Your SlideShare is downloading. ×
UW Desktop Encryption Project UW's approach to data encryption
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

UW Desktop Encryption Project UW's approach to data encryption

510
views

Published on


0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
510
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • OCIS is out on the two ends with ongoing projects: Find it; Encrypt it. Middle is harder. Restricted data, for us defined by WI Statue, but can be applied to any data you need to protect. Two types of encryption: full disk and file/folder.
  • Endpoints defined. Lost laptops—VA; estimated costs per record are around $200 for 10000 records $2million
  • Lost CDs – British government
  • Photo by "Scott Beale / Laughing Squid” laughingsquid.com.
  • Good solutions integrate with the OS, eg added to right-click context menu; can select files by type, eg .doc
  • Data at rest. Can also be used for secure hdd disposal.
  • FDE can’t protect a laptop that’s on and logged in; FDE doesn’t stop unencrypted data from leaving the encrypted drive
  • Create charter and solicit a team Team Members Sponsors
  • Server based solutions like mywebspace, webDAV Novell and Microsoft filie server; Incidental not intended.
  • (e.g. encrypting the restricted data, but then emailing it unencrypted; strong encryption passwords)
  • Get SMART
  • Campus concerns and experiences Milwaukee … Survey Center … Educause list Burton group
  • Describe quadrants
  • Variety of machines supported Vista laggers; none—some promised; why important? Why should audience care?
  • Key management importance; lost keys mean lost data Just encrypted disk, but then just copy the entire thing to USB in clear text
  • invited vendors for demos/webex; gathered additional information; ranked products as demos completed see what floated to top
  • Get SMART; hands on test of both products; continued to gather information; decide on product to pilot—license affordable?
  • Some are Safeboot specific most would pertain to any product we selected. Think about any particular challenges you would have with implementation of this kind of product
  • Transcript

