UW Desktop Encryption Project UW's approach to data encryption

778 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
778
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • OCIS is out on the two ends with ongoing projects: Find it; Encrypt it. Middle is harder. Restricted data, for us defined by WI Statue, but can be applied to any data you need to protect. Two types of encryption: full disk and file/folder.
  • Endpoints defined. Lost laptops—VA; estimated costs per record are around $200 for 10000 records $2million
  • Lost CDs – British government
  • Photo by "Scott Beale / Laughing Squid” laughingsquid.com.
  • Good solutions integrate with the OS, eg added to right-click context menu; can select files by type, eg .doc
  • Data at rest. Can also be used for secure hdd disposal.
  • FDE can’t protect a laptop that’s on and logged in; FDE doesn’t stop unencrypted data from leaving the encrypted drive
  • Create charter and solicit a team Team Members Sponsors
  • Server based solutions like mywebspace, webDAV Novell and Microsoft filie server; Incidental not intended.
  • (e.g. encrypting the restricted data, but then emailing it unencrypted; strong encryption passwords)
  • Get SMART
  • Campus concerns and experiences Milwaukee … Survey Center … Educause list Burton group
  • Describe quadrants
  • Variety of machines supported Vista laggers; none—some promised; why important? Why should audience care?
  • Key management importance; lost keys mean lost data Just encrypted disk, but then just copy the entire thing to USB in clear text
  • invited vendors for demos/webex; gathered additional information; ranked products as demos completed see what floated to top
  • Get SMART; hands on test of both products; continued to gather information; decide on product to pilot—license affordable?
  • Some are Safeboot specific most would pertain to any product we selected. Think about any particular challenges you would have with implementation of this kind of product
  • UW Desktop Encryption Project UW's approach to data encryption

    1. 1. UW Desktop Encryption Project UW’s approach to data encryption
    2. 2. Introductions <ul><li>Allen Monette - Security Coordinator </li></ul><ul><li>Linda Pruss – Security Engineer </li></ul>
    3. 3. AGENDA <ul><li>Overview of technology </li></ul><ul><li>Endpoint Encryption Project </li></ul><ul><li>Challenges/Issues </li></ul><ul><li>What’s next </li></ul>
    4. 4. Effective Practices for Restricted Data Handling Risk Reduction Strategy OR OR THEN Risk Reduction Strategies Risk Assessment
    5. 5. Why Encryption?
    6. 6. It’s 3am … <ul><li>Do you know where your laptops are? </li></ul>Full Disk Encryption protects against lost devices
    7. 7. Would you trust… <ul><ul><li>this guy with your files? </li></ul></ul>File and Folder Encryption protects specific data
    8. 8. How does it work?
    9. 9. File encryption <ul><li>Think of file encryption as a secret code </li></ul>A simple code: A=0 B=1 C=2 D=3 Etc A message: 7 4 11 11 14 22 14 17 11 3
    10. 10. Folder encryption <ul><li>Think of folder encryption as a safe deposit box </li></ul>
    11. 11. Full Disk Encryption <ul><li>Think of Full Disk Encryption like a bank vault </li></ul>
    12. 12. How does it really work?
    13. 13. File and folder Encryption <ul><li>Encrypts individual files or entire folders </li></ul><ul><li>Requires authentication to decrypt and access the files </li></ul>
    14. 14. Full Disk Encryption <ul><li>Replaces the master boot record with a special pre-boot environment </li></ul><ul><li>Encrypts the entire hard drive </li></ul><ul><li>Preboot Authentication plus OS authentication </li></ul><ul><li>Decrypts as files are used </li></ul>
    15. 15. How to choose between Full Disk and File/Folder?
