Educause Security Discussion mailing list archives

Re: Group encryption solutions


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Fri, 14 Mar 2008 13:39:00 -0600

One of the options in this space is PGP NetShare (as has been
mentioned), which we have used in our IT security office.  I like how it
works, particularly if you're already using PGP for other encryption
functions (e-mail, whole disk, virtual disks, removable media, etc).

Another option is the parallel item from Utimaco called LANCrypt.  It's
conceptually similar to NetShare, but different in implementation.

One thing to keep in mind is that these are client-side solutions which
have pros and cons:

Pros:
-No need for software on the file server
-Data is encrypted between client and server
-Data is encrypted on backups

Cons:
-All clients must have the software installed to access the encrypted
items
-Can cause confusion if clients without the software write files to
directories tagged for encryption (these files will be created, but not
encrypted unless a client with the software later enforces the
encryption)
-Client configuration consistency may be important (depends on the
application and implementation)

Brad Judy

IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tonkin, Derek K.
Sent: Friday, March 14, 2008 1:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Group encryption solutions

PGP does tie-in to LDAP for determining group policy settings.  The way
PGP does network shares is called PGP NetShare and they have just made
some significant changes to the administration side of this.  We don't
actually use the NetShare functionality (although we are licensed for
it) but as I understand it this would address your main concerns.  Our
view on the shares is that since we have really good security for our
servers that is already a safe place (shares can have access controlled
by Group Policy as well).

You are correct about the encrypted ZIPs not scaling well although PGP
does give you the ability to encrypt to a passphrase or to make multiple
keys work for a single zip file.

Let me know if there was anything I didn't address or if you have other
questions,

Derek

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu        254-710-7061
---------------Sic 'em Bears---------------


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Curt Wilson
Sent: Friday, March 14, 2008 1:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Group encryption solutions

Thanks Derek. Are you handling scenarios where a workgroup all needs to
get to selected resources on a share? Using whole-disk in this case
doesn't really buy you much in case the server gets compromised, for
instance. I see the value of full disk in the case of theft, but when
you have 50-some people that need to access the data at varying
times throughout the day, how is this best accomplished? Ideally there
is some solution that will protect the data while it's on the server,
and while it's on the workstation as well, based on Active Directory or
LDAP group attributes.

We could create encrypted zip files now, with SecureZIP, but from what
I understand that approach doesn't really scale that well and you have a
static key that you have to pass around. When one person leaves the
group, you've got to redo everything to keep the knowledge of the
key/passphrase from leaking.  Does your PGP solution align with AD/LDAP
groups?

Thanks
CurtW





Tonkin, Derek K. wrote:
We use PGP's Universal Server product with a central server (running on
a VM).  We don't typically use it for individual file/folder encryption
although it can do that through the creation of encrypted zip files.  We
use it for whole-disk encryption because that way we don't have to worry
about the user remembering/caring enough to take the time to encrypt
sensitive files.  There is a slight performance hit which is more
noticeable on older machines but most users do not even notice it.
Universal Server also includes the option to encrypt and sign e-mails
and encrypt network shares and we are beginning to experiment with these
aspects of it as well.  If you have any questions about the
implementation feel free to ask.

Derek

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu        254-710-7061
---------------Sic 'em Bears---------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Curt Wilson
Sent: Friday, March 14, 2008 12:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Group encryption solutions

Individual file/folder encryption for a Windows user is pretty simple -
TrueCrypt, SecureZIP are two viable options depending upon requirements.

What are other .edus using for group encryption? I've gotten the
impression that the more user-friendly the system is, the more back-end
work required. A nice balance is sought so that users don't find it too
much of a pain that they won't use it, and also so that our limited
admin resources aren't overtaxed.

I've heard of people using PGP for this, and I'm aware of an Entrust
offering that I've yet to evaluate. The Entrust offering requires
setting up several servers, and I believe it's relatively new so I'm a
bit hesitant to recommend it. PGP seems tried and true, but I've only
used it for personal encryption or to encrypt documents for a small
group of recipients.

Comments appreciated on or off list. If I get a lot of responses I may
summarize them for the group.

Thanks
Curt Wilson
SIUC

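As an added example (not code from the thread, nor from PGP or SecureZIP) of the key-management point Curt raises about shared-passphrase ZIPs and Derek's note about making multiple keys work on one file: a per-folder data key is wrapped once per group member, so adding a member costs one wrap, while a departure still forces a key rotation and re-encryption because the leaver already holds the old key. The member names, the stdlib PRF stand-in for a real cipher, and the SharedFolder class are all assumptions.

```python
import hashlib
import hmac
import secrets

# Toy PRF-based cipher so the example runs on the standard library alone.
# Assumption: a real deployment would use AES-GCM or PGP's own hybrid scheme.
def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(ek, nonce, len(data))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

class SharedFolder:
    """Hypothetical design: one data key per folder, wrapped once per member."""
    def __init__(self, roster: dict):           # {name: member's personal key}
        self.dek = secrets.token_bytes(32)
        self.blob = b""
        self.wrapped = {n: seal(k, self.dek) for n, k in roster.items()}
    def write(self, plaintext: bytes) -> None:
        self.blob = seal(self.dek, plaintext)
    def read(self, name: str, personal_key: bytes) -> bytes:
        # KeyError if the name is not a member; ValueError if the key is wrong.
        return unseal(unseal(personal_key, self.wrapped[name]), self.blob)
    def add_member(self, name: str, personal_key: bytes) -> None:
        # Joining is cheap: wrap the existing data key once; the data is untouched.
        self.wrapped[name] = seal(personal_key, self.dek)
    def remove_member(self, name: str, roster: dict) -> None:
        # The leaver already knows the old data key, so revoking means rotating
        # the key and re-encrypting, then re-wrapping for the current roster
        # (which in practice would come from the AD/LDAP group).
        plaintext = unseal(self.dek, self.blob)
        self.dek = secrets.token_bytes(32)
        self.wrapped = {n: seal(k, self.dek) for n, k in roster.items() if n != name}
        self.write(plaintext)
```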