    • 1. UW Desktop Encryption Project UW’s approach to data encryption
    • 2. Introductions
      • Allen Monette - Security Coordinator
      • Linda Pruss – Security Engineer
    • 3. AGENDA
      • Overview of technology
      • Endpoint Encryption Project
      • Challenges/Issues
      • What’s next
    • 4. Effective Practices for Restricted Data Handling Risk Reduction Strategy OR OR THEN Risk Reduction Strategies Risk Assessment
    • 5. Why Encryption?
    • 6. It’s 3am …
      • Do you know where your laptops are?
      Full Disk Encryption protects against lost devices
    • 7. Would you trust…
        • this guy with your files?
      File and Folder Encryption protects specific data
    • 8. How does it work?
    • 9. File encryption
      • Think of file encryption as a secret code
      A simple code: A=0 B=1 C=2 D=3 Etc A message: 7 4 11 11 14 22 14 17 11 3
    • 10. Folder encryption
      • Think of folder encryption as a safe deposit box
    • 11. Full Disk Encryption
      • Think of Full Disk Encryption like a bank vault
    • 12. How does it really work?
    • 13. File and folder Encryption
      • Encrypts individual files or entire folders
      • Requires authentication to decrypt and access the files
    • 14. Full Disk Encryption
      • Replaces the master boot record with a special pre-boot environment
      • Encrypts the entire hard drive
      • Preboot Authentication plus OS authentication
      • Decrypts as files are used
    • 15. How to choose between Full Disk and File/Folder?
    • 16. When to use Full Disk Encryption Full Disk Encryption protects against lost devices
    • 17. When to use file/folder
      • Need an additional layer of security
      • Need portability
      • Need to support removable media
    • 18. Endpoint Encryption Project
    • 19. Charter
      • To research tools and methods for encrypting data on desktops and laptops so that risk is reduced if a computer storing restricted data is lost, stolen, compromised or disposed of improperly.
      • Deliverables are :
        • recommend a product for pilot
        • pilot the product
        • recommend final product to sponsors
    • 20. Scope
      • Common desktops operating systems
        • Macintosh and Windows
      • Full disk and file/directory level encryption
      • Removable media devices
        • USB drives, CDRW
      • Managed (IT administered) and unmanaged (self-administered) systems
    • 21. Out of scope
      • Encryption of Linux OS, handhelds or smart phones
      • Hardware encryption
      • Database encryption
      • Encryption of server-based solutions
      • Secure transmission
      • Secure printing
    • 22. Out of scope
      • End user education
      • Best practices
      • Support infrastructure
      • Policy work
    • 23. Approach
      • Define the project
      • Get Smart!
        • Product and Market Analysis
        • Requirements Gathering
    • 24. Get Smart!
      • Team knowledge and research
      • NIST document (800-111) – Nov, 2007
        • Guide to Storage Encryption Technologies for end user devices
        • http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
      • Campus forum
      • Leverage others work
    • 25. Market Analysis Source: Gartner Group Full report at: http://mediaproducts.gartner.com/reprints/credant/151075.html
    • 26. Requirements
      • Device support
        • Windows … all flavors
        • Macintosh
        • Linux
        • Smart Phone/Handheld
      • Industry Standard Encryption
        • AES 256
        • FIPS certified
    • 27. Requirements
      • Key Management
        • Key backup/escrow mechanisms
        • Key recovery mechanisms
        • Key generation mechanisms
      • Removable Media support
        • USB disks, etc
        • CD R/W
    • 28. Requirements
      • Management Capabilities
        • Centrally managed
          • Provide service to campus departments
        • Cooperatively managed
          • Delegated management
        • Delegated management
          • IT managed
          • UW campus or IT department
        • Unmanaged
          • Self-managed
    • 29. Requirements
      • Directory Integration
        • Diversity on our campuses
        • The more varieties the better
      • File and Folder encryption
        • Don’t want to support multiple product
      • Leverage our Public Key Infrastructure
        • Strong AuthN
    • 30. Approach
      • Define the project
      • Get Smart!
        • Product and Market Analysis
        • Requirements Gathering
      • Mapped Solutions to Requirements
        • Reduce possible solutions to 9
    • 31. Approach
      • Define the project
      • Get Smart!
        • Product and Market Analysis
        • Requirements Gathering
      • Mapped Solutions to Requirements
        • Reduce possible solutions to 9
      • Team Test of top 2 products
    • 32. Product Selected
      • SafeBoot
        • http://www.safeboot.com/
        • Acquired by McAfee in Q4 2007
    • 33. Product Selected
      • Key Differentiators
        • Macintosh on Roadmap
        • File/Folder; smartphone encryption too
        • Allows for centralized, collaborative and delegated models
        • Management not tied to specific product
        • Lots of connectors (or not)
        • Small desktop footprint
        • Ease of use; understandable
    • 34. Challenges/Issues
    • 35. Technical Challenges
      • Market Turbulence/Definition
        • Acquisitions/partnerships
        • Many new features being introduced
      • Assumes client/server model
        • Periodic check in to server
        • Delegated/collaborative management
    • 36. Technical Challenges
      • Laptop states
        • Power off protection
        • Screen saver
        • Logoff
        • Hibernate, Suspend
      • Not a panacea
        • Still need host hardening
        • Power on protection
    • 37. Technical Challenges
      • Authentication
        • Strong passwords
        • 2 factor authentication
        • Integrated Windows AuthN
          • Synchronization issues
      • Recovery
        • User or machine password recovery
          • Identity proofing
        • Hardware Failure
        • Forensics
    • 38. Non-Technical Challenges
    • 39. Non-Technical Challenges
      • Policy
      • Where and when to use Full Disk Encryption?
      • Where and when to use File/Folder?
      • What encryption solutions are acceptable?
      • Log in once or twice?
    • 40. Non-Technical Challenges
      • Centralized service; decentralized campus
        • Who pays?
          • Maintenance
            • Running the server
            • Administering the application
            • Managing the service
          • Support
            • Help Desk calls
            • 2 nd level technical expertise
          • Licenses
    • 41. Non-Technical Challenges
      • User Acceptance
        • Department IT Staff
          • Willingness to collaborate
        • End Users
          • Strong passwords necessary
          • Double authentication with Pre-Boot
          • Initial setup cost - takes time to encrypt
    • 42. What Next?
    • 43. What next?
      • Two new project teams
        • Policy
        • Support & Best Practices
      • Pilot runs through the end of June
        • Evaluating our ability to collaborate as well as the software
        • Initial rollouts of 10-20 laptops
        • Report to sponsors with recommendations
      • Gradually open up pilot starting in July
    • 44. UW Desktop Encryption Project Allen Monette, [email_address] Linda Pruss, lmpruss@wisc.edu

    ×