Educause Security Discussion mailing list archives
Re: Full Disk Encryption Summary
From: "Peters, Kevin" <Kevin.Peters () OLC STATE OH US>
Date: Mon, 14 Jan 2008 13:29:31 -0500
Kevin:

One small note - The State of Ohio purchased Safeboot in December 2007, not 2008. Same for the CIO directive, 2007 not 2008. (I am sure it was a fat finger thing.)

Thanks for the data.

Kevin Peters
IT Manager
The Ohio Lottery

________________________________
From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, January 14, 2008 12:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Full Disk Encryption Summary

Hi:

I recently asked for responses as to what folks are doing in the Full Disk encryption or file/folder encryption space. I received numerous requests to provide a summary of my findings to the group. Here it is and a big thank you for those of you that responded!

At a high level the data breaks down like this:

Total Respondents: 23
How many respondents are using Full Disk Encryption (FDE): 21
How many respondents are using Folder Encryption: 3 (2 of these two offer both types)
How many respondents are using no encryption: 1

Here is a copy of the various feedback I received:

| Encryption Type | Reason |
|---|---|
| FDE | Ease of use and most secure |
| FDE - In Pilot | Most secure |
| FDE | Ease of use and most secure |
| FDE - In Pilot | Most secure |
| FDE - In Pilot | Most secure |
| FDE | Ease of use and most secure. "we are using whole disk encryption because I do not think it's reliable to expect users to use folder-based encryption." |
| FDE - In Research | Ease of use and most secure |
| None | "A wing and a prayer" to quote their Security guy |
| FDE - asked us to not go public with this yet as they are still in vendor negotiation | "Ease of use and ease of management. In operation, the encrypt/decrypt functions should be almost transparent to the user base, which we really, really need. Key recovery is very manageable for large, distributed environments." |
| FDE | "We chose full-disk (vs folder) to avoid there ever being a question about whether a file was in the protected folder or not (or in swap space, temp space, etc). Plus, ease of use is paramount to us - this approach required no change of habit by the user." |
| Folder Encryption | TrueCrypt is free but "we aren't sure anyone will actually take the time to use the encrypted folder we are giving them." |
| FDE | "The decision for folder vs. whole disk encryption was fairly easy for us. We wanted encryption to be as transparent as possible. With whole disk, the user doesn't have to remember to store sensitive information in a certain folder or volume. In addition, we could guarantee that none of the data on stolen\lost laptop that was encrypted could have been compromised, whereas you can't have a 100% guarantee with a partially encrypted device." HIPAA requires us to as well. |
| FDE | Ease of use and most secure. "The result is mitigation of data loss that can result from the loss or theft of a technology asset." |
| FDE | Ease of use and most secure. |
| FDE, Folder or File | "if no sensitive data found, no need for encryption; if data is found, get rid of it or encrypt" |
| Laptop Encryption (I think this meant FDE) | "My mandate is for laptops that hold university information "protected by privacy laws and rights... to be encrypted" |
| FDE | "Worry-free. We didn't want to depend on people's actions no matter how well intentioned." |
| FDE | "full disk encryption as our preferred method, to avoid cases where the end user may not store their sensitive files in the encrypted folders." |
| FDE - In Pilot | Ease of use and most secure. |
| FDE | Ease of use and most secure |
| FDE | "We decided against the encrypted folder option to keep it easier for laptop users." |
| FDE | PCI requirement |
| FDE | "during beta we found that users did not use folder encryption when it was provided to them". |
| FDE | Ease of use and most secure. |
| FDE solution just purchased | Governor Executive order requiring FDE issued in September 2007; CIO policy requiring FDE issued in October 2008 (note - as an institution of higher education we are not required to follow either of these edicts). An Ohio State administration rule that does not exclude Higher Education is in draft form for review at every state agency currently and it requires that all Restricted data be encrypted. December 2008 the State of Ohio began purchasing SafeBoot in order to mandate using FDE for ALL state agencies. |
| Currently discussing whether they will require encryption of all Researchers working on Federal grant research. | "Indications are that the answer to this question is going to be yes." |
| Encryption of Data is required | Folder encryption is acceptable if there is a business reason to use that architecture but FDE is optimal. |
| FDE | "I would like to see full disk encryption, as it fully protects our data" |
| Encryption is not a core requirement of FERPA but protection of the Student's records is. | "Our obligation under FERPA is to provide complete and comprehensive security of student educational records and personally identifiable information. Encryption as the most viable and transparent tool for faculty to meet this obligation." |

-Kevin

Kevin L. McLaughlin
CISM, CISSP, GIAC, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)