Educause Security Discussion mailing list archives
Re: Laptop Encryption Software
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 5 Mar 2007 15:23:22 -0500
Lovaas,Steven wrote:
Gary, I'll touch on only one of your points for now: "why others were choosing commercial solutions over the native EFS". Not MS-bashing here, just pointing out some realities. 1) Without a PKI, XP allows you to turn your encrypted file into a digital brick. Looking to make the experience better from 2000 (where you had to designate a recovery agent before you could turn on EFS, but the default recovery agent was the domain administrator account and you couldn't change that without a Microsoft CA), Microsoft changed XP to allow turning on EFS without specifying a recovery agent. The first user to do that would likely be a Vice President, and then he'd forget his password and one of us would be looking for work elsewhere :) So the way key management works between 2000, XP and Vista varies significantly... And if you have all three in your organization, you'll need to work carefully if you use the Microsoft approach without a PKI.
We are recommending against using EFS on Windows 2000 for the reason you mentioned. In addition, I'd recommend against its use for any sensitive data for additional reasons ( no built-in firewall, harder to keep up to date, getting long in the tooth, better options freely available depending on your campus licenses ). Even without a PKI, the issues with EFS key escrow can be handled in the installation procedure. It would back up the user account keys and/or import a recovery agent certificate. We're planning the latter. The one area that could present a problem is that EFS uses a unique symmetric key for each file and there is no mechanism that I know of to export those keys. Nor would I want to try to manage them if I could. I don't even think they're handled by Microsoft's PKI. I haven't looked into third party tools or their architectures but they all have to have some way to archive encryption key(s) external to the machine to have any value for data recovery. To some extent then, they'd either use an external PKI or implement a single-purpose one. Is it safe to assume they all have their own central key repository? Do they use unique encryption keys for each file like EFS or is another architecture more common?
2) The Payment Card Industry Data Security Standards specify, in version 1.1 section 3.4, that Active Directory may not be used to manage logical access to protected files. While this is a single regulation, it supports the more generally held notion that if you really want to protect sensitive information (and that's why you want the encryption, right?) you need to keep it secure from hackers and worms that operate within a user's logged-in session. This points toward using third-party or custom internal products.
Kind of makes sense. It requires encryption products to implement their own account/password store and would seem to prohibit tie-in to single/same sign on systems. I wonder how many users use the same password though. It would also seem to prohibit a certificate based authentication system that makes cert credentials available to a user upon login. Kind of like going back to basic separation of duty principles.
So neither of these absolutely recommends against MS encryption, but there are some gotchas. Plus, since Bitlocker needs Vista and specific hardware, we've decided to do a third party approach to be more inclusive.
Thanks for your comments.
Steve
==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Monday, March 05, 2007 10:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop Encryption Software

Our sensitive data group just published a guideline requiring encryption for sensitive data.
http://www.jmu.edu/computing/sensitivedata/bestpractices.shtml

We are looking for a stopgap encryption solution so we have a mechanism that people can use to comply with the guideline. We are recommending Windows EFS on Windows XP computers and a combination of EFS and Bitlocker on Vista computers for this purpose.

I was wondering why others were choosing commercial solutions over the native EFS and Bitlocker as the strategic solution for workstation encryption. If you're using a commercial product, does it perform key escrow to a centralized server? Is it a standalone product or does it require existing infrastructure such as an Active Directory domain and/or Microsoft CA?

If you've purchased a commercial product for this purpose, would you be willing to send me the pricing you have obtained offline and the volume of licenses you had to purchase to get that price?

On a side note, what do you think of the ATA hard disk security feature ( i.e. hard disk password )? Although it's not based on encryption, it looks to me to be a fairly strong protection mechanism short of someone able to read bare, disassembled disks.

thanks
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
-- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
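The thread above turns on two points: that EFS keeps a unique symmetric key per file which cannot be exported, and that a file encrypted before a recovery agent exists becomes a "digital brick". The model below is an added example, not code from the mailing list or from Microsoft, that shows why those per-file keys never need to be escrowed: each file's key is wrapped separately to the user's key (the data decryption field) and to each recovery agent's key (the data recovery field), so escrowing only the long-term user and recovery-agent keys is enough, and a file with an empty recovery field is exactly the brick Steven describes. The primitives are constructed for the example (an HMAC-SHA256 counter keystream stands in for the real EFS algorithms and for the RSA wrapping of the real DDF/DRF); the identifiers "vp" and "dra" and the key values are made up.

```python
"""Model of EFS-style per-file key wrapping (added example, not real EFS code).

Toy primitives, constructed for this example only: encryption is XOR with an
HMAC-SHA256 counter keystream, and key wrapping is the same construction under
a long-term key-encryption key (KEK) with an HMAC tag so a wrong KEK is detected.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce, block counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def wrap(kek: bytes, fek: bytes) -> bytes:
    """Wrap a file encryption key under a KEK: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, fek)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Recover the FEK; raises ValueError if the KEK is wrong or the blob is damaged."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupt wrapped key")
    return keystream_xor(kek, nonce, ct)


@dataclass
class EncryptedFile:
    nonce: bytes
    ciphertext: bytes
    ddf: dict  # data decryption field: principal id -> FEK wrapped to that user
    drf: dict  # data recovery field: agent id -> FEK wrapped to that recovery agent


def encrypt_file(plaintext: bytes, user_id: str, user_kek: bytes,
                 recovery_keks: dict) -> EncryptedFile:
    """Encrypt with a fresh per-file key; the FEK itself is never stored in clear."""
    fek = os.urandom(32)      # unique per file, as in EFS
    nonce = os.urandom(16)
    return EncryptedFile(
        nonce,
        keystream_xor(fek, nonce, plaintext),
        {user_id: wrap(user_kek, fek)},
        {agent: wrap(kek, fek) for agent, kek in recovery_keks.items()},
    )


def decrypt_file(ef: EncryptedFile, principal_id: str, kek: bytes) -> bytes:
    """Decrypt as a user (DDF) or as a recovery agent (DRF)."""
    entry = ef.ddf.get(principal_id) or ef.drf.get(principal_id)
    if entry is None:
        raise LookupError(f"no decryption or recovery entry for {principal_id!r}")
    fek = unwrap(kek, entry)
    return keystream_xor(fek, ef.nonce, ef.ciphertext)


def demo() -> dict:
    """Constructed scenario: a user loses their key; the escrowed agent key still works."""
    user_kek = b"u" * 32            # constructed key values
    agent_kek = b"r" * 32
    lost_kek = b"x" * 32            # the VP's new, unrelated key after a password reset
    data = b"payroll.xls contents"

    escrowed = encrypt_file(data, "vp", user_kek, {"dra": agent_kek})
    brick = encrypt_file(data, "vp", user_kek, {})   # encrypted before any agent existed

    def fails(fn, exc):
        try:
            fn()
        except exc:
            return True
        return False

    return {
        "user_can_read": decrypt_file(escrowed, "vp", user_kek) == data,
        "agent_can_recover": decrypt_file(escrowed, "dra", agent_kek) == data,
        "lost_key_rejected": fails(lambda: decrypt_file(escrowed, "vp", lost_kek), ValueError),
        "brick_unrecoverable": fails(lambda: decrypt_file(brick, "dra", agent_kek), LookupError),
        "per_file_keys_differ": unwrap(user_kek, escrowed.ddf["vp"])
                                != unwrap(user_kek, brick.ddf["vp"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point for an installation procedure is the difference between the two files: importing the recovery agent certificate before users turn on EFS populates the recovery field on every later file, whereas backing up the user's own key only helps for files that user could already open.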
Current thread:
- Laptop Encryption Software clementz.7 (Feb 26)
- <Possible follow-ups>
- Re: Laptop Encryption Software Julian Thompson (Feb 26)
- Re: Laptop Encryption Software Pace, Guy (Feb 26)
- Re: Laptop Encryption Software Joel Rosenblatt (Feb 26)
- Re: Laptop Encryption Software Mclaughlin, Kevin L (mclaugkl) (Feb 26)
- Re: Laptop Encryption Software Lovaas,Steven (Feb 26)
- Re: Laptop Encryption Software Walter E. Petruska (Feb 28)
- Re: Laptop Encryption Software Sadler, Connie (Mar 05)
- Re: Laptop Encryption Software Gary Flynn (Mar 05)
- Re: Laptop Encryption Software Lovaas,Steven (Mar 05)
- Re: Laptop Encryption Software Gary Flynn (Mar 05)
- Re: Laptop Encryption Software Valdis Kletnieks (Mar 05)
- Re: Laptop Encryption Software Gary Flynn (Mar 05)