UW Desktop Encryption Project UW's approach to data encryption
  • OCIS is out on the two ends with ongoing projects: Find it; Encrypt it. The middle is harder. Restricted data is, for us, defined by WI statute, but the approach can be applied to any data you need to protect. Two types of encryption: full disk and file/folder.
  • Endpoints defined. Lost laptops (VA); estimated costs per record are around $200, so for 10,000 records, $2 million.
  • Lost CDs – British government
  • Photo by "Scott Beale / Laughing Squid", laughingsquid.com.
  • Good solutions integrate with the OS, e.g. added to the right-click context menu; can select files by type, e.g. .doc
  • Data at rest. Can also be used for secure HDD disposal.
  • FDE can’t protect a laptop that’s on and logged in; FDE doesn’t stop unencrypted data from leaving the encrypted drive
  • Create charter and solicit a team: team members, sponsors
  • Server-based solutions like mywebspace, WebDAV, Novell and Microsoft file server; incidental, not intended.
  • (e.g. encrypting the restricted data, but then emailing it unencrypted; strong encryption passwords)
  • Get SMART
  • Campus concerns and experiences: Milwaukee … Survey Center … Educause list, Burton Group
  • Describe quadrants
  • Variety of machines supported Vista laggers; none—some promised; why important? Why should audience care?
  • Key management importance; lost keys mean lost data. Just encrypted disk, but then just copy the entire thing to USB in clear text.
  • Invited vendors for demos/WebEx; gathered additional information; ranked products as demos completed to see what floated to the top
  • Get SMART; hands-on test of both products; continued to gather information; decide on product to pilot. License affordable?
  • Some are SafeBoot-specific; most would pertain to any product we selected. Think about any particular challenges you would have with implementation of this kind of product.

Presentation Transcript

  • UW Desktop Encryption Project UW’s approach to data encryption
  • Introductions
    • Allen Monette - Security Coordinator
    • Linda Pruss – Security Engineer
    • Overview of technology
    • Endpoint Encryption Project
    • Challenges/Issues
    • What’s next
  • Effective Practices for Restricted Data Handling [diagram; labels: Risk Assessment, Risk Reduction Strategies]
  • Why Encryption?
  • It’s 3am …
    • Do you know where your laptops are?
    Full Disk Encryption protects against lost devices
  • Would you trust…
      • this guy with your files?
    File and Folder Encryption protects specific data
  • How does it work?
  • File encryption
    • Think of file encryption as a secret code
    A simple code: A=0, B=1, C=2, D=3, etc.
    A message: 7 4 11 11 14 22 14 17 11 3
  • Folder encryption
    • Think of folder encryption as a safe deposit box
  • Full Disk Encryption
    • Think of Full Disk Encryption like a bank vault
  • How does it really work?
  • File and folder Encryption
    • Encrypts individual files or entire folders
    • Requires authentication to decrypt and access the files
  • Full Disk Encryption
    • Replaces the master boot record with a special pre-boot environment
    • Encrypts the entire hard drive
    • Preboot Authentication plus OS authentication
    • Decrypts as files are used
  • How to choose between Full Disk and File/Folder?
  • When to use Full Disk Encryption
    Full Disk Encryption protects against lost devices
  • When to use file/folder
    • Need an additional layer of security
    • Need portability
    • Need to support removable media
  • Endpoint Encryption Project
  • Charter
    • To research tools and methods for encrypting data on desktops and laptops so that risk is reduced if a computer storing restricted data is lost, stolen, compromised or disposed of improperly.
    • Deliverables are:
      • recommend a product for pilot
      • pilot the product
      • recommend final product to sponsors
  • Scope
    • Common desktop operating systems
      • Macintosh and Windows
    • Full disk and file/directory level encryption
    • Removable media devices
      • USB drives, CDRW
    • Managed (IT administered) and unmanaged (self-administered) systems
  • Out of scope
    • Encryption of Linux OS, handhelds or smart phones
    • Hardware encryption
    • Database encryption
    • Encryption of server-based solutions
    • Secure transmission
    • Secure printing
  • Out of scope
    • End user education
    • Best practices
    • Support infrastructure
    • Policy work
  • Approach
    • Define the project
    • Get Smart!
