Educause Security Discussion mailing list archives

Re: Laptop Encryption


From: James Farr '05' <jfarr () UTICA EDU>
Date: Wed, 18 Feb 2009 09:00:04 -0500

We are looking at a product made by Credent Technology.  We want to go with a
commercial product so we have the ability to do key recovery.  This product
claims to be seamless for the user.  We shall see.

James Farr
Utica College
jfarr () utica edu
315-223-2386



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wes Young
Sent: Wednesday, February 18, 2009 6:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop Encryption

We're in the process of investigating right now. We've been looking at
the native solutions (file-vault, bitlocker, efs).

Right now it seems like Commercial PGP seems to be the front runner.
We're looking at the differences between that and truecrypt, which is
a great solution, but the PGP commercial package looks better for
enterprise key recovery, management, etc...

Downloading the PGP demo is simple and easy to install (compared to
other commercial products we were looking at).

On Feb 17, 2009, at 11:16 PM, Valdis Kletnieks wrote:

On Tue, 17 Feb 2009 19:06:05 CST, Timothy Payne said:
Can anyone share with the list their experiences with enterprise level
encryption products?  I'm most interested in products that use some
sort of 2-factor authentication...ie, a USB key required to boot and a
password, or password/checksum combo.

How do you deal with the inevitable user who loses their token or
forgets their password?

Also consider the case of a stolen laptop - what are the chances the USB
key is in the laptop bag?  At that point, it's not 2-factor any more.

And then you need to ask yourself - 'What threat model does that second factor
actually protect me against?'.  Remember that *most* 2-factor auth is intended
to protect you against "keystroke logger sniffs password, attacker comes in
over Internet from 9 time zones away" (because then they have "something they
know", but can't supply "something they have" or "something they are" *because*
they're 9 time zones away...).


--
Wes
http://claimid.com/wesyoung
