Educause Security Discussion mailing list archives

Re: Whole Disk Encryption


From: Michael Sana <msana () HPU EDU>
Date: Tue, 17 Jan 2012 21:28:09 +0000

Aloha,

I remember some years back that using native file encryption on machines within scope could possibly violate PCI 
requirements under section 3.


3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be 
managed independently of native operating system access control mechanisms (for example, by not using local user 
account databases). Decryption keys must not be tied to user accounts.

Just something to think about.  I am definitely NOT a QSA, so if someone could shed some light on the situation or 
elaborate, that would be great.

mike.sana.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bradley Jonko
Sent: Tuesday, January 17, 2012 11:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

We currently have PGP (now Symantec) deployed for Windows and Macs, but are desperately looking to move away from PGP 
in favor of the native solutions (Bitlocker and Filevault). We have been running up against user backlash from the long 
delays for major OS patching (mostly on the Mac side), which has led to some users outright removing their encryption.


The largest obstacle that our IT folks are worried about if we move to the native encryption is recreating the password 
recovery mechanisms that are built-in to most of the commercial products.
Has anyone implemented a key escrow/password recovery solution for either/both of the native encryption solutions? If 
so, was it a homegrown solution?


Thank you,
Brad Jonko
Information Security Office
Stanford University
jonko () stanford edu
650.724.2822
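As an added example (not code from the thread or from any of the posters), one way to build the recovery-password escrow Brad asks about for the BitLocker side, using only manage-bde, which is what a Windows 7-era client ships with. It assumes the OS volume is C:, a domain-joined machine whose AD schema already carries the BitLocker recovery attributes (the same ones the built-in "Save BitLocker recovery information to AD DS" policy uses), and a hypothetical write-only share \\escrow\keys$ as a fallback for machines whose AD backup fails. The 48-digit password check reflects the documented format (eight six-digit groups, each divisible by 11 and encoding a 16-bit value); everything else is an assumption of this example.

```powershell
# Added example, not from the original thread. Minimal homegrown BitLocker
# recovery-password escrow for a Windows 7-era client, built on manage-bde.
# Assumptions (not stated in the thread): OS volume is C:, the machine is
# domain-joined with the BitLocker AD schema extensions in place, and
# \\escrow\keys$ is a hypothetical write-only share used only as a fallback.
# Run elevated (e.g. as a startup script under SYSTEM).

$Volume        = 'C:'
$FallbackShare = '\\escrow\keys$'   # hypothetical

function Test-RecoveryPassword([string]$Password) {
    # A BitLocker numerical password is 8 groups of 6 digits. Each group is a
    # multiple of 11 whose quotient fits in 16 bits, so it is below 65536*11.
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

# 1. Ensure the volume has at least one numerical-password protector.
$listing = (manage-bde -protectors -get $Volume -Type RecoveryPassword) -join "`n"
if ($listing -notmatch 'Numerical Password') {
    manage-bde -protectors -add $Volume -RecoveryPassword | Out-Null
    $listing = (manage-bde -protectors -get $Volume -Type RecoveryPassword) -join "`n"
}

# 2. Extract every (protector ID, password) pair from the manage-bde listing.
$pattern = 'ID:\s*(\{[0-9A-Fa-f-]+\})\s*Password:\s*((?:\d{6}-){7}\d{6})'
$records = [regex]::Matches($listing, $pattern) | ForEach-Object {
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Volume      = $Volume
        ProtectorId = $_.Groups[1].Value
        Password    = $_.Groups[2].Value
        Escrowed    = (Get-Date).ToString('o')
    }
}
if (-not $records) { throw "No recovery password protector found on $Volume" }

# 3. Escrow each protector: AD DS first, fallback share only if that fails.
foreach ($r in $records) {
    if (-not (Test-RecoveryPassword $r.Password)) {
        throw "Parsed an invalid recovery password for protector $($r.ProtectorId)"
    }
    manage-bde -protectors -adbackup $Volume -id $r.ProtectorId | Out-Null
    if ($LASTEXITCODE -ne 0) {
        $name = '{0}-{1}-{2}.csv' -f $r.Host, $r.Volume.TrimEnd(':'), $r.ProtectorId.Trim('{}')
        $r | Export-Csv -Path (Join-Path $FallbackShare $name) -NoTypeInformation
        Write-Warning "AD backup failed for $($r.ProtectorId); wrote fallback copy to $FallbackShare"
    }
}
```

The AD backup is the same operation the built-in policy performs when a drive is first encrypted; running it explicitly covers drives that were encrypted before the policy existed or while the machine was off the network. Whatever the fallback store is, it should accept writes but not reads from the client, and the recovery password should be retrievable only through a help-desk workflow that records who pulled it. The FileVault side of Brad's question needs a separate mechanism and is not covered here.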



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Friday, January 06, 2012 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

The biggest drawback for us was no password recovery - lose the password, lose the data....

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drew 
Perry
Sent: Friday, January 06, 2012 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

@Aaron,

TrueCrypt is a great product for individual use. But in a larger environment, it lacks significant enterprise 
deployment tools. IT staff can back up the Volume Header of encrypted disks for central management, but it requires 
direct contact with each system. There is no support for remote management, monitoring, or maintenance. Definitely use 
it at home and in smaller environments. (For small organizations it's hard to beat the price.) But I wouldn't recommend 
it for any type of enterprise rollout.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu


On Fri, Jan 6, 2012 at 10:16 AM, Aaron S. Thompson <athompson () berklee edu> wrote:
Hi All,

Has anyone deployed or had experience with TrueCrypt (http://www.truecrypt.org/)?  If so, are you happy with it?  Is there 
anything you would have changed, or any pitfalls?

Best,

Aaron
-
Aaron Thompson
Network Architect for IT Operations

Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693

www.berklee.edu
617.747.8656



--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.

