Firmin,


We are using encrypted drives on our laptops.  They are the Seagate Momentus 5400 FDE.2 drives that have hardware-based encryption.  We are pretty much a Dell shop, and you can get the drives as an option on some of the newer Latitude D-series and I think on the new E series as well.  We retrofitted all the laptops that were compatible for just under $100 per drive (120GB).  7200rpm drives are coming this fall as I understand it.


You can also get an enterprise version that lets you do all the management, key generation, key storage, and key recovery from a central server (MS-SQL Server 2005 and IIS6 required).  For us to get a 25-user license for the server software, plus maintenance per seat, plus the drives, was under $3000.


Because all the encryption/decryption is done on the drive itself in hardware, there isn’t the performance hit you get with software solutions, and because you have central management of your keys, it really isn’t a big headache to manage.  I’m still getting it all figured out, but you’re welcome to come over and see it in action if you like.  We are also considering a policy that bans unauthorized CDs, DVDs, thumb drives, and other removable media from our computers.  That is still in discussion with the executive management of our department, however!


Eddie Parker is also deploying a messaging security gateway from Proofpoint, which is sort of like a Barracuda that does encryption.  As I understand it, this device will detect sensitive data and ask the user to encrypt it before it will send out the message (if they don’t encrypt it first like they’re supposed to!)  Eddie is very happy with it, and it is up and running in our office now.  We just have to do some user training on it to be fully operational.


Fundamentally, encrypting your storage hardware gives you protection against the physical device being stolen – that is why you see it (software or hardware based) on laptops – they are the most at risk for being stolen.  If a server (or even a desktop) is compromised, you don’t get the benefit of the encryption because the intruder is reading data off the disk based on the credentials they have compromised or the elevated privileges they have gotten.  I suppose you could have designated encrypted areas on a disk that you would have to authenticate to somehow, but that would begin to be a management nightmare on a couple of levels.  I know that we got pinged on an audit for not having encryption on our servers when one of them got compromised a couple of years ago, and both Jim Smith and Phil Burnett were not too keen on putting encryption on servers, and I can understand why.  We still don’t have it on our servers.


VPNs are the obvious solution for encryption over the wire, but that brings in its share of headaches too!


-Scott

HR Systems Development and Support



From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Charlot, Firmin
Sent: Friday, September 12, 2008 12:43 PM
To: [log in to unmask]
Subject: [MSUNAG] Encryption on File servers, desktops and laptops


Encryption is something that I have been thinking about for a while now, and a lot of the solutions that I have seen are extremely user unfriendly, very costly, and sometimes have few management features. Or, if you look at free solutions, there is usually no management of keys, which could be tricky when keys are lost or passwords are forgotten.


Protecting data through encryption is a great way to go, we all can agree there, but as that data moves from servers to laptops and/or to other mobile devices, it can become exposed.


Is anyone encrypting their file servers? If so what are you using?

What about email? Not only on the servers but what about on the desktops?

Is anyone encrypting their laptops’ hard drives?


Firmin Charlot, MCSE, A+, Information Systems Manager

Office of the Vice President for Student Affairs and Services

Educational and Support Services   162 Student Services Building   East Lansing, MI 48824
[log in to unmask]  (517) 432-7541
Submit technical requests at http://help.ess.msu.edu/