Re: Laptop encryption

[Greg Vickers <g.vickers () QUT EDU AU>]

Hi Dennis,

We have a project ready to go that will perform an investigation of hard
drive encryption technology and report back to our steering committee on
viable cross-platform solutions.  So I'd be interested in hearing what
other people have to say, too :)

Answers to your questions are inline below:

Dennis Tracz wrote:
> Hello all,
>
> I am new to this list so please forgive me if this topic has already
> been covered.
> I am interested in knowing, what is the common practice for Laptop
> encryption, specifically:
>
> 1.  What is your current practice:
>     a.  Do you use encryption on laptops (for laptops you administer)
>     b.  Do you encrypt the entire hard drive or selected folders i.e.(
> My Documents)
>     c.  Do you use a commercial product or EFS
>     e.  If encryption is used is it automatically configured (for
> laptops you administer) or do users have a choice

Currently we do not have a policy or centrally managed technology and I
am unaware of any unofficial use of encryption technologies by any areas
at QUT.  I understand that there may be centralized support of BitLocker
when/if our staff SOE moves to Vista, however AFAIK this is not
cross-platform to Linux/Macintosh.

> 2.  What is your desired practice if you do not use encryption on laptops
>
> a.  Is this something you are wanting, attempting or not wishing to do?
> b.  Would you encrypt the entire hard drive or selected folders i.e.( My
> Documents)
> c.  Would you use a commercial product or EFS?
> d.  Would you automatically encrypt (for laptops you administer) or
> would you let your users have a choice?

Yup, we're going to do it.  We would look for a product that can encrypt
either the whole drive or selected folders/files.  We'd be happy with a
commercial product (providing the product provides attributes and
features significantly in advance of an F/OSS product, and we can
procure the required funds) or F/OSS.  To minimize overheads, it will be
a product that can be centrally managed in some way.

We haven't defined if this technology would be mandatory, if the
protection provided is shown to be of sufficient benefit to the
organization, and outweighs the performance impact, then we would
mandate use of the technology in some way.

> Any insight is greatly appreciated.  Thanks in advance

Thanks,
--
Greg Vickers
IT Security Engineer & Project Manager
IT Security, Network Services,
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: +61 7 3138 9536
Mobile: 0410 434 734
Fax: +61 7 3138 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J