Re: Group encryption solutions

[Curt Wilson <curtw () SIU EDU>]

Thanks Derek. Are you handling scenarios where a workgroup all needs to
get to selected resources on a share? Using whole-disk in this case
doesn't really buy you much in case the server gets compromised, for
instance. I see the value of full disk in the case of theft, but when
you have 50 some ppl that need to get to access the data at varying
times throughout the day, how is this best accomplished? Ideally there
is some solution that will protect the data while it's on the server,
and while it's on the workstation as well, based on Active Directory or
LDAP group attributes.

We could create encrypted zip files now, with Secure Zip, but from what
I understand that approach doesn't really scale that well and you have a
static key that you have to pass around. When one person leaves the
group, you've got to redo everything to keep the knowledge of the
key/passphrase from leaking.  Does your PGP solution align with AD/LDAP
groups?

Thanks
CurtW





Tonkin, Derek K. wrote:
> We use PGP's Universal Server product with a central server (running on
> a VM).  We don't typically use it for individual file/folder encryption
> although it can do that through the creation of encrypted zip files.  We
> use it for whole-disk encryption because that way we don't have to worry
> about the user remembering/caring enough to take the time to encrypt
> sensitive files.  There is a slight performance hit which is more
> noticeable on older machines but most users do not even notice it.
> Universal Server also includes the option to encrypt and sign e-mails
> and encrypt network shares and we are beginning to experiment with these
> aspects of it as well.  If you have any questions about the
> implementation feel free to ask.
>
> Derek
>
> -------------Baylor University-------------
> Derek Tonkin
> Information Security Analyst
> Information Technology Services - Security
> derek_tonkin () baylor edu        254-710-7061
> ---------------Sic 'em Bears---------------
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Curt Wilson
> Sent: Friday, March 14, 2008 12:49 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Group encryption solutions
>
> Individual file/folder encryption for a windows user is pretty simple -
> TrueCrypt, SecureZIP are two viable options depending upon requirements.
>
> What are other .edus using for group encryption? I've gotten the
> impression that the more user-friendly the system is, the more back-end
> work required. A nice balance is sought so that users don't find it too
> much of a pain that they won't use it, and also so that our limited
> admin resources aren't overtaxed.
>
> I've heard of people using PGP for this, and I'm aware of an Entrust
> offering that I've yet to evaluate. The Entrust offering requires
> setting up several servers, and I believe it's relatively new so I'm a
> bit hesitant to recommend it. PGP seems tried and true, but I've only
> used it for personal encryption or to encrypt documents for a small
> group of recipients.
>
> Comments appreciated on or off list. If I get a lot of responses I may
> summarize them for the group.
>
> Thanks
> Curt Wilson
> SIUC