Educause Security Discussion mailing list archives

Re: Whole Disk Encryption Tools


From: Bob Ono <raono () UCDAVIS EDU>
Date: Fri, 10 Nov 2006 08:13:00 -0800

The University of California has agreements with Pointsec Mobile Technologies and Credant Technology for encryption 
solutions. UC Davis is in the process of implementing Pointsec solutions. Pointsec was selected by UC Davis as it 
supports whole disk encryption, a central key escrow function, a helpdesk function and extends product coverage to 
Windows, Linux, smartphones and portable/USB drives. 
 
BitLocker looks attractive but broad campus use of Vista OS and TPM 1.2 is likely several years away. During early 
BitLocker deployments - perhaps without AD integration - considerations for safeguarding the recovery password are 
essential to ensure recoverability and preserve access to institutional data. 
 
BitLocker could be a long-term encryption strategy if the primary encryption targets are only systems running Vista and 
AD integration is part of the strategy. Alternatively, an encryption strategy could focus on the use of BitLocker for 
Vista systems and other encryption solutions for non-Vista systems. Downsides to this latter approach may be user 
confusion over options and increased support costs - though the increased support costs are balanced against the 
inclusion of BitLocker functionality with Vista. 
 
Bob    
 
Robert A. Ono, CISSP
IT Security Coordinator
University of California, Davis
530-757-5795

________________________________

From: jack suess [mailto:jack () UMBC EDU]
Sent: Thu 11/9/2006 9:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption Tools



I'm curious if anyone is looking at Windows Vista and its Encrypted 
file system. I know plans are in flux with VISTA (though it is 
supposed to come out 1st quarter of 2007). I was thinking about this 
and it looks to be an interesting solution.  It will integrate in AD 
and can be mandated automatically through AD policies. It has the 
ability to do a master password override and looks somewhat promising 
to me.

I bring this up because I'm thinking that for some of the areas we 
want to force encryption we might just push this as a first group to 
be using vista. If for no other reason than Vista looks to have some 
nice security enhancements. Saying that, if you have to roll this out 
en masse right now, VISTA is not a solution. I'm just expecting that 
rolling out encryption will be a multi-year effort on our campus and 
as such VISTA might be the long-term solution.



jack suess


On Nov 9, 2006, at 10:19 AM, Steve Brukbacher wrote:

We are currently going through an evaluation process for whole disk 
encryption.  The current candidates are Guardian Edge, Pointsec and 
Voltage, who OEMs (repackages) the Safeboot product.

All three of them do about the same thing. The features are very 
similar.  Our technical team is reviewing them next.  They all 
allow for administrative recovery of data for a variety of 
scenarios.  They also create their own MBR independent of the 
Windows boot partition. There was some chatter about waiting for 
Vista Bitlocker, but I think it's better defense in depth to use a 
non-Windows product for this.  Plus this way we can use data from 
the management console to certify that the drive was encrypted in 
case of theft which helps if your state has a disclosure law like 
ours does.

One downside to Pointsec is that the key exchange between the 
server and the clients happens over windows ports.  Since we block 
these at the edge, this will probably be a no go. So it's pretty 
much between Guardian Edge and Voltage (Safeboot).

I'm happy to share the requirement analysis spreadsheet we 
developed for the first round of information gathering.

Now it's up to the tech staff to pick one.

We're also evaluating asset recovery products. That's between the 
Absolute software product and CyberAngel.  CyberAngel's pricing is 
better, plus they will allow us to resell this at a steep discount 
for personal devices.  The Absolute product is already built in to 
most modern Dell BIOSes so we would simply need to purchase a 
license and we're off and running, but again, the pricing isn't as 
attractive here.

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224



Penn, Blake wrote:
Computrace from Absolute Software (www.absolute.com) is an asset recovery
product that is compatible with Utimaco's whole disk encryption if you are
looking to do both.  It has a persistent BIOS-based agent to survive hard
disk formatting and the like - pretty cool stuff.
____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/

-----Original Message-----
From: Krizi Trivisani [mailto:krizi () GWU EDU]
Sent: Wednesday, November 08, 2006 3:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption Tools

Hi Kim,

At GW we are using Safeguard Easy (Utimaco product) for full-disk
encryption.  We just finished a successful pilot and have been approved to
move forward with our phased enterprise roll-out.  Our first phase is
full-disk encryption of laptops for high risk users (target by end of Feb;
approx. 700 laptops).  We will also be encrypting desktops in Phases 2 and
3.  Fortunately we have a mandate from our board of directors, so our
enforcement teeth are there.  Communications, training, awareness, and
standards are critical success factors for us.  We are not using an asset
recovery product at this time.

If you would like to talk off-line, please feel free to call me.

Cheers,
Krizi
*********************************
Krizi Trivisani, CISSP
Director of Systems Security Operations
Chief Security Officer
The George Washington University
202/994-7803
krizi () gwu edu

----- Original Message -----
From: "Logan, Kimberly (loganks)" <LOGANKS () UCMAIL UC EDU>
Date: Wednesday, November 8, 2006 3:58 pm
Subject: [SECURITY] Whole Disk Encryption Tools
To: SECURITY () LISTSERV EDUCAUSE EDU

Hi Everyone,

University of Cincinnati is now looking at whole disk encryption tools.
We are looking for a tool that will allow us to manage the keys.
I'd like to know what those of you looking at or using whole disk
encryption are using and why.  Also, does anyone know if there is
one product that provides both whole disk encryption and asset
recovery?

Thanks,
Kim

Kim Logan
Information Security Officer
University of Cincinnati
(513)556-9070
kim.logan () uc edu


