Educause Security Discussion mailing list archives

Re: Full Disk Encryption Summary


From: "Peters, Kevin" <Kevin.Peters () OLC STATE OH US>
Date: Mon, 14 Jan 2008 13:29:31 -0500

Kevin:

 

One small note - The State of Ohio purchased Safeboot in December 2007,
not 2008.  Same for the CIO directive, 2007 not 2008.  (I am sure it was
a fat finger thing.)

 

Thanks for the data.

 

Kevin Peters

IT Manager

The Ohio Lottery

________________________________

From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU] 
Sent: Monday, January 14, 2008 12:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Full Disk Encryption Summary

 

Hi:

 

I recently asked for responses as to what folks are doing in the Full
Disk encryption or file/folder encryption space.  I received numerous
requests to provide a summary of my findings to the group. Here it is
and a big thank you for those of you that responded!

 

At a high level the data breaks down like this:

 

Total Respondents: 23

How many respondents are using Full Disk Encryption (FDE): 21

How many respondents are using Folder Encryption: 3 (2 of these two offer both types)

How many respondents are using no encryption: 1

 

Here is a copy of the various feedback I received:

 

Encryption Type: FDE
Reason: Ease of use and most secure

Encryption Type: FDE - In Pilot
Reason: Most secure

Encryption Type: FDE
Reason: Ease of use and most secure

Encryption Type: FDE - In Pilot
Reason: Most secure

Encryption Type: FDE - In Pilot
Reason: Most secure

Encryption Type: FDE
Reason: Ease of use and most secure. "we are using whole disk encryption
because I do not think it's reliable to expect users to use folder-based
encryption."

Encryption Type: FDE - In Research
Reason: Ease of use and most secure

Encryption Type: None
Reason: "A wing and a prayer" to quote their Security guy

Encryption Type: FDE - asked us to not go public with this yet as they
are still in vendor negotiation
Reason: "Ease of use and ease of management. In operation, the
encrypt/decrypt functions should be almost transparent to the user base,
which we really, really need. Key recovery is very manageable for large,
distributed environments."

Encryption Type: FDE
Reason: "We chose full-disk (vs folder) to avoid there ever being a
question about whether a file was in the protected folder or not (or in
swap space, temp space, etc). Plus, ease of use is paramount to us - this
approach required no change of habit by the user."

Encryption Type: Folder Encryption
Reason: TrueCrypt is free but "we aren't sure anyone will actually take
the time to use the encrypted folder we are giving them."

Encryption Type: FDE
Reason: "The decision for folder vs. whole disk encryption was fairly
easy for us. We wanted encryption to be as transparent as possible. With
whole disk, the user doesn't have to remember to store sensitive
information in a certain folder or volume. In addition, we could
guarantee that none of the data on stolen\lost laptop that was encrypted
could have been compromised, whereas you can't have a 100% guarantee with
a partially encrypted device." HIPAA requires us to as well.

Encryption Type: FDE
Reason: Ease of use and most secure. "The result is mitigation of data
loss that can result from the loss or theft of a technology asset."

Encryption Type: FDE
Reason: Ease of use and most secure.

Encryption Type: FDE, Folder or File
Reason: "if no sensitive data found, no need for encryption; if data is
found, get rid of it or encrypt"

Encryption Type: Laptop Encryption (I think this meant FDE)
Reason: "My mandate is for laptops that hold university information
"protected by privacy laws and rights... to be encrypted"

Encryption Type: FDE
Reason: "Worry-free. We didn't want to depend on people's actions no
matter how well intentioned."

Encryption Type: FDE
Reason: "full disk encryption as our preferred method, to avoid cases
where the end user may not store their sensitive files in the encrypted
folders."

Encryption Type: FDE - In Pilot
Reason: Ease of use and most secure.

Encryption Type: FDE
Reason: Ease of use and most secure

Encryption Type: FDE
Reason: "We decided against the encrypted folder option to keep it easier
for laptop users."

Encryption Type: FDE
Reason: PCI requirement

Encryption Type: FDE
Reason: "during beta we found that users did not use folder encryption
when it was provided to them".

Encryption Type: FDE
Reason: Ease of use and most secure.

Encryption Type: FDE solution just purchased
Reason: Governor Executive order requiring FDE issued in September 2007;
CIO policy requiring FDE issued in October 2008 (note - as an institution
of higher education we are not required to follow either of these edicts).
An Ohio State administration rule that does not exclude Higher Education
is in draft form for review at every state agency currently and it
requires that all Restricted data be encrypted. December 2008 the State
of Ohio began purchasing SafeBoot in order to mandate using FDE for ALL
state agencies.

Encryption Type: Currently discussing whether they will require
encryption of all Researchers working on Federal grant research.
Reason: "Indications are that the answer to this question is going to be
yes."

Encryption Type: Encryption of Data is required
Reason: Folder encryption is acceptable if there is a business reason to
use that architecture but FDE is optimal.

Encryption Type: FDE
Reason: "I would like to see full disk encryption, as it fully protects
our data"

Encryption Type: Encryption is not a core requirement of FERPA but
protection of the Student's records is.
Reason: "Our obligation under FERPA is to provide complete and
comprehensive security of student educational records and personally
identifiable information. Encryption as the most viable and transparent
tool for faculty to meet this obligation."

 

 

 

 

-Kevin

 

Kevin L. McLaughlin

CISM, CISSP, GIAC, PMP, ITIL Master Certified

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

513-558-ISEC (department)

 

 

  

 

