Educause Security Discussion mailing list archives
Re: Group encryption solutions
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Fri, 14 Mar 2008 13:39:00 -0600
Two of the options in this space are PGP NetShare (as has been mentioned), which we have used in our IT security office. I like how it works, particularly if you're already using PGP for other encryption functions (e-mail, whole disk, virtual disks, removable media, etc). Another option is the parallel item from Utimaco called LANCrypt. It's conceptually similar to NetShare, but different in implementation.

One thing to keep in mind is that these are client-side solutions which have pros and cons:

Pros:
-No need for software on the file server
-Data is encrypted between client and server
-Data is encrypted on backups

Cons:
-All clients must have the software installed to access the encrypted items
-Can cause confusion if clients without the software write files to directories tagged for encryption (these files will be created, but not encrypted unless a client with the software later enforces the encryption)
-Client configuration consistency may be important (depends on the application and implementation)

Brad Judy
IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tonkin, Derek K.
Sent: Friday, March 14, 2008 1:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Group encryption solutions

PGP does tie-in to LDAP for determining group policy settings. The way PGP does network shares is called PGP NetShare and they have just made some significant changes to the administration side of this. We don't actually use the NetShare functionality (although we are licensed for it) but as I understand it this would address your main concerns. Our view on the shares is that since we have really good security for our servers that is already a safe place (shares can have access controlled by Group Policy as well).

You are correct about the encrypted ZIPs not scaling well although PGP does give you the ability to encrypt to a passphrase or to make multiple keys work for a single zip file.

Let me know if there was anything I didn't address or if you have other questions,

Derek

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu
254-710-7061
---------------Sic 'em Bears---------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Curt Wilson
Sent: Friday, March 14, 2008 1:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Group encryption solutions

Thanks Derek. Are you handling scenarios where a workgroup all needs to get to selected resources on a share? Using whole-disk in this case doesn't really buy you much in case the server gets compromised, for instance. I see the value of full disk in the case of theft, but when you have 50 some ppl that need to get to access the data at varying times throughout the day, how is this best accomplished?

Ideally there is some solution that will protect the data while it's on the server, and while it's on the workstation as well, based on Active Directory or LDAP group attributes.

We could create encrypted zip files now, with Secure Zip, but from what I understand that approach doesn't really scale that well and you have a static key that you have to pass around. When one person leaves the group, you've got to redo everything to keep the knowledge of the key/passphrase from leaking.

Does your PGP solution align with AD/LDAP groups?

Thanks

CurtW

Tonkin, Derek K. wrote:
We use PGP's Universal Server product with a central server (running on a VM). We don't typically use it for individual file/folder encryption although it can do that through the creation of encrypted zip files. We use it for whole-disk encryption because that way we don't have to worry about the user remembering/caring enough to take the time to encrypt sensitive files. There is a slight performance hit which is more noticeable on older machines but most users do not even notice it.

Universal Server also includes the option to encrypt and sign e-mails and encrypt network shares and we are beginning to experiment with these aspects of it as well.

If you have any questions about the implementation feel free to ask.

Derek

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu
254-710-7061
---------------Sic 'em Bears---------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Curt Wilson
Sent: Friday, March 14, 2008 12:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Group encryption solutions

Individual file/folder encryption for a windows user is pretty simple - TrueCrypt, SecureZIP are two viable options depending upon requirements.

What are other .edus using for group encryption? I've gotten the impression that the more user-friendly the system is, the more back-end work required. A nice balance is sought so that users don't find it too much of a pain that they won't use it, and also so that our limited admin resources aren't overtaxed.

I've heard of people using PGP for this, and I'm aware of an Entrust offering that I've yet to evaluate. The Entrust offering requires setting up several servers, and I believe it's relatively new so I'm a bit hesitant to recommend it. PGP seems tried and true, but I've only used it for personal encryption or to encrypt documents for a small group of recipients.

Comments appreciated on or off list. If I get a lot of responses I may summarize them for the group.

Thanks

Curt Wilson
SIUC