Educause Security Discussion mailing list archives
Re: Laptop encryption experiences
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Tue, 16 Nov 2010 14:00:31 -0500
Hi Randy,

That would be a Yes for NY Law - I break encryption down into two types:

Static encryption - that would be FDE which is a compliance measure, not a security measure ... I get to say this at every meeting about securing sensitive data and it seems to be the hardest thing for people to understand. A machine with FDE is just as vulnerable to having its data compromised as a machine without as long as the machine is up and running.
Dynamic encryption - that would be encryption of either individual data elements (i.e. the SSN field in a database) or encryption of files containing sensitive data - the exposure here is that when the files are being used, the data is vulnerable, but you have reduced the exposure window (mitigated the risk in audit speak).
We are using both - we use an FDE (GuardianEdge, now Symantec endpoint data protection) product to encrypt the disk to protect us from compliance problems and walking machines and external datastores. We use TrueCrypt and other dynamic encryption tools to secure the data when it's not being used to try and provide some security.
The best tool we have is CUSpider - find the data and delete it unless the manager swears on a stack of bibles that they really need it to do their jobs.

My 2 cents.

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

--On Tuesday, November 16, 2010 1:37 PM -0500 randy marchany <marchany () VT EDU> wrote:
Allison, you hit on my point about FDE? Is it really compliance? It seems to me that FDE complies with the MA law only if the laptop is powered off. Does FDE comply when you're using the computer? Not familiar with the MA wording so that's why I'm asking. Do you need some other encryption tool (TrueCrypt, PGP Netshare, GPG, etc.) to be compliant when the machine is in use?

-r.

On Tue, Nov 16, 2010 at 7:29 AM, Allison F Dolan <adolan () mit edu> wrote:

Rich - one reason to consider FDE is compliance related - in Massachusetts, there is a regulatory requirement to encrypt personal data on laptops (and other portable devices) and in other states, if the lost/stolen laptop has been encrypted, then you don't need to notify ......Allison Dolan (617-252-1461)