    16. 16. When to use Full Disk Encryption Full Disk Encryption protects against lost devices
    17. 17. When to use file/folder <ul><li>Need an additional layer of security </li></ul><ul><li>Need portability </li></ul><ul><li>Need to support removable media </li></ul>
    18. 18. Endpoint Encryption Project
    19. 19. Charter <ul><li>To research tools and methods for encrypting data on desktops and laptops so that risk is reduced if a computer storing restricted data is lost, stolen, compromised or disposed of improperly. </li></ul><ul><li>Deliverables are : </li></ul><ul><ul><li>recommend a product for pilot </li></ul></ul><ul><ul><li>pilot the product </li></ul></ul><ul><ul><li>recommend final product to sponsors </li></ul></ul>
    20. 20. Scope <ul><li>Common desktops operating systems </li></ul><ul><ul><li>Macintosh and Windows </li></ul></ul><ul><li>Full disk and file/directory level encryption </li></ul><ul><li>Removable media devices </li></ul><ul><ul><li>USB drives, CDRW </li></ul></ul><ul><li>Managed (IT administered) and unmanaged (self-administered) systems </li></ul>
    21. 21. Out of scope <ul><li>Encryption of Linux OS, handhelds or smart phones </li></ul><ul><li>Hardware encryption </li></ul><ul><li>Database encryption </li></ul><ul><li>Encryption of server-based solutions </li></ul><ul><li>Secure transmission </li></ul><ul><li>Secure printing </li></ul>
    22. 22. Out of scope <ul><li>End user education </li></ul><ul><li>Best practices </li></ul><ul><li>Support infrastructure </li></ul><ul><li>Policy work </li></ul>
    23. 23. Approach <ul><li>Define the project </li></ul><ul><li>Get Smart! </li></ul><ul><ul><li>Product and Market Analysis </li></ul></ul><ul><ul><li>Requirements Gathering </li></ul></ul>
    24. 24. Get Smart! <ul><li>Team knowledge and research </li></ul><ul><li>NIST document (800-111) – Nov, 2007 </li></ul><ul><ul><li>Guide to Storage Encryption Technologies for end user devices </li></ul></ul><ul><ul><li>http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf </li></ul></ul><ul><li>Campus forum </li></ul><ul><li>Leverage others work </li></ul>
    25. 25. Market Analysis Source: Gartner Group Full report at: http://mediaproducts.gartner.com/reprints/credant/151075.html
    26. 26. Requirements <ul><li>Device support </li></ul><ul><ul><li>Windows … all flavors </li></ul></ul><ul><ul><li>Macintosh </li></ul></ul><ul><ul><li>Linux </li></ul></ul><ul><ul><li>Smart Phone/Handheld </li></ul></ul><ul><li>Industry Standard Encryption </li></ul><ul><ul><li>AES 256 </li></ul></ul><ul><ul><li>FIPS certified </li></ul></ul>
    27. 27. Requirements <ul><li>Key Management </li></ul><ul><ul><li>Key backup/escrow mechanisms </li></ul></ul><ul><ul><li>Key recovery mechanisms </li></ul></ul><ul><ul><li>Key generation mechanisms </li></ul></ul><ul><li>Removable Media support </li></ul><ul><ul><li>USB disks, etc </li></ul></ul><ul><ul><li>CD R/W </li></ul></ul>
    28. 28. Requirements <ul><li>Management Capabilities </li></ul><ul><ul><li>Centrally managed </li></ul></ul><ul><ul><ul><li>Provide service to campus departments </li></ul></ul></ul><ul><ul><li>Cooperatively managed </li></ul></ul><ul><ul><ul><li>Delegated management </li></ul></ul></ul><ul><ul><li>Delegated management </li></ul></ul><ul><ul><ul><li>IT managed </li></ul></ul></ul><ul><ul><ul><li>UW campus or IT department </li></ul></ul></ul><ul><ul><li>Unmanaged </li></ul></ul><ul><ul><ul><li>Self-managed </li></ul></ul></ul>
    29. 29. Requirements <ul><li>Directory Integration </li></ul><ul><ul><li>Diversity on our campuses </li></ul></ul><ul><ul><li>The more varieties the better </li></ul></ul><ul><li>File and Folder encryption </li></ul><ul><ul><li>Don’t want to support multiple product </li></ul></ul><ul><li>Leverage our Public Key Infrastructure </li></ul><ul><ul><li>Strong AuthN </li></ul></ul>
    30. 30. Approach <ul><li>Define the project </li></ul><ul><li>Get Smart! </li></ul><ul><ul><li>Product and Market Analysis </li></ul></ul><ul><ul><li>Requirements Gathering </li></ul></ul><ul><li>Mapped Solutions to Requirements </li></ul><ul><ul><li>Reduce possible solutions to 9 </li></ul></ul>
