bashing here, just pointing out some realities.

1) Without a PKI, XP allows you to turn your encrypted file into a digital brick. Looking to make the experience better 
from 2000 (where you had to designate a recovery agent before you could turn on EFS, but the default recovery agent was 
the domain administrator account and you couldn't change that without a Microsoft CA), Microsoft changed XP to allow 
turning on EFS without specifying a recovery agent. The first user to do that would likely be a Vice President, and 
then he'd forget his password and one of us would be looking for work elsewhere :) So the way key management works 
between 2000, XP and Vista varies significantly... And if you have all three in your organization, you'll need to work 
carefully if you use the Microsoft approach without a PKI.

2) The Payment Card Industry Data Security Standards specify, in version 1.1 section 3.4, that Active Directory may not 
be used to manage logical access to protected files. While this is a single regulation, it supports the more generally 
held notion that if you really want to protect sensitive information (and that's why you want the encryption, right?) 
you need to keep it secure from hackers and worms that operate within a user's logged-in session. This points toward 
using third-party or custom internal products.

So neither of these absolutely recommends against MS encryption, but there are some gotchas. Plus, since Bitlocker 
needs Vista and specific hardware, we've decided to do a third party approach to be more inclusive.

Steve


==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================
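The "digital brick" risk in point 1 above is easy to audit before it bites: the following PowerShell script, added here as an illustration and not code from the thread or from either author, lists EFS-encrypted files under a folder and flags those with no recovery certificate, which are the files that become unreadable if the user's EFS key is lost. It assumes a Windows host with cipher.exe, and the strings it matches in `cipher /c` output are an assumption about that tool's wording.

```powershell
# Added example: audit EFS-encrypted files and flag those without a recovery agent.
# Assumes Windows with cipher.exe; the matched output strings are an assumption.
param(
    [string]$Root = "$env:USERPROFILE\Documents"   # assumed audit root
)

function Get-EfsFiles {
    param([string]$Path)
    # The Encrypted attribute is set on every file EFS has encrypted.
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

function Test-HasRecoveryAgent {
    param([string]$File)
    # cipher /c prints the user certificates and the recovery certificates that can
    # decrypt the file; the exact "No recovery certificate found" text is assumed.
    $out = & cipher.exe /c $File 2>&1 | Out-String
    return ($out -notmatch 'No recovery certificate found')
}

$report = foreach ($f in Get-EfsFiles -Path $Root) {
    [pscustomobject]@{
        File             = $f.FullName
        HasRecoveryAgent = Test-HasRecoveryAgent -File $f.FullName
    }
}

$report | Format-Table -AutoSize

$atRisk = @($report | Where-Object { -not $_.HasRecoveryAgent })
if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) encrypted file(s) have no recovery agent."
    # cipher /x exports the current user's EFS certificate and private key to a PFX
    # so it can be escrowed; an administrator can create a recovery agent with cipher /r.
    Write-Warning "Back up the EFS key now, e.g.: cipher /x $env:USERPROFILE\efs-backup"
}
```

Run it as the user whose files you are checking, since `cipher /c` reports the certificates from that user's perspective.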
-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Monday, March 05, 2007 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop Encryption Software

Our sensitive data group just published a guideline requiring encryption for sensitive data.

http://www.jmu.edu/computing/sensitivedata/bestpractices.shtml

We are looking for a stopgap encryption solution so we have a mechanism that people can use to comply with the 
guideline.

We are recommending Windows EFS on Windows XP computers and a combination of EFS and Bitlocker on Vista computers for 
this purpose.

I was wondering why others were choosing commercial solutions over the native EFS and Bitlocker as the strategic 
solution for workstation encryption.

If you're using a commercial product, does it perform key escrow to a centralized server? Is it a standalone product or 
does it require existing infrastructure such as an Active Directory domain and/or Microsoft CA?

If you've purchased a commercial product for this purpose, would you be willing to send me the pricing you have 
obtained offline and the volume of licenses you had to purchase to get that price?

On a side note, what do you think of the ATA hard disk security feature (i.e. hard disk password)? Although it's not 
based on encryption, it looks to me to be a fairly strong protection mechanism short of someone able to read bare, 
disassembled disks.


thanks

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
