Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (10)
Ähnlich wie Encryption
Ähnlich wie Encryption (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Encryption
- 1. UW Desktop Encryption Project UW’s approach to data encryption
- 2. Introductions • Allen Monette - Security Coordinator • Linda Pruss – Security Engineer
- 3. AGENDA • Overview of technology • Endpoint Encryption Project • Challenges/Issues • What’s next
- 4. Effective Practices for Restricted Data Handling Risk Reduction Strategy Risk Assessment Risk Reduction Strategies OR THEN OR
- 6. It’s 3am… Do you know where your laptops are? Full Disk Encryption protects against lost devices
- 7. Would you trust… this guy with your files? File and Folder Encryption protects specific data
- 8. How does it work?
- 9. File encryption Think of file encryption as a secret code A simple code: A=0 B=1 C=2 D=3 Etc A message: 7 4 11 11 14 22 14 17 11 3
- 10. Folder encryption Think of folder encryption as a safe deposit box
- 11. Full Disk Encryption Think of Full Disk Encryption like a bank vault
- 12. How does it really work?
- 13. File and folder Encryption • Encrypts individual files or entire folders • Requires authentication to decrypt and access the files
- 14. Full Disk Encryption • Replaces the master boot record with a special preboot environment • Encrypts the entire hard drive • Preboot Authentication plus OS authentication • Decrypts as files are used
- 15. How to choose between Full Disk and File/Folder?
- 16. When to use Full Disk Encryption Full Disk Encryption protects against lost devices
- 17. When to use file/folder • Need an additional layer of security • Need portability • Need to support removable media
- 19. Charter • • To research tools and methods for encrypting data on desktops and laptops so that risk is reduced if a computer storing restricted data is lost, stolen, compromised or disposed of improperly. Deliverables are : 1) recommend a product for pilot 2) pilot the product 3) recommend final product to sponsors
- 20. Scope • Common desktops operating systems – Macintosh and Windows • Full disk and file/directory level encryption • Removable media devices – USB drives, CDRW • Managed (IT administered) and unmanaged (self-administered) systems
- 21. Out of scope • Encryption of Linux OS, handhelds or smart phones • Hardware encryption • Database encryption • Encryption of server-based solutions • Secure transmission • Secure printing
- 22. Out of scope • End user education • Best practices • Support infrastructure • Policy work
- 23. Approach • Define the project • Get Smart! – Product and Market Analysis – Requirements Gathering
- 24. Get Smart! • Team knowledge and research • NIST document (800-111) – Nov, 2007 – Guide to Storage Encryption Technologies for end user devices – http://csrc.nist.gov/publications/nistpubs/ 800-111/SP800-111.pdf • Campus forum • Leverage others work
- 25. Market Analysis Source: Gartner Group Full report at: http://mediaproducts.gartner.com/reprints/credant/151075.html
- 26. Requirements • Device support – Windows … all flavors – Macintosh – Linux – Smart Phone/Handheld • Industry Standard Encryption – AES 256 – FIPS certified
- 27. Requirements • Key Management – Key backup/escrow mechanisms – Key recovery mechanisms – Key generation mechanisms • Removable Media support – USB disks, etc – CD R/W
- 28. Requirements • Management Capabilities – Centrally managed • Provide service to campus departments – Cooperatively managed • Delegated management – Delegated management • IT managed • UW campus or IT department – Unmanaged • Self-managed
- 29. Requirements • Directory Integration – Diversity on our campuses – The more varieties the better • File and Folder encryption – Don’t want to support multiple product • Leverage our Public Key Infrastructure – Strong AuthN
- 30. Approach • Define the project • Get Smart! – Product and Market Analysis – Requirements Gathering • Mapped Solutions to Requirements – Reduce possible solutions to 9
- 31. Approach • Define the project • Get Smart! – Product and Market Analysis – Requirements Gathering • Mapped Solutions to Requirements – Reduce possible solutions to 9 • Team Test of top 2 products
- 32. Product Selected SafeBoot – http://www.safeboot.com/ – Acquired by McAfee in Q4 2007
- 33. Product Selected • Key Differentiators – Macintosh on Roadmap – File/Folder; smartphone encryption too – Allows for centralized, collaborative and delegated models – Management not tied to specific product – Lots of connectors (or not) – Small desktop footprint – Ease of use; understandable
- 35. Technical Challenges • Market Turbulence/Definition – Acquisitions/partnerships – Many new features being introduced • Assumes client/server model – Periodic check in to server – Delegated/collaborative management
- 36. Technical Challenges • Laptop states – Power off protection – Screen saver – Logoff – Hibernate, Suspend • Not a panacea – Still need host hardening – Power on protection
- 37. Technical Challenges • Authentication – Strong passwords – 2 factor authentication – Integrated Windows AuthN • Synchronization issues • Recovery – User or machine password recovery • Identity proofing – Hardware Failure – Forensics
- 39. Non-Technical Challenges Policy • Where and when to use Full Disk Encryption? • Where and when to use File/Folder? • What encryption solutions are acceptable? • Log in once or twice?
- 40. Non-Technical Challenges Centralized service; decentralized campus • Who pays? • Maintenance • Running the server • Administering the application • Managing the service • Support • Help Desk calls • 2nd level technical expertise • Licenses
- 41. Non-Technical Challenges User Acceptance • Department IT Staff • Willingness to collaborate • End Users • Strong passwords necessary • Double authentication with Pre-Boot • Initial setup cost - takes time to encrypt
- 42. What Next?
- 43. What next? • Two new project teams • Policy • Support & Best Practices • Pilot runs through the end of June • Evaluating our ability to collaborate as well as the software • Initial rollouts of 10-20 laptops • Report to sponsors with recommendations • Gradually open up pilot starting in July
- 44. UW Desktop Encryption Project Allen Monette, amonette@wisc.edu Linda Pruss, lmpruss@wisc.edu
Hinweis der Redaktion
- OCIS is out on the two ends with ongoing projects: Find it; Encrypt it. Middle is harder. Restricted data, for us defined by WI Statue, but can be applied to any data you need to protect. Two types of encryption: full disk and file/folder.
- Endpoints defined. Lost laptops—VA; estimated costs per record are around $200 for 10000 records $2million
- Lost CDs – British government
- Photo by "Scott Beale / Laughing Squid” laughingsquid.com.
- Good solutions integrate with the OS, eg added to right-click context menu; can select files by type, eg .doc
- Data at rest. Can also be used for secure hdd disposal.
- FDE can’t protect a laptop that’s on and logged in; FDE doesn’t stop unencrypted data from leaving the encrypted drive
- Create charter and solicit a team Team Members Sponsors
- Server based solutions like mywebspace, webDAV Novell and Microsoft filie server; Incidental not intended.
- (e.g. encrypting the restricted data, but then emailing it unencrypted; strong encryption passwords)
- Get SMART
- Campus concerns and experiences Milwaukee … Survey Center … Educause list Burton group
- Describe quadrants
- Variety of machines supported Vista laggers; none—some promised; why important? Why should audience care?
- Key management importance; lost keys mean lost data Just encrypted disk, but then just copy the entire thing to USB in clear text
- invited vendors for demos/webex; gathered additional information; ranked products as demos completed see what floated to top
- Get SMART; hands on test of both products; continued to gather information; decide on product to pilot—license affordable?
- Some are Safeboot specific most would pertain to any product we selected. Think about any particular challenges you would have with implementation of this kind of product