Educause Security Discussion mailing list archives
Re: Mobile Data - Protecting the University from unnecessary risk
From: "Stephen C. Gay" <sgay () KENNESAW EDU>
Date: Tue, 11 May 2010 06:38:26 -0400
"2a) Full Disk Encryption is only really useful when defending against some miscreant who has wandered off with your computer *while it's powered off* under his arm, taken it back to their den of iniquity, and powered it on and said "OK, now what?". This is a very real and valid threat model for a laptop or small desktop, but probably not your ERP system, which is probably hardly ever powered down, and probably won't fit under a miscreant's arm without the assistance of a forklift."

Excellent point. I would add that university desktops issued for home use are also excellent candidates for FDE, as a safeguard against theft.

Stephen

----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks () VT EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Tuesday, May 11, 2010 1:12:55 AM GMT -05:00 US/Canada Eastern
Subject: Re: [SECURITY] Mobile Data - Protecting the University from unnecessary risk

On Mon, 10 May 2010 21:53:07 EDT, randy marchany said:
2. This is significant in that as long as the system is booted up, your files are encrypted UNTIL they are accessed by a userid or process owned by a userid that has READ access to the files in question. World read access allows any userid to decrypt the file. A process running under your userid's privileges can decrypt any file you have read access to, and any malware running under your userid has that same access.
Something that Randy implies, but a fair number of people need to be hit over the head with repeatedly till they get it:

2a) Full Disk Encryption is only really useful when defending against some miscreant who has wandered off with your computer *while it's powered off* under his arm, taken it back to their den of iniquity, and powered it on and said "OK, now what?". This is a very real and valid threat model for a laptop or small desktop, but probably not your ERP system, which is probably hardly ever powered down, and probably won't fit under a miscreant's arm without the assistance of a forklift.

And yet, I've heard more than one tale of a misguided security person insisting that FDE be installed on the ERP system - resulting in the loss of 1 or 2 nines of reliability because at the next reboot, it did exactly what FDE will make it do - sit there and not mount the disk till it gets fed the magic word. Whoops.