Educause Security Discussion mailing list archives

Re: Mobile Data - Protecting the University from unnecessary risk


From: "Buskill, Bruce M" <bbuskill () RADFORD EDU>
Date: Tue, 11 May 2010 08:04:00 -0400

<html><head><meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style></head>
<body>
<font size="2"><div class="PlainText">&quot;2a) Full Disk Encryption is only really useful when defending against some<br>
miscreant who has wandered off with your computer *while it's powered off*<br>
under his arm, taken it back to their den of iniquity, and powered it on and<br>
said &quot;OK, now what?&quot;. This is a very real and valid threat model for a laptop<br>
or small desktop, but probably not your ERP system, which is probably hardly<br>
ever powered down, and probably won't fit under a miscreant's arm without<br>
the assistance of a forklift.&quot;<br>
<br>
Excellent point. I would add that university desktops issued for home use are also excellent candidates for FDE, as a safeguard against theft.<br>
<br>
Stephen<br>
<br>
----- Original Message -----<br>
From: &quot;Valdis Kletnieks&quot; &lt;Valdis.Kletnieks () VT EDU&gt;<br>
To: SECURITY () LISTSERV EDUCAUSE EDU<br>
Sent: Tuesday, May 11, 2010 1:12:55 AM GMT -05:00 US/Canada Eastern<br>
Subject: Re: [SECURITY] Mobile Data - Protecting the University from unnecessary risk<br>
<br>
On Mon, 10 May 2010 21:53:07 EDT, randy marchany said:<br>
<br>
&gt; 2. This is significant in that as long as the system is booted up,<br>
&gt; your files are encrypted UNTIL they are accessed by a userid or<br>
&gt; process owned by a userid that has READ access to the files in<br>
&gt; question. World read access allows any userid to decrypt the file. A<br>
&gt; process running under your userid's privileges can decrypt any file<br>
&gt; you have read access to, and any malware running under your userid has<br>
&gt; that same access.<br>
<br>
Something that Randy implies, but a fair number of people need to be hit<br>
over the head with repeatedly till they get it:<br>
<br>
2a) Full Disk Encryption is only really useful when defending against some<br>
miscreant who has wandered off with your computer *while it's powered off*<br>
under his arm, taken it back to their den of iniquity, and powered it on and<br>
said &quot;OK, now what?&quot;. This is a very real and valid threat model for a laptop<br>
or small desktop, but probably not your ERP system, which is probably hardly<br>
ever powered down, and probably won't fit under a miscreant's arm without<br>
the assistance of a forklift.<br>
<br>
And yet, I've heard more than one tale of a misguided security person<br>
insisting that FDE be installed on the ERP system - resulting in the loss<br>
of 1 or 2 nines of reliability because at the next reboot, it did exactly<br>
what FDE will make it do - sit there and not mount the disk till it gets<br>
fed the magic word.&nbsp; Whoops.<br>
</div></font>
</body>
</html>

