Educause Security Discussion mailing list archives

Re: Laptop encryption experiences


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Tue, 16 Nov 2010 14:00:31 -0500

Hi Randy,

That would be a Yes for NY Law - I break encryption down into two types

Static encryption - that would be FDE which is a compliance measure, not a security measure ... I get to say this at every meeting about securing sensitive data and it seems to be the hardest thing for people to understand. A machine with FDE is just as vulnerable to having its data compromised as a machine without as long as the machine is up and running.

Dynamic encryption - that would be encryption of either individual data elements (i.e. the SSN field in a database) or encryption of files containing sensitive data - the exposure here is that when the files are being used, the data is vulnerable, but you have reduced the exposure window (mitigated the risk in audit speak).

We are using both - we use a FDE (GuardianEdge, now Symantec endpoint data protection) product to encrypt the disk to protect us from compliance problems and walking machines and external datastores. We use truecrypt and other dynamic encryption tools to secure the data when it's not being used to try and provide some security.

The best tool we have is CUSpider - find the data and delete it unless the manager swears on a stack of bibles that they really need it to do their jobs.

My 2 cents.

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
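The "find the data" step described above, as an added illustration that is not CUSpider's or Cornell Spider's code: a hypothetical Python scanner that walks a directory, matches SSN-shaped tokens and discards the ones the SSA never issues, so the report is a list of files someone has to justify keeping. The sample file names and contents are constructed, and the scanner only reads files as text.

```python
# Hypothetical SSN finder (added example, not CUSpider/Cornell Spider code).
import os
import re
import tempfile
from pathlib import Path
from typing import Dict

# Candidate shapes: 123-45-6789 or 123456789, not glued to other digits/hyphens.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-?(\d{2})-?(\d{4})(?![\d-])")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues; this cuts the obvious false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:          # never-assigned area numbers
        return False
    if int(group) == 0 or int(serial) == 0:     # zero group/serial never issued
        return False
    return (area, group, serial) != ("078", "05", "1120")  # famous ad number

def scan_text(text: str) -> int:
    """Count plausible SSNs in a chunk of text."""
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))

def scan_tree(root: str, max_bytes: int = 10_000_000) -> Dict[str, int]:
    """Map relative posix path -> hit count for every file holding an SSN."""
    hits: Dict[str, int] = {}
    for p in Path(root).rglob("*"):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        try:
            n = scan_text(p.read_text(errors="ignore"))
        except OSError:
            continue
        if n:
            hits[p.relative_to(root).as_posix()] = n
    return hits

def demo() -> Dict[str, int]:
    """Scan a constructed sample tree: one roster with real-looking SSNs,
    one notes file full of look-alikes that the validity rules should reject."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "hr"))
    Path(root, "hr", "roster.txt").write_text(
        "Jane Doe 123-45-6789\nJohn Roe 456789012\norder id 9876543210\n")
    Path(root, "notes.txt").write_text(
        "000-12-3456 666-12-3456 078-05-1120 phone 212 854 3033\n")
    return scan_tree(root)

if __name__ == "__main__": print(demo())
```

Running `demo()` reports only `hr/roster.txt` with two hits; the ten-digit order id and the never-issued numbers in `notes.txt` are ignored.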


--On Tuesday, November 16, 2010 1:37 PM -0500 randy marchany <marchany () VT EDU> wrote:

Alison, you hit on my point about FDE? Is it really compliance? It seems to
me that FDE complies with the MA law only if the laptop is powered off. Does
FDE comply when you're using the computer? Not familiar with the MA wording
so that's why I'm asking. Do you need some other encryption tool (truecrypt,
PGP Netshare, GPG, etc.) to be compliant when the machine is in use?

-r.

On Tue, Nov 16, 2010 at 7:29 AM, Allison F Dolan <adolan () mit edu> wrote:

Rich - one reason to consider FDE is compliance related - in Massachusetts,
there is a regulatory requirement to encrypt personal data on laptops (and
other portable devices) and in other states, if the lost/stolen laptop has
been encrypted, then you don't need to notify

......Allison Dolan (617-252-1461)
