Firmin,
We are using encrypted drives on our laptops. They are the Seagate Momentus 5400 FDE.2 drives that have hardware-based encryption. We are pretty much a Dell shop, and you can get the drives as an option on some of the newer Latitude D-series and I think on the new E-series as well. We retrofitted all the laptops that were compatible for just under $100 per drive (120GB). 7200rpm drives are coming this fall as I understand it.
You can also get an enterprise version that lets you do all the management, key generation, key storage, and key recovery from a central server (MS-SQL Server 2005 and IIS6 required). For us to get a 25-user license for the server software, plus maintenance per seat, plus the drives, was under $3000.
Because all the encryption/decryption is done on the drive itself in hardware, there isn’t the performance hit you get with software solutions, and because you have central management of your keys, it really isn’t a big headache to manage. I’m still getting it all figured out, but you’re welcome to come over and see it in action if you like. We are also considering a policy that bans unauthorized CDs, DVDs, thumb drives, and other removable media from our computers. That is still in discussion with the executive management of our department, however!
Eddie Parker is also deploying a messaging security gateway from Proofpoint, which is sort of like a Barracuda that does encryption. As I understand it, this device will detect sensitive data and ask the user to encrypt it before it will send out the message (if they don’t encrypt it first like they’re supposed to!). Eddie is very happy with it, and it is up and running in our office now. We just have to do some user training on it to be fully operational.
Fundamentally, encrypting your storage hardware gives you protection against the physical device being stolen – that is why you see it (software or hardware based) on laptops – they are the most at risk for being stolen. If a server (or even a desktop) is compromised, you don’t get the benefit of the encryption because the intruder is reading data off the disk based on the credentials they have compromised or the elevated privileges they have gotten. I suppose you could have designated encrypted areas on a disk that you would have to authenticate to somehow, but that would begin to be a management nightmare on a couple of levels. I know that we got pinged on an audit for not having encryption on our servers when one of them got compromised a couple of years ago, and both Jim Smith and Phil Burnett were not too keen on putting encryption on servers, and I can understand why. We still don’t have it on our servers.
VPNs are the obvious solution for encryption over the wire, but that brings in its share of headaches too!
-Scott
HR Systems Development and Support
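The outbound check Scott describes for the Proofpoint gateway (detect sensitive data in a message and refuse to relay it until the user encrypts it) is sketched below as an added Python example; it is not Proofpoint's code or anything posted in this thread. It assumes two detectors, SSN format rules and Luhn-checked card numbers, and treats a message as already encrypted if it is S/MIME enveloped data, PGP/MIME, or carries an inline PGP armor block. The sample messages, addresses and numbers are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Detectors (assumed policy for this example; a real gateway ships many more).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")        # 13-19 digits, optional separators
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}  # S/MIME, PGP/MIME


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues, so 000-00-0000 style filler is not flagged."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters order numbers and other 16-digit strings that are not card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) for every valid SSN or Luhn-valid card number in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append(("card", m.group(0)))
    return findings


def plain_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts; attachments and HTML are out of scope here."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def is_encrypted(msg: Message, body: str) -> bool:
    """S/MIME or PGP/MIME by content type, or inline PGP armor in the body."""
    return msg.get_content_type() in ENCRYPTED_TYPES or PGP_ARMOR in body


def inspect(raw: str) -> dict:
    """Gateway decision for one outbound message: deliver, or return it for encryption."""
    msg = message_from_string(raw)
    body = plain_text(msg)
    if is_encrypted(msg, body):
        # Nothing to inspect: the user encrypted first, which is what the policy asks for.
        return {"action": "deliver", "encrypted": True, "findings": []}
    findings = find_sensitive((msg.get("Subject") or "") + "\n" + body)
    action = "return-to-sender" if findings else "deliver"
    return {"action": action, "encrypted": False, "findings": findings}


# Constructed sample messages (not real mail from the thread).
SAMPLES = {
    "ssn_and_card": (
        "From: payroll@example.edu\nTo: vendor@example.com\nSubject: Enrollment form\n\n"
        "SSN 123-45-6789, card 4111 1111 1111 1111 exp 12/10.\n"
    ),
    "clean": (
        "From: scott@example.edu\nTo: firmin@example.edu\nSubject: Lunch?\n\n"
        "Noon works. Call 517-555-0100 if plans change.\n"
    ),
    "luhn_fail": (
        "From: shipping@example.edu\nTo: vendor@example.com\nSubject: Order\n\n"
        "Order 1234 5678 9012 3456 shipped today.\n"
    ),
    "smime": (
        "From: hr@example.edu\nTo: vendor@example.com\nSubject: Enrollment form\n"
        "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\n"
        "Content-Transfer-Encoding: base64\n\nMIAGCSqGSIb3DQEHA6CAMIACAQAxggE=\n"
    ),
    "pgp_inline": (
        "From: hr@example.edu\nTo: vendor@example.com\nSubject: Enrollment form\n\n"
        "-----BEGIN PGP MESSAGE-----\n\nhQEMA3v2ZlOcuHcWAQf9\n-----END PGP MESSAGE-----\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = inspect(raw)
        print(f"{name:12} -> {r['action']:16} encrypted={r['encrypted']} findings={r['findings']}")
```

The Luhn and SSA-range checks are what keep a gateway like this from bouncing every order number or phone number in a message; the constructed "luhn_fail" sample is a 16-digit string that a naive digit-count rule would flag. The "return-to-sender" action is where the user training Scott mentions comes in: the message goes back to the sender with an instruction to encrypt, rather than being silently dropped.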
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Charlot, Firmin
Sent: Friday, September 12, 2008 12:43 PM
To: [log in to unmask]
Subject: [MSUNAG] Encryption on File servers, desktops and laptops
Encryption is something that I have been thinking about for a while now, and a lot of the solutions that I have seen are extremely user-unfriendly, very costly, and sometimes have few management features, OR if you look at free solutions there is usually no management of keys, which could be tricky when keys are lost or passwords are forgotten.
Protecting data through encryption is a great way to go; we can all agree there. But as that data moves from servers to laptops and/or to other mobile devices, it can become exposed.
Is anyone encrypting their file servers? If so, what are you using?
What about email? Not only on the servers, but what about on the desktops?
Is anyone encrypting their laptops’ hard drives?
Firmin Charlot, MCSE, A+, Information Systems Manager
Office of the Vice President for Student Affairs and Services
Educational and Support Services 162
[log in to unmask] (517) 432-7541
Submit technical requests at http://help.ess.msu.edu/