Educause Security Discussion mailing list archives
Re: Mobile Data - Protecting the University from unnecessary risk
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Tue, 11 May 2010 06:04:21 -0400
I like to make the point the FDE is not really security, it's risk management and compliance - it is installed to prevent the CNN moment - an insurance policy at best. Randy's post is excellent - it is up to us (the security folks) to make sure that management understands that just because FDE is installed on systems, it does not mean that we can dispense with other security programs. My 2 cents Joel --On Tuesday, May 11, 2010 1:12 AM -0400 Valdis Kletnieks <Valdis.Kletnieks () VT EDU> wrote:
On Mon, 10 May 2010 21:53:07 EDT, randy marchany said:2. This is significant in that as long as the system is booted up, your files are encrypted UNTIL they are accessed by a userid or process owned by a userid that has READ access to the files in question. World read access allows any userid to decrypt the file. A process running under your userid's privileges can decrypt any file you have read access and any malware running under your userid has that same access.Something that Randy implies, but a fair number of people need to be hit over the head with repeatedly till they get it: 2a) Full Disk Encryption is only really useful when defending against some miscreant who has wandered off with your computer *while it's powered off* under his arm, taken it back to their den of iniquity, and powered it on and said "OK, now what?". This is a very real and valid threat model for a laptop or small desktop, but probably not your ERP system, which is probably hardly ever powered down, and probably won't fit under a miscreant's arm without the assistance of a forklift. And yet, I've heard more than one tale of a misguided security person insisting that FDE be installed on the ERP system - resulting in the loss of 1 or 2 nines of reliability because at the next reboot, it did exactly what FDE will make it do - sit there and not mount the disk till it gets fed the magic word. Whoops.
Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel
Current thread:
- Mobile Data - Protecting the University from unnecessary risk Todd Britton (May 10)
- <Possible follow-ups>
- Re: Mobile Data - Protecting the University from unnecessary risk SCHALIP, MICHAEL (May 10)
- Re: Mobile Data - Protecting the University from unnecessary risk randy marchany (May 10)
- Re: Mobile Data - Protecting the University from unnecessary risk John Ladwig (May 10)
- Re: Mobile Data - Protecting the University from unnecessary risk Valdis Kletnieks (May 10)
- Re: Mobile Data - Protecting the University from unnecessary risk Joel Rosenblatt (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Stephen C. Gay (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Buskill, Bruce M (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Buskill, Bruce M (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Buskill, Bruce M (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Buskill, Bruce M (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Buskill, Bruce M (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Ken Connelly (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Matthew Gracie (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk Bradley, Stephen W. Mr. (May 11)
- Re: Mobile Data - Protecting the University from unnecessary risk David Bowie (May 11)
(Thread continues...)