Educause Security Discussion mailing list archives
Re: Laptop encryption experiences
From: Sherry Callahan <scallahan () KUMC EDU>
Date: Wed, 17 Nov 2010 14:28:34 -0600
We started with the 2006 Gartner Magic Quadrant for mobile encryption and reviewed every vendor offering that was in the Leader quadrant. At the time, it was Safeboot, PointSec, WinMagic and Utimaco. We also took a look at some outside of the Leader quadrant such as Mobile Armor, Credant and Trust Digital. I no longer have the matrix to share with you, but I do remember the main points that we were looking for (in addition to the usual annual costs, support offerings, installation volume, how long the company has been in existence, ability to deliver, etc.). That list included:

- support for multiple operating systems: Windows 32/64-bit, Macintosh, Linux, and even dual-boot capabilities
- extended encryption for removable media inserted into the device
- secure storage of keys
- had to encrypt the entire drive with minimum AES-128 encryption (encryption sits at pre-OS level)
- easy mechanism for a centralized admin group to recover lost keys or recover a drive in case of problems with the software (emergency decrypt)
- ease of installation and, preferably, a mechanism to "push" the software over the network
- centralized management; particularly, the ability to say with 100% certainty that a device was encrypted on that day if it were lost or stolen. If we didn't have this requirement because of HIPAA, we would have seriously considered Bitlocker or another free option
- seamless to the user (single sign-on) with adherence to University password policies
- we had an interest in two-factor authentication support, but it wasn't a requirement
- protection for hibernation\suspend
- ability to encrypt multiple drives in the same device
- must not be circumventable by the user
- good reporting capabilities

I hope you find this list useful! Most of the players that we looked at in 2006 have now been bought out by some of the larger players in the security market, so a comparison today would look much different than ours from 2006.
I can tell you, however, that we have been very pleased with our experiences with Safeboot\McAfee Endpoint and the purchase by McAfee has only made the product that much better. We can now use ePO to find devices that are not encrypted and can even push encryption to them via the McAfee client. Our laptops are configured to check into our ePO server no matter where they are in the world, so we always have up-to-date information on where they are and whether or not they are encrypted. In the case of a lost or stolen device with sensitive information on it, that can be a lifesaver.

Sherry
Shahra Meshkaty <meshkaty () SANDIEGO EDU> 11/15/2010 12:10 PM >>>
We are very much interested in FDE project but have a lot of push back due to complexities and concerns of our technical team. We have Computrace on all of our recent (as of 2 years) laptops. The suggestion for manual process is great. My question is which encryption product you reviewed and which passed the test of your comparison? Can you share matrix used in your pilot process-- is your solution cross platform, what about data integrity, restored experience with encrypted data?

From: Sherry Callahan <scallahan () KUMC EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Mon, 15 Nov 2010 09:07:34 -0800
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Laptop encryption experiences

We've been encrypting all of our laptops for four years and currently have approximately 2000 encrypted devices, including our medical students' tablets. One of the things that we grappled with initially was the same litmus test that you mentioned. Ultimately, we felt that we couldn't ensure that patient data or other sensitive information wouldn't end up on an unencrypted device, whether through user error or otherwise. The trade-off for the up-front effort to encrypt pays off on the back end in peace of mind and knowing that any data on the drive is protected.

When we began the encryption process, communication was an extremely important component because of the general unease that both technical and non-technical folks had with the new software. We also felt it was necessary to address the unease with a manual process at first: user signs up for an encryption appointment, brings in their laptop, it is backed up first, and then encrypted.

At the same time, we also installed CompuTrace (theft-tracking software) and, due to a couple of hiccups caused by these two software packages trying to reside side by side in the BIOS, there were a handful of times very early on when we were happy that we had the backups of the drive. But a handful is a small percentage of the total number of laptops that we touched and we haven't had these problems for several years. We are now pretty much hands off, since we can push upgrades to the encryption software from a central server (we're using Safeboot, dba McAfee Endpoint Encryption) and our folks are no longer scared of the technology.

Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966
Alan Bowen <abowenml () GMAIL COM> 11/15/2010 10:32 AM >>>
At TCNJ, we've been in the alpha/pilot phase of a laptop full disk encryption project for a very long time. We are grappling with the complexities and resource requirements for encrypting our entire laptop inventory. I'd like to know what types of parameters schools use for a "litmus test" to determine if a given laptop needs to be encrypted. Also, data on the number of laptops that have been encrypted over a time period, e.g. month or semester, would be very useful. Any extenuating circumstances or qualifiers outside of these questions would be much appreciated as well.

Thanks.
-Alan

--
Alan Bowen
Manager of IT Security
The College of New Jersey