    31. 31. Approach <ul><li>Define the project </li></ul><ul><li>Get Smart! </li></ul><ul><ul><li>Product and Market Analysis </li></ul></ul><ul><ul><li>Requirements Gathering </li></ul></ul><ul><li>Mapped Solutions to Requirements </li></ul><ul><ul><li>Reduce possible solutions to 9 </li></ul></ul><ul><li>Team Test of top 2 products </li></ul>
    32. 32. Product Selected <ul><li>SafeBoot </li></ul><ul><ul><li>http://www.safeboot.com/ </li></ul></ul><ul><ul><li>Acquired by McAfee in Q4 2007 </li></ul></ul>
    33. 33. Product Selected <ul><li>Key Differentiators </li></ul><ul><ul><li>Macintosh on Roadmap </li></ul></ul><ul><ul><li>File/Folder; smartphone encryption too </li></ul></ul><ul><ul><li>Allows for centralized, collaborative and delegated models </li></ul></ul><ul><ul><li>Management not tied to specific product </li></ul></ul><ul><ul><li>Lots of connectors (or not) </li></ul></ul><ul><ul><li>Small desktop footprint </li></ul></ul><ul><ul><li>Ease of use; understandable </li></ul></ul>
    34. 34. Challenges/Issues
    35. 35. Technical Challenges <ul><li>Market Turbulence/Definition </li></ul><ul><ul><li>Acquisitions/partnerships </li></ul></ul><ul><ul><li>Many new features being introduced </li></ul></ul><ul><li>Assumes client/server model </li></ul><ul><ul><li>Periodic check in to server </li></ul></ul><ul><ul><li>Delegated/collaborative management </li></ul></ul>
    36. 36. Technical Challenges <ul><li>Laptop states </li></ul><ul><ul><li>Power off protection </li></ul></ul><ul><ul><li>Screen saver </li></ul></ul><ul><ul><li>Logoff </li></ul></ul><ul><ul><li>Hibernate, Suspend </li></ul></ul><ul><li>Not a panacea </li></ul><ul><ul><li>Still need host hardening </li></ul></ul><ul><ul><li>Power on protection </li></ul></ul>
    37. 37. Technical Challenges <ul><li>Authentication </li></ul><ul><ul><li>Strong passwords </li></ul></ul><ul><ul><li>2 factor authentication </li></ul></ul><ul><ul><li>Integrated Windows AuthN </li></ul></ul><ul><ul><ul><li>Synchronization issues </li></ul></ul></ul><ul><li>Recovery </li></ul><ul><ul><li>User or machine password recovery </li></ul></ul><ul><ul><ul><li>Identity proofing </li></ul></ul></ul><ul><ul><li>Hardware Failure </li></ul></ul><ul><ul><li>Forensics </li></ul></ul>
    38. 38. Non-Technical Challenges
    39. 39. Non-Technical Challenges <ul><li>Policy </li></ul><ul><li>Where and when to use Full Disk Encryption? </li></ul><ul><li>Where and when to use File/Folder? </li></ul><ul><li>What encryption solutions are acceptable? </li></ul><ul><li>Log in once or twice? </li></ul>
    40. 40. Non-Technical Challenges <ul><li>Centralized service; decentralized campus </li></ul><ul><ul><li>Who pays? </li></ul></ul><ul><ul><ul><li>Maintenance </li></ul></ul></ul><ul><ul><ul><ul><li>Running the server </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Administering the application </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Managing the service </li></ul></ul></ul></ul><ul><ul><ul><li>Support </li></ul></ul></ul><ul><ul><ul><ul><li>Help Desk calls </li></ul></ul></ul></ul><ul><ul><ul><ul><li>2 nd level technical expertise </li></ul></ul></ul></ul><ul><ul><ul><li>Licenses </li></ul></ul></ul>
    41. 41. Non-Technical Challenges <ul><li>User Acceptance </li></ul><ul><ul><li>Department IT Staff </li></ul></ul><ul><ul><ul><li>Willingness to collaborate </li></ul></ul></ul><ul><ul><li>End Users </li></ul></ul><ul><ul><ul><li>Strong passwords necessary </li></ul></ul></ul><ul><ul><ul><li>Double authentication with Pre-Boot </li></ul></ul></ul><ul><ul><ul><li>Initial setup cost - takes time to encrypt </li></ul></ul></ul>
    42. 42. What Next?
    43. 43. What next? <ul><li>Two new project teams </li></ul><ul><ul><li>Policy </li></ul></ul><ul><ul><li>Support & Best Practices </li></ul></ul><ul><li>Pilot runs through the end of June </li></ul><ul><ul><li>Evaluating our ability to collaborate as well as the software </li></ul></ul><ul><ul><li>Initial rollouts of 10-20 laptops </li></ul></ul><ul><ul><li>Report to sponsors with recommendations </li></ul></ul><ul><li>Gradually open up pilot starting in July </li></ul>
    44. 44. UW Desktop Encryption Project Allen Monette, [email_address] Linda Pruss, lmpruss@wisc.edu

    ×