      • Product and Market Analysis
      • Requirements Gathering
  • Get Smart!
    • Team knowledge and research
    • NIST document (800-111) – Nov, 2007
      • Guide to Storage Encryption Technologies for end user devices
      • http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
    • Campus forum
    • Leverage others' work
  • Market Analysis (Source: Gartner Group; full report at: http://mediaproducts.gartner.com/reprints/credant/151075.html)
  • Requirements
    • Device support
      • Windows … all flavors
      • Macintosh
      • Linux
      • Smart Phone/Handheld
    • Industry Standard Encryption
      • AES 256
      • FIPS certified
  • Requirements
    • Key Management
      • Key backup/escrow mechanisms
      • Key recovery mechanisms
      • Key generation mechanisms
    • Removable Media support
      • USB disks, etc
      • CD R/W
  • Requirements
    • Management Capabilities
      • Centrally managed
        • Provide service to campus departments
      • Cooperatively managed
        • Delegated management
      • Delegated management
        • IT managed
        • UW campus or IT department
      • Unmanaged
        • Self-managed
  • Requirements
    • Directory Integration
      • Diversity on our campuses
      • The more varieties the better
    • File and Folder encryption
      • Don’t want to support multiple products
    • Leverage our Public Key Infrastructure
      • Strong AuthN
  • Approach
    • Define the project
    • Get Smart!
      • Product and Market Analysis
      • Requirements Gathering
    • Mapped Solutions to Requirements
      • Reduce possible solutions to 9
  • Approach
    • Define the project
    • Get Smart!
      • Product and Market Analysis
      • Requirements Gathering
    • Mapped Solutions to Requirements
      • Reduce possible solutions to 9
    • Team Test of top 2 products
  • Product Selected
    • SafeBoot
      • http://www.safeboot.com/
      • Acquired by McAfee in Q4 2007
  • Product Selected
    • Key Differentiators
      • Macintosh on Roadmap
      • File/Folder; smartphone encryption too
      • Allows for centralized, collaborative and delegated models
      • Management not tied to specific product
      • Lots of connectors (or not)
      • Small desktop footprint
      • Ease of use; understandable
  • Challenges/Issues
  • Technical Challenges
    • Market Turbulence/Definition
      • Acquisitions/partnerships
      • Many new features being introduced
    • Assumes client/server model
      • Periodic check in to server
      • Delegated/collaborative management
  • Technical Challenges
    • Laptop states
      • Power off protection
      • Screen saver
      • Logoff
      • Hibernate, Suspend
    • Not a panacea
      • Still need host hardening
      • Power on protection
  • Technical Challenges
    • Authentication
      • Strong passwords
      • 2 factor authentication
      • Integrated Windows AuthN
        • Synchronization issues
    • Recovery
      • User or machine password recovery
        • Identity proofing
      • Hardware Failure
      • Forensics
  • Non-Technical Challenges
  • Non-Technical Challenges
    • Policy
    • Where and when to use Full Disk Encryption?
    • Where and when to use File/Folder?
    • What encryption solutions are acceptable?
    • Log in once or twice?
  • Non-Technical Challenges
    • Centralized service; decentralized campus
      • Who pays?
        • Maintenance
          • Running the server
          • Administering the application
          • Managing the service
        • Support
          • Help Desk calls
          • 2nd-level technical expertise
        • Licenses
  • Non-Technical Challenges
    • User Acceptance
      • Department IT Staff
        • Willingness to collaborate
      • End Users
        • Strong passwords necessary
        • Double authentication with Pre-Boot
        • Initial setup cost - takes time to encrypt
  • What Next?
  • What next?
    • Two new project teams
      • Policy
      • Support & Best Practices
    • Pilot runs through the end of June
      • Evaluating our ability to collaborate as well as the software
      • Initial rollouts of 10-20 laptops
      • Report to sponsors with recommendations
    • Gradually open up pilot starting in July
  • UW Desktop Encryption Project Allen Monette, [email_address] Linda Pruss, lmpruss@wisc.edu