Educause Security Discussion mailing list archives

Full Disk Encryption Summary


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Mon, 14 Jan 2008 12:52:46 -0500

Hi:



I recently asked for responses as to what folks are doing in the Full Disk
encryption or file/folder encryption space.  I received numerous requests to
provide a summary of my findings to the group. Here it is and a big thank
you for those of you that responded!



At a high level the data breaks down like this:




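Total Respondents | How many respondents are using Full Disk Encryption (FDE) | How many respondents are using Folder Encryption | How many respondents are using no encryption
------------------|-----------------------------------------------------------|--------------------------------------------------|---------------------------------------------
23 | 21 | 3 (2 of these offer both types) | 1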



Here is a copy of the various feedback I received:




Encryption Type | Reason
----------------|-------
FDE | Ease of use and most secure
FDE - In Pilot | Most secure
FDE | Ease of use and most secure
FDE - In Pilot | Most secure
FDE - In Pilot | Most secure
FDE | Ease of use and most secure. "we are using whole disk encryption because I do not think it's reliable to expect users to use folder-based encryption."
FDE - In Research | Ease of use and most secure
None | "A wing and a prayer" to quote their Security guy
FDE - asked us to not go public with this yet as they are still in vendor negotiation | "Ease of use and ease of management. In operation, the encrypt/decrypt functions should be almost transparent to the user base, which we really, really need. Key recovery is very manageable for large, distributed environments."
FDE | "We chose full-disk (vs folder) to avoid there ever being a question about whether a file was in the protected folder or not (or in swap space, temp space, etc). Plus, ease of use is paramount to us - this approach required no change of habit by the user."
Folder Encryption | TrueCrypt is free but "we aren't sure anyone will actually take the time to use the encrypted folder we are giving them."
FDE | "The decision for folder vs. whole disk encryption was fairly easy for us. We wanted encryption to be as transparent as possible. With whole disk, the user doesn't have to remember to store sensitive information in a certain folder or volume. In addition, we could guarantee that none of the data on stolen\lost laptop that was encrypted could have been compromised, whereas you can't have a 100% guarantee with a partially encrypted device." HIPAA requires us to as well.
FDE | Ease of use and most secure. "The result is mitigation of data loss that can result from the loss or theft of a technology asset."
FDE | Ease of use and most secure.
FDE, Folder or File | "if no sensitive data found, no need for encryption; if data is found, get rid of it or encrypt"
Laptop Encryption (I think this meant FDE) | "My mandate is for laptops that hold university information 'protected by privacy laws and rights' to be encrypted"
FDE | "Worry-free. We didn't want to depend on people's actions no matter how well intentioned."
FDE | "full disk encryption as our preferred method, to avoid cases where the enduser may not store their sensitive files in the encrypted folders."
FDE - In Pilot | Ease of use and most secure.
FDE | Ease of use and most secure
FDE | "We decided against the encrypted folder option to keep it easier for laptop users."
FDE | PCI requirement
FDE | "during beta we found that users did not use folder encryption when it was provided to them".
FDE | Ease of use and most secure.
FDE solution just purchased | Governor Executive order requiring FDE issued in September 2007; CIO policy requiring FDE issued in October 2008 (note - as an institution of higher education we are not required to follow either of these edicts). An Ohio State administration rule that does not exclude Higher Education is in draft form for review at every state agency currently and it requires that all Restricted data be encrypted. December 2008 the State of Ohio began purchasing SafeBoot in order to mandate using FDE for ALL state agencies.
Currently discussing whether they will require encryption of all Researchers working on Federal grant research. | "Indications are that the answer to this question is going to be yes."
Encryption of Data is required | Folder encryption is acceptable if there is a business reason to use that architecture but FDE is optimal.
FDE | "I would like to see full disk encryption, as it fully protects our data"
Encryption is not a core requirement of FERPA but protection of the Student's records is. | "Our obligation under FERPA is to provide complete and comprehensive security of student educational records and personally identifiable information. Encryption is the most viable and transparent tool for faculty to meet this obligation."

                





-Kevin



Kevin L. McLaughlin

CISM, CISSP, GIAC,PMP, ITIL Master Certified

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

513-558-ISEC (department)




