13. File and Folder Encryption
• Encrypts individual files or entire folders
• Requires authentication to decrypt and access the files
14. Full Disk Encryption
• Replaces the master boot record with a special preboot environment
• Encrypts the entire hard drive
• Preboot Authentication plus OS authentication
• Decrypts as files are used
19. Charter
• To research tools and methods for encrypting data on desktops and laptops so that risk is reduced if a computer storing restricted data is lost, stolen, compromised or disposed of improperly.
• Deliverables are:
1) recommend a product for pilot
2) pilot the product
3) recommend final product to sponsors
20. Scope
• Common desktop operating systems
– Macintosh and Windows
• Full disk and file/directory level encryption
• Removable media devices
– USB drives, CDRW
• Managed (IT administered) and unmanaged (self-administered) systems
21. Out of scope
• Encryption of Linux OS, handhelds or smart phones
• Hardware encryption
• Database encryption
• Encryption of server-based solutions
• Secure transmission
• Secure printing
22. Out of scope
• End user education
• Best practices
• Support infrastructure
• Policy work
23. Approach
• Define the project
• Get Smart!
– Product and Market Analysis
– Requirements Gathering
24. Get Smart!
• Team knowledge and research
• NIST document (800-111) – Nov 2007
– Guide to Storage Encryption Technologies for End User Devices
– http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
• Campus forum
• Leverage others' work
26. Requirements
• Device support
– Windows … all flavors
– Macintosh
– Linux
– Smart Phone/Handheld
• Industry Standard Encryption
– AES 256
– FIPS certified
27. Requirements
• Key Management
– Key backup/escrow mechanisms
– Key recovery mechanisms
– Key generation mechanisms
• Removable Media support
– USB disks, etc.
– CD R/W
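The requirements on slides 13 and 27 ask for two things at once: a file that cannot be read without authentication, and a key backup/escrow mechanism so that (as the speaker notes put it) lost keys do not mean lost data. The following Go program is an added example, not code from the UW project or from any product it evaluated, showing how both fit in one file format: a random data key (DEK) encrypts the contents, and the DEK is wrapped twice, once under a key derived from the user's passphrase and once under an escrow key held by the managing IT unit. Every name in it (EncryptedFile, deriveKey, seal, open, EncryptFile, DecryptWithPassphrase, RecoverWithEscrow), the algorithm choices (AES-256-GCM, PBKDF2-HMAC-SHA256 at 100,000 iterations, a 32-byte escrow key) and the sample record are assumptions constructed for the example.

```go
package main

// Added example (not the UW project's or any vendor's code): an envelope layout
// for one file. A random data key (DEK) seals the contents and is itself wrapped
// for the passphrase and for an IT-held escrow key. Assumed: AES-256-GCM, PBKDF2.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is the on-disk record for one encrypted file.
type EncryptedFile struct {
	Salt       []byte // salt for the passphrase-derived key-encryption key (KEK)
	UserSlot   []byte // DEK sealed under the KEK
	EscrowSlot []byte // DEK sealed under the escrow (recovery) key
	Body       []byte // file contents sealed under the DEK
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // never returns an error as of Go 1.24; it panics internally instead
	return b
}

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, i.e. one AES-256 key.
func deriveKey(passphrase, salt []byte) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...) // T_1 = U_1 xor U_2 xor ... xor U_c
	for i := 1; i < 100000; i++ { // assumed work factor; tune to the hardware
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

func gcmFor(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here
	}
	gcm, _ := cipher.NewGCM(blk) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts and authenticates plaintext, prefixing a fresh 12-byte nonce;
// open reverses it, and a wrong key or a tampered byte fails the GCM tag check.
func seal(key, plaintext []byte) []byte {
	nonce := randBytes(12) // standard GCM nonce size
	return gcmFor(key).Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcmFor(key).Open(nil, blob[:12], blob[12:], nil)
}

// EncryptFile makes a fresh DEK per file and wraps it for both access paths.
func EncryptFile(plaintext, passphrase, escrowKey []byte) *EncryptedFile {
	dek, salt := randBytes(32), randBytes(16)
	kek := deriveKey(passphrase, salt)
	return &EncryptedFile{Salt: salt, UserSlot: seal(kek, dek), EscrowSlot: seal(escrowKey, dek), Body: seal(dek, plaintext)}
}

// DecryptWithPassphrase is the everyday path: no valid passphrase, no plaintext.
func DecryptWithPassphrase(f *EncryptedFile, passphrase []byte) ([]byte, error) {
	dek, err := open(deriveKey(passphrase, f.Salt), f.UserSlot)
	if err != nil {
		return nil, errors.New("authentication failed: wrong passphrase")
	}
	return open(dek, f.Body)
}

// RecoverWithEscrow is the key-recovery path for a lost passphrase.
func RecoverWithEscrow(f *EncryptedFile, escrowKey []byte) ([]byte, error) {
	dek, err := open(escrowKey, f.EscrowSlot)
	if err != nil {
		return nil, errors.New("recovery failed: wrong escrow key")
	}
	return open(dek, f.Body)
}

func main() {
	escrow := randBytes(32) // constructed stand-in for the IT-held recovery key
	f := EncryptFile([]byte("constructed restricted record"), []byte("correct horse battery"), escrow)
	_, err := DecryptWithPassphrase(f, []byte("wrong passphrase"))
	fmt.Println(err) // authentication failed: wrong passphrase
}
```

The escrow slot is what makes recovery possible without weakening the passphrase path: a wrong passphrase fails at the wrapped data key, so the body is never decrypted, while the unit holding the escrow key can still unwrap the same data key. In a deployment of the kind the requirements describe, the escrow key lives on the management server, not on the laptop, and the passphrase slot is only as strong as the passphrase, which is why slide 41 lists strong passwords as necessary.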
28. Requirements
• Management Capabilities
  – Centrally managed
    • Provide service to campus departments
  – Cooperatively managed
    • Delegated management
  – Delegated management
    • IT managed
    • UW campus or IT department
  – Unmanaged
    • Self-managed
29. Requirements
• Directory Integration
– Diversity on our campuses
– The more varieties the better
• File and Folder encryption
– Don't want to support multiple products
• Leverage our Public Key Infrastructure
– Strong AuthN
31. Approach
• Define the project
• Get Smart!
– Product and Market Analysis
– Requirements Gathering
• Mapped Solutions to Requirements
– Reduce possible solutions to 9
• Team Test of top 2 products
33. Product Selected
• Key Differentiators
– Macintosh on Roadmap
– File/Folder; smartphone encryption too
– Allows for centralized, collaborative and
delegated models
– Management not tied to specific product
– Lots of connectors (or not)
– Small desktop footprint
– Ease of use; understandable
35. Technical Challenges
• Market Turbulence/Definition
– Acquisitions/partnerships
– Many new features being introduced
• Assumes client/server model
– Periodic check in to server
– Delegated/collaborative management
36. Technical Challenges
• Laptop states
– Power off protection
– Screen saver
– Logoff
– Hibernate, Suspend
• Not a panacea
– Still need host hardening
– Power on protection
39. Non-Technical Challenges
Policy
• Where and when to use Full Disk Encryption?
• Where and when to use File/Folder?
• What encryption solutions are acceptable?
• Log in once or twice?
40. Non-Technical Challenges
Centralized service; decentralized campus
• Who pays?
  – Maintenance
    • Running the server
    • Administering the application
    • Managing the service
  – Support
    • Help Desk calls
    • 2nd level technical expertise
  – Licenses
41. Non-Technical Challenges
User Acceptance
• Department IT Staff
  – Willingness to collaborate
• End Users
  – Strong passwords necessary
  – Double authentication with Pre-Boot
  – Initial setup cost: takes time to encrypt
43. What next?
• Two new project teams
  – Policy
  – Support & Best Practices
• Pilot runs through the end of June
  – Evaluating our ability to collaborate as well as the software
  – Initial rollouts of 10-20 laptops
• Report to sponsors with recommendations
• Gradually open up pilot starting in July
44. UW Desktop Encryption Project
Allen Monette, amonette@wisc.edu
Linda Pruss, lmpruss@wisc.edu
Editor's notes
OCIS is out on the two ends with ongoing projects: Find it; Encrypt it. The middle is harder. Restricted data, for us defined by WI Statute, but this can be applied to any data you need to protect.
Two types of encryption: full disk and file/folder.
Endpoints defined. Lost laptops: VA; estimated costs per record are around $200, so for 10,000 records, $2 million.
Lost CDs: British government.
Photo by "Scott Beale / Laughing Squid", laughingsquid.com.
Good solutions integrate with the OS, e.g. added to the right-click context menu; can select files by type, e.g. .doc.
Data at rest. Can also be used for secure HDD disposal.
FDE can't protect a laptop that's on and logged in; FDE doesn't stop unencrypted data from leaving the encrypted drive.
Create charter and solicit a team.
Team Members
Sponsors
Server-based solutions like mywebspace, WebDAV, Novell and Microsoft file servers; incidental, not intended.
(e.g. encrypting the restricted data, but then emailing it unencrypted; strong encryption passwords)
Get SMART
Campus concerns and experiences
Milwaukee … Survey Center … Educause list
Burton Group
Describe quadrants.
Variety of machines supported.
Vista laggards; none, some promised; why important? Why should the audience care?
Key management importance; lost keys mean lost data.
Just encrypted the disk, but then just copy the entire thing to USB in clear text.
Invited vendors for demos/WebEx; gathered additional information; ranked products as demos completed to see what floated to the top.
Get SMART; hands-on test of both products; continued to gather information; decide on product to pilot (license affordable?).
Some are SafeBoot-specific; most would pertain to any product we selected.
Think about any particular challenges you would have with implementation of this kind of product.