Re: Laptop encryption

[Jeff Holden <JHolden () MTSAC EDU>]

Here at Mt. Sac we are getting ready to roll out Encryption Anywhere made
by Guardian Edge.  It is full disk AES 256 bit encryption.   There is a
management interface to custom make MSI install files with all of the
options we want to be default.  It can then be pushed out through AD and
managed through AD.  Once the product is installed the user can register
themselves, which consists of a few security questions.  If they forget
their password they can answer the security questions and get access to
their laptop.   If  user forget both the security questions and their
password then an pre defined administrator account can still gain access
to the drive.  The major limitations though  is  that it is only for
windows XP or 2000 only.   A Vista version is supposed to be out by the
end of the year.  We are only deploying it to the laptops currently.  In
our testing the performance hit wasn't noticeable on a fairly recent
machine (intel core solo, 2 gigs ram).


Thanks,
Jeff Holden, CISSP, RHCE
Manager, Network & Data Security
Mt. San Antonio College
(909) 594-5611 X5017




Paul Keser <pkeser () STANFORD EDU>
10/05/2007 11:30 AM
Please respond to
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>


To
SECURITY () LISTSERV EDUCAUSE EDU
cc

Subject
Re: [SECURITY] Laptop encryption






-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One of our Sysadmins is experimenting with the seagate solution.  So far
he likes it, no noticeable performance hit.  I like the fact that it is
OS agnostic.

We are also experimenting with EFS for windows and TrueCrypt for Linux &
Windows.  We haven't been able to find 1 vendor to support all 3
platforms yet, even PGP is only officially supporting Mac & Win these
days...and not even the boot disk on Mac.  I really wish they would port
TrueCrypt to Mac.   I also like forcefield for managing TrueCrypt on
Linux.

I still have not been sold on whole disk encryption.  Encrypting the OS
makes sys admining the box that much more complex and the potential for
disaster is too great...I think I'd rather have the os in the clear so
it is easier to integrity check.


JMHO...

- -PaulK

Paul Keser
Assoc. Information Security Officer
Stanford University
650.724.9051
GPG Fingerprint:  DBA3 E20F CE91 28AA DA1C  4A77 3BD9 C82D 2699 24FB


David Taylor wrote:
> There is also the Seagate drive that does whole disk encryption.  It
also takes most of the performance hit since most of the processing is
done on the drive hardware. Has anyone had any experience with these?  I
think they just hit the market recently.
>
http://www.pcworld.com/businesscenter/article/129734/seagate_ships_supersecure_hard_disk_drive.html

> -------------------------------
> David Taylor
> University of Pennsylvania
> Office of Information Security
> 215-898-1236
> -------------------------------
>
>
>
> -----Original Message-----
> From: O'Callaghan, Daniel [mailto:Daniel.OCallaghan () SINCLAIR EDU]
> Sent: Friday, October 05, 2007 10:33 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Laptop encryption
>
> > 1.  What is your current practice:
> We looked at laptop encryption about 2 years ago and decided the
> resource hit, risk of data loss, key management, and user-related issues
> were significant enough that we could not support 'mandating' across the
> board.
> We opted for mandating the use of drive locking technology (HP
> DriveLock) for all College-owned administrative (ie faculty & staff)
> laptops. DriveLock essentially uses the TPM chip which prevents the
> drive from booting/initializing until the password is entered, even if
> the drive is removed & inserted in another device, it will not boot.
> College policy requires all laptop purchases be coordinated with and
> processed by IT.  When the machine arrives on campus, IT sets the
> 'master' DriveLock password and the owner sets the user password on
> delivery. We initially met user resistance to this 'extra' password
> requirement, but have overcome a lot of it by also allowing users to
> implement the stored credentials (essentially a password vault) feature
> offered by the machines.  A caveat is that users must be taught to
> power-down, not just hibernate, the laptop when traveling as DriveLock
> only works at powerup.
>
> > 2.  What is your desired practice if you do not use encryption on
> laptops
> Our Acceptable Use Policy does state that all personal identifying
> information stored on local devices, portable devices, or removable
> media must be encrypted or redacted. We offer user training on using
> WinZip, AxCrypt, and Truecrypt for encryption of individual files or
> folders.
>
> We do realize that this DriveLock is essentially technology enhanced
> "security by obscurity" and is not a perfect solution,  but think it is
> a pretty good solution based on risk/usability.  Our legal counsel
> opines that if a user (who doesn't follow the AUP encryption
> requirement) loses a laptop containing personal information, DriveLock
> "might" provide a defense under the "data elements unreadable"
> definition of Ohio's data breach notification law...but we are really
> hoping we do not have the opportunity to find out.
>
>
> ________________________________________________
> Daniel V. O'Callaghan, Jr., MBA, CISSP
> Chief Information Security Officer
> Sinclair Community College
> 444 West Third Street, 14-324
> Dayton, Ohio 45402-1460
> 937-512-2452 Fax 937-512-3124
> daniel.ocallaghan () sinclair edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHBoLBO9nILSaZJPsRAt4bAJ9ZgxXjNQAP/pZk1ZXMI3JQEpZedwCfTfoO
2KZVZ1yCfoT/+arAEex65nQ=
=6wY3
-----END PGP SIGNATURE-----