uw desktop encryption project uw's approach to data encryption
TRANSCRIPT
UW Desktop Encryption Project
UW’s approach to data encryption
Introductions
• Allen Monette - Security Coordinator
• Linda Pruss – Security Engineer
AGENDA
• Overview of technology
• Endpoint Encryption Project
• Challenges/Issues
• What’s next
Effective Practices for Restricted Data HandlingRisk Reduction Strategy
OR
ORTHEN
Risk Reduction Strategies Risk Assessment
Why Encryption?
It’s 3am…
Do you know where your laptops are?
Full Disk Encryption protects against lost devices
Would you trust…
this guy with your files?
File and Folder Encryption protects specific data
How does it work?
File encryption
Think of file encryption as a secret code
A simple code:A=0B=1C=2D=3Etc
A message:7 4 11 11 1422 14 17 11 3
Folder encryption
Think of folder encryption as a safe deposit box
Full Disk Encryption
Think of Full Disk Encryption like a bank vault
How does it really work?
File and folder Encryption
• Encrypts individual files or entire folders• Requires authentication to decrypt and access the
files
Full Disk Encryption
• Replaces the master boot record with a special pre-boot environment
• Encrypts the entire hard drive• Preboot Authentication plus OS authentication• Decrypts as files are used
How to choose between Full Disk and File/Folder?
When to use Full Disk Encryption
Full Disk Encryption protects against lost devices
When to use file/folder
• Need an additional layer of security• Need portability• Need to support removable media
Endpoint Encryption Project
Charter
• To research tools and methods for encrypting data on desktops and laptops so that risk is reduced if a computer storing restricted data is lost, stolen, compromised or disposed of improperly.
• Deliverables are :
1) recommend a product for pilot 2) pilot the product3) recommend final product to sponsors
Scope
• Common desktops operating systems– Macintosh and Windows
• Full disk and file/directory level encryption
• Removable media devices – USB drives, CDRW
• Managed (IT administered) and unmanaged (self-administered) systems
Out of scope
• Encryption of Linux OS, handhelds or smart phones
• Hardware encryption• Database encryption• Encryption of server-based solutions• Secure transmission • Secure printing
Out of scope
• End user education
• Best practices
• Support infrastructure
• Policy work
Approach
• Define the project
• Get Smart!– Product and Market Analysis– Requirements Gathering
Get Smart!
• Team knowledge and research• NIST document (800-111) – Nov, 2007
– Guide to Storage Encryption Technologies for end user devices
– http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
• Campus forum• Leverage others work
Market AnalysisSource: Gartner GroupFull report at: http://mediaproducts.gartner.com/reprints/credant/151075.html
Requirements
• Device support– Windows … all flavors– Macintosh – Linux– Smart Phone/Handheld
• Industry Standard Encryption– AES 256– FIPS certified
Requirements
• Key Management– Key backup/escrow mechanisms– Key recovery mechanisms– Key generation mechanisms
• Removable Media support– USB disks, etc– CD R/W
Requirements
• Management Capabilities– Centrally managed
• Provide service to campus departments
– Cooperatively managed • Delegated management
– Delegated management• IT managed • UW campus or IT department
– Unmanaged• Self-managed
Requirements
• Directory Integration– Diversity on our campuses– The more varieties the better
• File and Folder encryption– Don’t want to support multiple product
• Leverage our Public Key Infrastructure– Strong AuthN
Approach
• Define the project
• Get Smart!– Product and Market Analysis– Requirements Gathering
• Mapped Solutions to Requirements– Reduce possible solutions to 9
Approach
• Define the project• Get Smart!
– Product and Market Analysis– Requirements Gathering
• Mapped Solutions to Requirements– Reduce possible solutions to 9
• Team Test of top 2 products
Product Selected
SafeBoot– http://www.safeboot.com/– Acquired by McAfee in Q4 2007
Product Selected
• Key Differentiators
– Macintosh on Roadmap– File/Folder; smartphone encryption too– Allows for centralized, collaborative and
delegated models– Management not tied to specific product– Lots of connectors (or not)– Small desktop footprint– Ease of use; understandable
Challenges/Issues
Technical Challenges
• Market Turbulence/Definition– Acquisitions/partnerships– Many new features being introduced
• Assumes client/server model– Periodic check in to server– Delegated/collaborative management
Technical Challenges
• Laptop states– Power off protection– Screen saver– Logoff– Hibernate, Suspend
• Not a panacea– Still need host hardening– Power on protection
Technical Challenges
• Authentication– Strong passwords– 2 factor authentication– Integrated Windows AuthN
• Synchronization issues
• Recovery – User or machine password recovery
• Identity proofing
– Hardware Failure– Forensics
•
Non-Technical Challenges
Non-Technical Challenges
Policy• Where and when to use Full Disk
Encryption?• Where and when to use File/Folder?• What encryption solutions are
acceptable?• Log in once or twice?
Non-Technical Challenges
Centralized service; decentralized campus• Who pays?• Maintenance
• Running the server• Administering the application• Managing the service
• Support• Help Desk calls• 2nd level technical expertise
• Licenses
Non-Technical Challenges
User Acceptance• Department IT Staff• Willingness to collaborate
• End Users• Strong passwords necessary• Double authentication with Pre-Boot• Initial setup cost - takes time to encrypt
What Next?
What next?
• Two new project teams• Policy• Support & Best Practices
• Pilot runs through the end of June• Evaluating our ability to collaborate as well as the
software• Initial rollouts of 10-20 laptops• Report to sponsors with recommendations
• Gradually open up pilot starting in July
