INFORMATION TECHNOLOGY SECURITY SERVICES
http://safecomputing.umich.edu

Mobile Device Security FAQs for IT Pros

Protecting Data at Rest: Guidance for the Encryption of Sensitive Data on Laptops & USB Flash Drives
Contents

General Topics
  I don’t have time to read all this. Just tell me what to do.
  What is a mobile device?
  What is mobile device security?
  Why should I care about mobile device security?
  What are some best practices using mobile devices?
Encryption
  How do I provide mobile device security?
  What is encryption?
  Why can’t I just password protect my laptop?
  Why is encryption so important?
  Do I need to encrypt my data?
  What data is considered “sensitive”?
  What should I look for in an encryption solution?
  Explain file/folder-level encryption versus full-drive encryption
  How do I decide between file/folder-level encryption and full-drive encryption?
  What encryption solutions are out there?
  What is meant by virtual disk encryption?
  Your encryption solution matrix only references four parameters. What other variables should I consider when evaluating an encryption solution?
  Why should I pay for a third-party solution when encryption is built in to Windows/Mac?
Encryption for Windows
  What encryption solutions are built in to Windows?
  What’s the difference between EFS and BitLocker?
  Can EFS and BitLocker be used together?
  Why would I use both EFS and BitLocker?
  I’m purchasing new laptops. What should I get to run BitLocker?
  How do I use BitLocker?
  How do I use EFS?
Encryption for Macs
  What encryption solution is built in to the Macintosh?
  What’s the difference between FileVault and Disk Utility?
  Can FileVault and Disk Utility be used together?
  Why would I use both FileVault and Disk Utility?
  How do I use the Macintosh Disk Utility to encrypt data?
USB Flash Drive Encryption
  What about USB flash drive encryption? What are the decision factors?
  Which USB flash drives have encryption software built in?
  What are some concerns with purchasing a secure flash drive?
Physical Protection
  What about “LoJack” type (device recovery) solutions?
  What about remote erasure solutions?
  How do I securely dispose of or recycle a mobile device?
General Topics

I don’t have time to read all this. Just tell me what to do.

First, avoid storing sensitive data on mobile devices. If you must store sensitive data on mobile devices (particularly laptops and USB flash drives), use the encryption software that is already built in to those devices:

• If your laptops are running Windows XP SP2, use EFS (Encrypting File System), as explained here: http://www.safecomputing.umich.edu/tools/download/securityshorts_encrypt_docs_windows.pdf
• If your laptops are running Windows Vista Enterprise or Ultimate Edition, use BitLocker, as explained here: http://www.safecomputing.umich.edu/tools/security_shorts.html
• If your laptops are running a version of Windows Vista other than Enterprise or Ultimate, upgrade to Enterprise or Ultimate.
• If you’re using a Macintosh, use FileVault, which can be found in System Preferences under Security.
• If you will be purchasing a PC-based laptop, we recommend any Dell Latitude, which will meet the following requirements:
  o It meets the minimum hardware requirements for Windows Vista (http://go.microsoft.com/fwlink/?LinkId=83233)
  o It has a TPM 1.2 chip (TPM stands for Trusted Platform Module)
  o It has a TCG-compliant BIOS (TCG stands for Trusted Computing Group)
• If you need to store data on a USB flash drive, we recommend the Lexar JumpDrive with the Secure II Software v2.0 encryption software. This USB flash drive can be used with both Windows and Macs (Windows 2000 SP4, Windows XP SP2, Vista, and Mac OS X v10.4+). Instructions for setting up the encryption can be found here: http://www.safecomputing.umich.edu/tools/download/securityshorts_encrypt_thumbdrive.pdf

What is a mobile device?

Mobile devices include portable computers (such as laptops, notebooks, and tablet PCs); handheld devices (such as Personal Digital Assistants (PDAs), SmartPhones, and BlackBerries); and portable storage devices such as USB flash drives (aka thumb drives) or USB hard drives. For the purposes of this document, we have limited the scope of our recommendations to laptops and USB flash drives.

What is mobile device security?

Mobile device security refers to those tools and techniques that are particularly useful for mitigating the types of threats mobile devices are commonly exposed to, specifically theft, loss, and communication over insecure public networks such as the Internet or wireless hotspots.

Why should I care about mobile device security?

Liability and privacy are the primary drivers for mobile device security. As of Fall 2007, at least 35 states (including Michigan) require businesses and state agencies (including public universities) to publicly disclose security breaches involving personal information. This notification process is costly not only in terms of pure process, but also in negative publicity. Additionally, if you are a researcher, a faculty or staff member, or an IT professional, there are further reasons you should care about mobile device security (and this FAQ):

Researcher
• You don’t want to lose your research data.
• You don’t want your research data to fall into the wrong hands.
• You don’t want to put your research subjects in jeopardy.
• You don’t want lack of proper security controls to be a factor in getting a research grant.
• You don’t want lack of proper security controls to stall the IRB approval process.
• You don’t want yourself or the University to be liable with respect to regulations that cover certain types of research data. For example, the Health Insurance Portability and Accountability Act (HIPAA) may apply to certain types of human subject research.

Faculty or Staff Member
• If you store any “institutional” data on a mobile (or any other) device, then you have an obligation and a job responsibility to protect that resource appropriately and in accordance with applicable laws and regulations. See SPG 601.12 for further information, including a definition of “institutional” data.

IT Professional
• There are no University-wide mandates or required products for the protection of sensitive data on mobile (or any other) devices. Thus, you should become familiar with the risks that are present in your environment as well as the options for mitigating those risks.

What are some best practices using mobile devices?
Follow these best practices for physically securing your mobile device:

• Don’t store sensitive data on your mobile device in the first place!
• Do not leave your laptop unattended. Lock your office or lab when you leave.
• Use a laptop lock at your workstation, or lock the laptop out of sight if you are traveling with it.
• Be particularly cautious about keeping your laptop safe in airports and other public places.
• Use a strong password: more than eight characters, with a combination of upper- and lower-case letters, symbols and numerals.
• Keep software up to date. For more information, see: http://www.safecomputing.umich.edu/tools/download/securityshorts_essentials_homepc.pdf
• Use a host-based firewall. For more information, see: http://www.safecomputing.umich.edu/tools/download/securityshorts_essentials_homepc.pdf
• Install anti-virus software. For more information, see: http://www.safecomputing.umich.edu/tools/download/securityshorts_essentials_homepc.pdf

Encryption

How do I provide mobile device security?

The short answer is encryption. Encrypt data at rest and encrypt data in motion.¹ Encryption mitigates the most prevalent threats associated with mobile devices. Encrypting data at rest mitigates the disclosure of data when a mobile device is lost or stolen. Encrypting data in motion mitigates the threats (e.g. eavesdropping) associated with the transmission of sensitive data over the insecure public networks that mobile devices often connect to.

Encryption, of course, does not address every mobile device concern. For example, encryption does nothing to prevent a mobile device from being lost or stolen in the first place. This FAQ talks about other safeguards that can be used in conjunction with encryption to address a range of mobile device concerns.

What is encryption?

Encryption scrambles data in a way that it can only be read by someone who possesses the corresponding decryption key. If an unauthorized individual obtains access to a device with encrypted data, but does not have the decryption key, they see only random gibberish instead of sensitive data. Note that this protection holds only while the key is out of the attacker’s reach: a laptop lost while powered on or in standby with its encrypted volume already unlocked can expose the data regardless of encryption (see the hibernation-versus-standby note under Technical Nuances later in this FAQ).

¹ Data at rest is data that is stored on some physical storage medium like a hard disk, flash drive, or DVD. Data in motion refers to data that is traveling as packets through a network, e.g. as an email makes its way across the Internet. Note that data on a thumb drive is considered data at rest even though the thumb drive itself may be mobile.
Why can’t I just password protect my laptop?

Using a “boot” (BIOS) password and/or account password along with a password-protected screensaver is a recommended best practice for keeping honest people honest. These boot or logon passwords, however, do nothing to prevent an individual from accessing a hard drive if they want to: to bypass a boot password, all someone has to do is put the hard drive in another machine. To bypass an account password, someone can simply boot from a different disk (a CD or USB drive) and read the file system directly; the operating system that enforces the password is never running. In short, passwords provide no protection when physical security is breached, as in the case of a stolen, lost, or confiscated device.

Why is encryption so important?

Besides actually protecting confidential data from unauthorized disclosure, encryption has the added benefit of saving you the cost and embarrassment of having to notify potentially affected individuals when your mobile device is lost, stolen, confiscated, etc. Because a properly implemented encryption solution is recognized as an adequate protection mechanism against even a determined attacker, most notification laws provide for an exemption if sensitive data on a lost or stolen device is encrypted (provided the decryption key was not lost along with it). Due to the high costs and negative publicity of notification, along with the potential fines and legal ramifications associated with a sensitive data breach, encryption of sensitive data is often cost justified.

Do I need to encrypt my data?

If it’s sensitive and mobile, you should encrypt it. Of course, there are other scenarios that also warrant encryption, but this FAQ is focused on protecting sensitive data on mobile devices.

What data is considered “sensitive”?

Sensitive data is defined as data whose unauthorized disclosure may have a serious adverse effect on the University’s reputation, resources, services, or individuals. The following link has further information: https://www.itss.umich.edu/umonly/documents/Data%20Classifications.pdf

What should I look for in an encryption solution?

Deciding on an encryption solution can depend on a lot of factors. Some decision points, such as usability, cost, and platform support, are easy to understand. Other decision factors, such as algorithm support, are complicated but less interesting because, in the end, different solutions will support the same techniques. One influential parameter that is worth understanding further is the approach used to secure the files on disk. The two competing philosophies are file/folder-level encryption and full-drive encryption. These two approaches are explained in further detail below.
Explain file/folder-level encryption versus full-drive encryption

File/folder-level encryption is selective. It allows specific files to be encrypted, or it allows a container (i.e. a folder or directory) to be created such that files saved in the container are encrypted. Full-drive encryption, on the other hand, encrypts all the sectors on a disk or disk volume. Thus, a full-drive encryption solution will encrypt operating system files, applications, system settings, and cache files in addition to the specific sensitive data files.

The benefit most often cited for full-drive encryption over file/folder-level encryption is that full-drive encryption leaves less doubt about whether all instances of sensitive data were actually encrypted. This is because operating systems and applications write data in caches, temp directories, page files, hibernation files and other areas that are difficult to identify, let alone selectively encrypt. Furthermore, humans make mistakes: users may simply forget to store sensitive data in the right (encrypted) folder. Techniques and solutions exist to mitigate all of these file/folder-level shortcomings, but such solutions are typically only viable in “managed” environments where the mobile devices are managed by an IT department and end users do not log in with administrative privileges.

How do I decide between file/folder-level encryption and full-drive encryption?²

First, make sure you have a choice. Your unit, or authoritative compliance office, may already mandate a specific encryption approach. If the file/folder versus full-drive approach has not already been decided, we offer the following guidance. If both approaches are available for effectively the same cost,³ then use the full-drive encryption approach. However, if the cost of full-drive encryption significantly outweighs the cost of file/folder-level encryption, then that cost needs to be weighed against the likelihood and incremental impact of a lost or stolen laptop. When considering this trade-off, we offer these baseline recommendations:

• If the data being encrypted is subject to legal or regulatory requirements and that data is newsworthy in terms of quantity, then strive to use the full-drive encryption approach.
• Even if the data is not regulated, if its unauthorized access would have a significant impact on people’s lives or on the reputation or mission of the University, then strive to use the full-drive encryption approach.

Full-drive encryption is recommended for regulated environments because, as explained in the answer to the previous question, full-drive encryption reduces the doubts that people (users, administrators, auditors, investigators, customers, research subjects, etc.) have regarding the possible exposure of sensitive data when the device is lost or stolen. In fact, in Japan, only the full-drive encryption approach is recognized as sufficient for avoiding notification when a device containing private personal information is lost or stolen.⁴

That being said, highly “managed” environments which are run by an IT department supporting end users that do not have administrative rights may be able to successfully deploy a policy-based file/folder-level encryption solution even for regulated or other highly sensitive data. For these environments, a good centrally managed, policy-based file/folder encryption solution may be as transparent and demonstrably comprehensive as the full-drive encryption approach, but the IT department should convince themselves of that.

² File/folder and full-drive encryption are not necessarily mutually exclusive. However, this FAQ does not discuss using both approaches simultaneously because this FAQ is concerned primarily with the threat of information disclosure due to a lost, stolen, or confiscated laptop, and either approach may be used, by itself, to mitigate this threat.

³ Cost includes administrative, operational and performance costs in addition to outright hardware and software costs.

What encryption solutions are out there?

The following table provides information regarding encryption solutions offered by various vendors in the Fall of 2007. Use the table to narrow down your options based on the following parameters:

• File/Folder versus Full-Drive Encryption – As noted earlier, rely on a full-drive encryption solution unless you are in a highly managed environment where centralized policies and reporting capabilities increase the likelihood that sensitive data is actually being encrypted.
• Platform (Windows, Macintosh, Linux) – Obviously, the chosen solution needs to run on the hardware and operating system that you have. When available, we’ve tried to include more detailed information in the Notes column regarding specific versions supported within a given platform. Always check with the vendor, however, to get the most up-to-date, definitive version information. In general, you can assume that Windows includes (or will soon include) Windows Vista.
• Consider for Managed/Unmanaged Environments – These two columns distinguish products based on their target markets. “Consider for Managed Environments” means you should consider the product only if you have an IT department that provides an infrastructure for and centrally manages end-user desktops. “Consider for Unmanaged Environments” means the product is more likely to be successfully used by end users that manage their own desktops. When a single product is listed in the table as meeting both criteria, it is likely part of a “product line” that, e.g., may include a personal edition along with an enterprise edition.

⁴ http://www.busmanagement.com/pastissue/article.asp?art=269724&issue=222
• Notes – The Notes column includes additional information readily gleaned from the vendor’s web site regarding additional or limited functionality not covered by the other columns. Absence of a note does not mean there is nothing noteworthy (either positive or negative) about the product; it most likely means the web site is less forthcoming with information.
• License Cost – In this version of the FAQ, the License Cost column is used to distinguish “free” products from products that require an additional capital expenditure.

The columns of the original matrix are Vendor; Product or Product Line; File/Folder; Full-Drive; Windows; Mac; Linux; Consider for Managed Environments; Consider for Unmanaged Environments; License Cost; and Notes. The check-mark columns are not reproduced in this transcript; the Vendor, Product, License Cost and Notes columns follow, one product per entry.

• Apple – FileVault – Free (built-in) – Encrypts the user’s home directory.
• Apple – Disk Utility – Free (built-in) – File/folder-level encryption is provided via virtual disk encryption.
• Authenex – HDLock – $$$ – Uses “two-factor” authentication to encrypt/decrypt.
• Authenex – ASafe – $$$ – Uses “two-factor” authentication to encrypt/decrypt.
• Beachhead – Lost Data Destruction – $$$ – Also supports the concept of “data destruction” for lost or stolen devices. However, if you only plan on using the encryption feature, compare with the Microsoft Data Encryption Toolkit: the Beachhead solution simply uses policies to manage EFS, which is the same approach taken by the Data Encryption Toolkit, which is free. The Beachhead solution is also resold by Iron Mountain under the “Data Defense” brand.
• BeCrypt – DISK Protect – $$$ – Solutions also available for PDAs (Personal Digital Assistants) and USB flash drives.
• CE Infosys – Compusec – Free – Linux = Red Hat and SuSE.
• CE Infosys – Compusec Mobile – $$$ – Adds support for hardware-based encryption. Linux = 2.4 and 2.6 kernels.
• Check Point – Pointsec PC – $$$ – Linux = 2.6.4 or higher kernel; Red Hat, SuSE 9.x, RHEL4, NLD. Check Point also has separate products for PDA and USB encryption: “Pointsec Mobile” for encryption on PDAs and SmartPhones, and “Pointsec Protector” for encryption of USB flash drives.
• CREDANT Technologies – CMG – $$$ – Policy-based file/folder encryption. Also supports encryption for PDAs and USB flash drives.
• Entrust – Entelligence Disk Security – $$$ – Based on Pointsec for PC technology.
• Entrust – Entelligence Media Security – $$$ – Based on Pointsec Media technology.
• GNU – Privacy Guard (GPG) – Free (open source) – Expert-only encryption solution designed to be compliant with the OpenPGP standard and thus compatible with PGP.
• GuardianEdge – Data Protection Platform – $$$ – Also has a Removable Storage Encryption solution under the same Data Protection Platform.
• Iron Mountain – Data Defense – $$$ – Data Defense also supports the concept of “data destruction” for lost or stolen devices. However, if you plan on using only the encryption feature, compare with the Microsoft Data Encryption Toolkit: Iron Mountain simply uses policies to manage EFS, which is the same approach taken by the Data Encryption Toolkit, which is free. Secondly, the Iron Mountain solution is a repackaging of the Beachhead solution, so consider sourcing it from the original vendor instead.
• Information Security Corporation – SecretAgent – $$$ – Also supports Unix flavors and Pocket PCs.
• Information Security Corporation – SpyProof! – $$$ – Allows mounting of an encrypted virtual disk.
• Microsoft – EFS – Free (built-in) – EFS is not supported on the Home Edition of XP or the Basic Edition of Vista.
• Microsoft – Data Encryption Toolkit – Free – Centrally manage EFS encryption via Group Policy.
• Microsoft – BitLocker – Free (built-in) – Windows = Vista Ultimate and Enterprise Editions only.
• Mobile Armor – Data Armor – $$$ – Linux = Red Hat 3.0. Also supports Windows Mobile, Palm OS and RIM BlackBerry.
• Mobile Armor – File Armor – $$$ – Also supports USB flash drives.
• PGP – Whole Disk Encryption – $$$ – Full-drive encryption on the Mac is for non-boot disks only. File/folder-level encryption is provided via virtual disk encryption, which can be used to encrypt USB flash drives. Includes support for secure delete. Managed environments may want to combine it with PGP Universal Server.
• PGP – Desktop Professional – $$$ – Same as PGP Whole Disk Encryption, but adds support for encrypting email.
• SafeBoot – Device Encryption for PC – $$$ – Device encryption for Palm OS, Pocket PC, Symbian, Tablet PC, and Windows Mobile also available.
• SafeBoot – Content Encryption – $$$ – “…the solution is powered by SafeBoot® Persistent Encryption Technology™ (PET), so files and folders remain encrypted regardless of where they are copied or saved, even if they are attached to an e-mail, are used in terminal services environments, or are stored on removable media such as USB memory sticks, CDs, or DVDs.”
• SafeNet – ProtectDrive – $$$ – Supports encryption of data on USB flash drives.
• SafeNet – ProtectFile – $$$ – Supports encryption of data on file servers and USB flash drives.
• TrueCrypt – TrueCrypt – Free (open source) – Full-drive encryption only applies to non-OS partitions. File/folder encryption is via virtual disk.
• Utimaco Safeware – SafeGuard Easy – $$$
• Utimaco Safeware – SafeGuard PrivateDisk – $$$ – Virtual disk solution available in an Enterprise and a “Personal” edition.
• WinMagic – SecureDoc – $$$ – Corporate and Personal Editions available.

What is meant by virtual disk encryption?

Virtual disk encryption is a technique for providing file/folder-level encryption. Virtual disk encryption works by creating a single encrypted file and making that one file appear to be an entirely new disk volume (or, in Windows, a drive letter). Files that are then copied to that disk volume (drive letter) are automatically encrypted. When evaluating a file/folder-level encryption solution that uses the virtual disk approach, be cognizant of the following:

• Can’t encrypt “home directories” – Virtual disk solutions require you to create a single file which is then “mounted” to appear as a separate disk. This approach precludes the ability to encrypt the user’s “home directory” or “user profile,” which is where sensitive data in the form of documents and temporary files is saved by default.
• Dynamic versus static virtual disks – Is the size of the virtual disk file static or dynamic? In other words, can the size of the virtual disk change over time, or must you anticipate and reserve the size you think you are going to need?

Your encryption solution matrix only references four parameters. What other variables should I consider when evaluating an encryption solution?

• Scope (range of devices)
• Key management
  o Generation, storage, caching, recovery
• Backup
  o Key recovery vs. data recovery
• Algorithm support
• Ease of use
• Manageability
• Company viability
• Technical nuances
  o Hibernation versus standby, etc.
  o Virtual disk space utilization
  o Two-factor authentication (2FA)

Why should I pay for a third-party solution when encryption is built in to Windows/Mac?

In order to survive, third-party (add-on) solutions must provide value add that is significantly beyond what is already built in to the operating system. Therefore, you should thoroughly understand your security requirements, and you should thoroughly understand the capabilities of the solutions that are already built in to your operating system. If your requirements are not already met by the operating system AND the cost associated with a third-party solution is worth the incremental⁵ benefit, then you may want to consider investing in the third-party solution.

⁵ i.e. the third-party solution is “cost effective.” Mathematically, “cost effective” means the incremental benefit exceeds the cost: (Benefit of 3rd-party solution – Benefit of built-in solution) / Cost of 3rd-party solution > 1.
Over time, purchasing a third-party solution will become harder to justify as the built-in solutions become better, more comprehensive, and ubiquitous. Here are some scenarios, however, that may justify a third-party solution in the near term:

• I need full-drive encryption for XP since I can’t upgrade to Vista – Since Windows XP only supports file/folder-level encryption natively, if you can’t upgrade to Vista, then you would need to purchase a third-party solution to provide full-drive encryption instead.
• I need full-drive encryption for Macintosh – Like Windows XP, the Macintosh only has file/folder-level encryption built in. Thus, you would need to purchase a third-party solution to provide full-drive encryption for the Macintosh. As noted in the table above, however, we are unaware of any third-party solution that will provide full-drive encryption for the Macintosh OS volume. Thus, if full-drive encryption is mandated or otherwise required, you would need to leverage a different platform.
• Too many different built-in solutions – If you need to support an extremely heterogeneous environment of platforms, platform versions, and mobile devices, you may want to standardize on a third-party solution to provide consistency for end users, administrators, or both.
• Value add – Third-party encryption solutions may provide some additional related capabilities that you either need or want. For example: laptop recovery, remote disk wiping, secure delete, email integration, port control, ease of use, better management, etc.

Encryption for Windows

What encryption solutions are built in to Windows?

There are two encryption options to consider in Windows environments: EFS and BitLocker.

• EFS (Encrypting File System) is available in Windows 2000 and up, including Windows Vista.⁶ EFS provides file/folder-level encryption on a per-user basis.
• BitLocker is available in the Ultimate and Enterprise editions of Windows Vista and provides full-drive encryption for all users.

⁶ EFS is not available in Windows XP Home Edition or Windows Vista Basic Edition.

What’s the difference between EFS and BitLocker?

EFS provides file/folder-level encryption. BitLocker provides full-drive encryption. The difference between file/folder encryption and full-drive encryption is explained earlier in this FAQ (see Explain file/folder-level encryption versus full-drive encryption). Additionally, EFS encrypts files on a per-user basis, so that each user of a given machine can encrypt files independently of other users. In contrast, BitLocker encrypts all system, application and data files for all users of the system.

Can EFS and BitLocker be used together?

Yes.

Why would I use both EFS and BitLocker?

Add EFS to BitLocker if you are also concerned about the “insider threat.” Specifically, if multiple users need to share the laptop, or there are IT administrators that are capable of logging on to the laptop, and you want to ensure that these other users or administrators can’t access the sensitive data, then you can encrypt it with EFS. BitLocker unlocks the whole volume for anyone who can boot and log on to the machine; EFS keeps the sensitive files encrypted under a key only the owning user can unlock, even once the volume is open.

I’m purchasing new laptops. What should I get to run BitLocker?

Besides meeting the minimum hardware requirements for Windows Vista (http://go.microsoft.com/fwlink/?LinkId=83233), make sure your laptop has:

• A TPM 1.2 chip – TPM (Trusted Platform Module) is a special hardware chip used to protect the BitLocker decryption keys.
• A TCG-compliant BIOS – TCG stands for Trusted Computing Group. Confirm with the vendor that the BIOS is TCG-compliant, Windows Vista-ready, and that it passes the Windows Vista logo tests.

If possible, it is also helpful to have the laptop hard disk pre-configured with two partitions. BitLocker requires a small (minimum 1.5 GB) partition to hold the core boot files that remain unencrypted.

Note: This recommendation should not be interpreted to mean that BitLocker requires a TPM 1.2 chip; it doesn’t. Having the TPM 1.2 chip is just the preferred way to implement BitLocker. If you have a laptop without TPM support, you can deploy BitLocker using a USB flash drive that holds the startup key instead (in Windows Vista this first requires enabling the BitLocker “advanced startup options” Group Policy setting that allows BitLocker without a compatible TPM). Keep in mind that a startup key on a USB drive left in the laptop bag gives a thief the key along with the device.

How do I use BitLocker?

See the ITSS Security Short “Windows Vista Drive Encryption”: http://www.safecomputing.umich.edu/tools/security_shorts.html

How do I use EFS?
See the ITSS Security Short How to Encrypt Documents on your Windows Computer (http://www.safecomputing.umich.edu/tools/security_shorts.html) Encryption for Macs What encryption solution is built-in to the Macintosh? 15
    • INFORMATION TECHNOLOGY SECURITY SERVICES Macs have built-in file/folder level encryption that can be leveraged in two different ways. FileVault allows a user to encrypt their home directory. Disk Utility allows a user to create arbitrary encrypted virtual disks that can store encrypted data. See the question entitled “What is meant by “Virtual Disk” Encryption?” elsewhere in this FAQ. What’s the difference between FileVault and Disk Utility? Scope. FileVault encrypts a user’s home directory only. Disk Utility can be used to create virtual disks for encrypting data outside of a user’s home directory. Under the covers, both applications use the same technology. Specifically FileVault simply creates an encrypted virtual disk that is then used to hold the user’s home directory. Can FileVault and Disk Utility be used together? Yes. Why would I use both FileVault and Disk Utility? If you need to share sensitive data between users you would need to use Disk Utility to store that encrypted data outside of a given user’s home directory. Simultaneously, you may want to continue using FileVault to secure remnants of this sensitive data that persist in the form of temp files, intermediate versions etc. How do I use the Macintosh Disk Utility to encrypt data? See the LSA document on this topic: http://www.lsa.umich.edu/lsait/admin/mac/EncryptingSensitiveData.pdf USB Flash Drive Encryption What about USB flash drive encryption? What are the decision factors? There are two approaches to consider when purchasing USB flash drives (a.ka. thumb drives) that need to store encrypted data: • Purchase blank flash drives and use your own encryption software OR • Purchase flash drives that come with encryption software pre-installed. This decision should be related to your laptop encryption decision as follows: • If your laptop encryption solution can also encrypt USB flash drives, choose the first option. 
In fact, you may have chosen your laptop encryption solution precisely because it was also capable of encrypting your USB flash drives and, possibly, other mobile devices. 16
    • INFORMATION TECHNOLOGY SECURITY SERVICES • On the other hand, if your preferred laptop encryption solution does not also encrypt your USB flash drives, then purchase a secure flash drive that has encryption software pre-installed. Note: Regardless of the approach taken, keep in mind that the solution used to encrypt/decrypt data on the flash drive must be able to run under the operating systems where you want the flash drive to be inserted. For example, if you want to be able to read or write encrypted data on a flash drive that is inserted into a Macintosh computer, then a Macintosh version of the encryption/decryption software must be available. Which USB flash drives have encryption software built-in? As of Fall 2007, the following vendors claim7 to offer USB flash drives with encryption support either built-in to the hardware or available via software that is pre-installed on the flash drive: Vendor Flash Drive Product Supported Platforms (for Encryption Software)1 Advanced Media RIDATA EZ Drive lineup Windows 2000/XP/Vista; Linux Kernel 2.4+; MacOS (see http://www.ritekusa.com) 8.6+ Kanguru MicroDrive AES Windows 98/98SE/ME/2000/XP/Vista (32-bit only); Windows Server 2003 Lexar JumpDrive with Secure II Windows 2000/SP4; Windows XP/SP2; Vista Software v2.0 Mac OSX v10.4+ Imation Pivot Flash Drive Windows 2000/XP/Vista IronKey IronKey Windows XP/Vista Kingston Data Traveler Elite Windows 98SE/2000/ XP PNY Secure Attache Windows 2000/XP SanDisk Cruzer Professional Windows 2000 SP4XP SP12003Vista Cruzer Enterprise What are some concerns with purchasing a secure flash drive? The primary concerns with purchasing a secure flash drive (i.e. a flash drive with pre-installed encryption software) are: 1. Driver Installation 2. Platform Support 3. Algorithm Implementation 4. Maintenance 1. Driver Installation The primary benefit often cited for purchasing a secure flash drive (i.e. 
a flash drive with pre-installed encryption software) is that the software moves with the flash drive. 7 ITSS has not evaluated these products and cannot confirm the vendor’s claims regarding encryption capabilities or platform support. The information conveyed by this table comes from posted product reviews and vendor web sites. If you have first-hand experience with the encryption capabilities of these or thumb drives not listed, please send feedback to itss@umich.edu. 17
    • INFORMATION TECHNOLOGY SECURITY SERVICES Theoretically, this makes it easier to access the encrypted portion of the flash drive as it moves from machine to machine because you can simply launch the encryption software directly from the flash drive itself. The unadvertised problem with this claim is that, in many cases, the pre-installed encryption software needs to install a file system driver on the host PC. This one-time driver installation step requires root or administrator privileges. Thus, in order to use the encrypted portion of the USB flash drive on a given PC, the end-user has to be an administrator on that PC or some other administrator would have had to pre-install the file system driver. In short, don’t assume that you’ll be able to purchase any secure flash drive, hand it out and have end-users be able to start reading and writing encrypted data as they move from machine to machine. In managed environments (where users do not have administrative access to their machines) you may need to identify and pre-install driver software on each machine where you expect the flash drives to be used. In unmanaged environments (where end-users manage their own machines) the driver installation will usually happen “under the covers” when the user logs in as an administrator and launches the encryption program from the flash drive. 2. Platform Support The unencrypted portion of a secure USB flash drive can typically be accessed on any platform. However, the encryption capabilities are often limited to specific platforms. PNY is one of the few vendors that is forthcoming with this distinction: “Security and Encryption features only accessible on Windows(R) 2000/XP systems with administrative rights. Will function as a standard USB storage device on other operating systems.” 3. 
Vendors Cryptographic Implementation While a particular encryption algorithm (such as AES) may be well vetted, that algorithm still needs to be interpreted and implemented by developers in software. If there are weaknesses in the developers implementation of a given encryption algorithm those weaknesses will be exploited. While there is no evidence whatsoever to suggest the existence of weaknesses in the encryption implementations of various secure flash drive vendors, these vendors are more well-known for their hardware solutions than their software and security prowess. 4. Maintenance Users need to consider how the required platform drivers and the applications that are resident on the flash drive be updated over time. Physical Protection 18
    • INFORMATION TECHNOLOGY SECURITY SERVICES What about “LoJack” type (device recovery) solutions? Tracking and recovering a stolen laptop is different than, and insufficient for, protecting the data on that laptop from unauthorized disclosure. The “LoJack” type of tracking and recovery solutions may be worth investigating if you have unusually expensive equipment that can cost-justify the service or if you cannot adequately back up your data and want to gamble on a recovery service as a last-ditch effort for recovering data that is not otherwise backed up. However, if your primary goal is to prevent the unauthorized disclosure of sensitive data, then it must be encrypted whether you use a tracking and recovery solution or not. What about remote erasure solutions? As with the “LoJack” type of solutions, you can’t count on remote data wiping solutions alone to protect the confidentiality of sensitive data. Remote erasure implies the ability to contact a machine remotely or the machine needs to have its own time bomb that initiates a self-destruct sequence if contact is not made after a given period of time. It sounds cool, but due to the implicit communication and/or time delay requirements, encryption is the better confidentiality solution. How do I securely dispose of or recycle a mobile device? The University of Michigan Property Disposition recommends that the most efficient and economical means of sanitizing computers and media storage devices such as PDAs or thumb drives is to overwrite the entire device with zeroes.Other sanitizing methods include: • Commercial software, such as ShredIt for Windows and Macs. • Free software like Eraser; its source code is released under GNU General Public License. • Built-in capability: • For Windows: use the Secure Delete command. (see www.microsoft.com/technet/sysinternals/Utilities/SDelete.mspx) • For later versions of the Mac OS X: use the Secure Erase Trash command that overwrites files in the trash. 
(see www.apple.com/macosx/features/security/ for "Permanent Deletion.") • In some circumstances it is best to physically destroy hard drives, CD-ROMs or tapes. When physical destruction is implemented, departments are still responsible for sending the remains to Property Disposition for proper disposal. For more information, visit: http://propertydisposition.umich.edu/html/computerprep.html 19
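As an added example of the zero-overwrite method recommended above (not part of the ITSS FAQ or of any Property Disposition tooling), the following POSIX shell functions overwrite a file image or block device with zeroes and then read it back to confirm nothing survived; the target path, the mount check and the use of a file image for testing are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the ITSS FAQ: zero-fill a storage target (the
# sanitising method Property Disposition recommends) and verify the result.
# Paths are hypothetical; try it on a file image before naming a real device.

# target_size TARGET: size in bytes of a regular file or a block device.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"      # Linux block device; needs root
    else
        wc -c < "$1"                   # regular file or disk image
    fi
}

# zero_fill TARGET: write exactly the target's size in zero bytes over it,
# in place. The exact count keeps a file image the same size and covers a
# device end to end; conv=notrunc stops dd from shrinking the file.
zero_fill() {
    size=$(( $(target_size "$1") ))
    head -c "$size" /dev/zero | dd of="$1" bs=65536 conv=notrunc 2>/dev/null
    sync
}

# verify_zeroed TARGET: succeed only if every byte reads back as 0x00.
# tr strips NUL bytes; any byte that survives means the overwrite missed it.
verify_zeroed() {
    [ $(( $(tr -d '\000' < "$1" | wc -c) )) -eq 0 ]
}

# sanitize TARGET: refuse a mounted device, overwrite, then verify.
sanitize() {
    if [ -b "$1" ] && grep -q "^$1 " /proc/mounts; then
        echo "refusing to wipe mounted device $1" >&2
        return 1
    fi
    zero_fill "$1" && verify_zeroed "$1"
}
```

On flash media, wear levelling can keep older copies of blocks outside the addressable range, so even a verified overwrite is no substitute for having encrypted the data in the first place.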